The Rubric

Files that do too much. We count actual code lines — comments, blanks, and docstrings don't count. A 600-line file with 200 lines of comments is really a 400-line file.

Threshold: 400+ code lines (low), 500+ (medium), 750+ (high)

Counts control flow nesting only — if/else/for/while/try/catch. Not object literals, not JSX structure, not config nesting. Single-line returns like `if (x) return y` don't count.

Threshold: 5 levels (low), 6-7 (medium), 8+ (high)

Catches copy-paste patterns where the same logic lives in multiple places. Compares content similarity, not just file names.

Threshold: 3+ files with same base name and ≥50% content overlap

A catch block that catches an error and does nothing with it. This is almost never what you want.

Threshold: Any catch block with no code inside

Logging an error isn't handling it. If the user can't tell something went wrong, you're just hiding problems.

Threshold: Catch blocks that only console.log the error

A high density of console.log usually means debug code left behind in production. We're not counting console.warn or console.error — those are often intentional.

Threshold: 5+ console.log calls in a single file

We look for .test.*, .spec.*, test_*, and files in /test/ directories. If we find nothing, that's a critical finding.

Threshold: Zero test files in the entire repo

Even if test files exist, there should be a way to run them. We look for test, test:unit, test:e2e, and test:integration scripts.

Threshold: Node.js project with no test script in package.json

Compares total lines of test code to total lines of source code. Below 10% means you're barely testing anything.

Threshold: Below 10% (high), 10-29% (medium)

If we can see your .env file, so can everyone else. This usually means secrets are exposed.

Threshold: Any .env file present in the repo

Detects OpenAI keys (sk-...), GitHub tokens (ghp_...), AWS keys (AKIA...), and general api_key/password/secret assignments with string values.

Threshold: API keys, passwords, tokens in source code

A high dependency count increases attack surface, bundle size, and the odds of supply chain issues.

Threshold: 60+ production deps (high), 45-59 (medium)

Without a lock file, every install might get different versions. We look for package-lock.json, yarn.lock, pnpm-lock.yaml, and bun.lockb.

Threshold: Dependencies present but no lock file

Having both axios and node-fetch? Both moment and dayjs? Pick one. We check 8 categories: HTTP clients, utilities, dates, frameworks, test runners, loggers, validators, and CSS-in-JS.

Threshold: 2+ packages that do the same thing

A repo without a README is a repo nobody can use. Even a few lines explaining what it does and how to run it is better than nothing.

Threshold: No README.md file in the repo

An auto-generated or placeholder README with just a title and nothing else. We want to see at least what it does and how to run it.

Threshold: Fewer than 5 lines of content

We're not looking for comments on every line. But a large file with almost no comments suggests the author didn't stop to explain any of the non-obvious logic.

Threshold: Below 2% comment ratio in files with 200+ lines