Rule Pack Catalog

34 rule packs, three tiers

24 community packs run offline from the CLI. 3 Team-tier packs add advanced detection. 7 Enterprise packs cover HIPAA, PCI-DSS, SOC2, GDPR, and behavioral analytics.

Browse, enable, and disable from the CLI: pullminder packs list

34 packs · 210+ community rules · 11 languages · 10 premium packs
Community · Default

Free · offline · on every PR

7 default-on community packs

Installed automatically for every project. Turn any of them off with pullminder packs disable <slug>.

secrets · detection · 44 rules
Detects hardcoded secrets, API keys, tokens, and connection strings.

infra-security · detection · 17 rules
CI/CD, Docker, Kubernetes, Terraform, and GitHub Actions security patterns.

bot-detection · detection
Identifies and adapts analysis for bot-authored PRs.

sensitive-paths · detection
Flags modifications to security-critical directories.

dependency-detection · detection
Detects dependency manifest and lockfile changes.

test-conventions · detection
Test gap detection with configurable source dirs, test patterns, and coverage thresholds.

review-quality · detection
Configurable thresholds for diff size and files changed.

Community · Optional

Free · enable on demand

17 optional community packs

Language-specific security, compliance mapping, and targeted detections. Enable with pullminder packs enable <slug>.

ai-detection · Platform · detection
Detects AI-generated code via co-author trailers, branch patterns, and tool files. Runs on the Pullminder platform only.

go-security · detection · 14 rules
Go security patterns: SQL injection, command injection, TLS, unsafe usage.

python-security · detection · 16 rules
Python security: injection, deserialization, and framework misconfigurations.

rust-security · detection · 14 rules
Rust security: unsafe blocks, FFI boundaries, and deprecated crypto.

ruby-security · detection · 14 rules
Ruby security: eval injection, mass assignment, and Rails vulnerabilities.

php-security · detection · 15 rules
PHP security: command injection, file inclusion, and XSS.

react-security · detection · 15 rules
React/JS XSS, DOM manipulation, prototype pollution, and open redirect patterns.

java-security · detection · 10 rules
Java security: SQL injection, XXE, deserialization.

csharp-security · detection · 8 rules
C# security: SqlCommand injection, BinaryFormatter.

kotlin-security · detection · 6 rules
Kotlin/Android security: WebView, SharedPreferences, exports.

swift-security · detection · 6 rules
Swift/iOS security: ATS bypass, keychain, biometric auth.

shell-security · detection · 7 rules
Shell/Bash security: eval injection, curl-pipe, chmod.

crypto-anti-patterns · detection · 8 rules
Language-agnostic weak crypto detection (MD5, DES, ECB, small keys).

pii-leakage · detection · 6 rules
Detects PII (SSN, credit cards, emails, phones) in logging and output contexts.

migration-safety · detection · 5 rules
Detects dangerous SQL migration patterns (DROP TABLE, type changes, missing defaults).

license-risk · detection · 5 rules
Flags copyleft license introductions (GPL, AGPL, SSPL) in dependency manifests.

owasp-mapping · policy
Maps detection rules to OWASP Top 10 categories for compliance reporting.

Team Tier

Premium · auto-sync on Team plans

3 Team-tier packs

Advanced detection beyond the community catalog. Packs sync automatically from the premium registry once an organization is on the Team plan — no manual install step.

ai-detection-advanced

Advanced AI-generated code detection with comment signatures, boilerplate patterns, and multi-signal correlation.

ai-senior-review

Senior-engineer patterns: error swallowing, race conditions, N+1 queries, insecure defaults, debug code in production.

sensitive-paths-adaptive

56+ sensitive path patterns across auth, secrets, infrastructure, CI/CD, database, network, compliance, and financial directories.

Enterprise Tier

Premium · auto-sync on Enterprise plans

7 Enterprise-tier packs

Compliance detection (HIPAA, PCI-DSS, SOC2, GDPR) and behavioral analytics. See the compliance pack mapping for exactly what each compliance pack detects.

hipaa-compliance

HIPAA detection for PHI exposure, unencrypted health data, missing audit trails, and insecure transmission.

pci-dss

PCI-DSS detection for credit card numbers, CVV storage, weak encryption, missing tokenization, and cardholder data leaks.

soc2-controls

SOC2 controls for access logging, security middleware, session management, rate limiting, RBAC, and data classification.

gdpr-data-handling

GDPR detection for PII in logs, missing consent, cross-border transfers, retention violations, and data minimization.

org-velocity-anomaly

Behavioral analysis of PR velocity — unusually large PRs, rapid-fire submissions, off-hours commits, bulk deletions.

author-risk-profiling

Author risk — new contributors on sensitive paths, high revert rates, dormant accounts, external collaborators, email domain mismatches.

cross-pr-correlation

Cross-PR correlation — split-PR attacks, dependency+code pairings, revert-then-reintroduce, CI config paired with test removal.

Note: compliance packs are detection layers, not certifications. See honest scope for what they do and do not do.

Bring your own packs

Need rules we don't ship?

The CLI scaffolds and manages custom rule registries for your organization. Add, validate, test, and upgrade packs with a versioned schema — then point .pullminder.yml at your registry.

$ pullminder registry init my-rules # scaffold a registry
$ pullminder registry pack add acme-sql # new pack from template
$ pullminder rules test # fixture-based rule testing
$ pullminder registry validate # schema validation
$ pullminder rules publish # publish to a registry

Point .pullminder.yml at any registry — your own, the public community registry, or the premium registry that syncs automatically on Team and Enterprise plans.

Browse the full reference

Every rule inside each pack, with severities, examples, and overrides.