Every finding names the rule that produced it. This is the complete catalog; the
same definitions ship machine-readably in
capabilities and in every JSON meta block.
Architecture
| Rule | Severity | Fires when |
|---|
circular-dependency | high | An elementary dependency cycle A -> … -> A exists among modules |
| boundary rules (your name) | configurable | An import crosses a [[rules.boundaries]] declaration with allowed = false |
banned-import/<name> | configurable | An import matches a [[rules.banned_imports]] pattern |
Security (code)
| Rule | Severity | Fires when |
|---|
security/secret | critical | A hardcoded credential — provider pattern (AWS, Stripe, …) or high-entropy value in a secret-named binding |
security/eval | high | Dynamic code execution: eval, new Function |
security/command-exec | high | OS command execution (exec / execSync / spawn on a child-process module; os.system / subprocess.*; exec.Command; process::Command) |
security/weak-hash | medium | Obsolete hashing algorithm (MD5 / SHA-1) |
security/cors | medium | Permissive CORS: origin: "*" or setHeader("Access-Control-Allow-Origin", "*") |
Taint flows
| Rule | Severity | Fires when user-controlled input may reach… |
|---|
taint/eval | critical | …dynamic code execution |
taint/command | critical | …OS command execution |
taint/writes | high | …a database write (injection candidate) |
taint/reads | medium | …a database read |
Taint findings are explicit reachability over-approximations — see
how to read them.
Dependencies
| Rule | Severity | Fires when |
|---|
audit/osv | per advisory (default high) | A declared dependency matches a known OSV advisory |
unlisted-dependency | medium | A package is imported but missing from every package.json (phantom dependency) |
unused-dependency | low | A manifest dependency is never imported (opt-in: [index] detect_unused_deps) |
unused-dev-dependency | low | A devDependency is never imported, invoked by a script, or config-loaded (opt-in) |
unused-optional-dependency | low | An optionalDependency is never imported or invoked by a script (opt-in) |
Dead code
| Rule | Severity | Fires when |
|---|
unused-export | low | An export is reachable but imported by no reachable module |
unused-type | low | A type-only export (interface/type alias) is never imported |
unused-file | low | A file is reachable from no entry point and imported by nothing |
Code health
| Rule | Severity | Fires when |
|---|
complexity | medium/high | A function exceeds the cyclomatic/cognitive complexity thresholds |
long-function | low/medium | A function exceeds the unit-size thresholds (75 / 150 source lines) |
long-parameter-list | low/medium | A function has too many parameters (7 / 10) |
Hygiene
| Rule | Severity | Fires when |
|---|
stale-suppression | low | An ovecc-ignore comment suppresses no finding — it would silently swallow the next real finding on its line |
Suppressing findings
Inline, per line: // ovecc-ignore, // ovecc-ignore-next-line, or # ovecc-ignore
in Python — the finding is dropped at index time. Per repository:
the baseline ratchet. Auto-fixable rules
are remediated by ovecc fix.