Per-repo security policy file. Define custom rules, suppress false positives, remap severities, and set enforcement thresholds — enforced consistently across all three CodeSlick surfaces.
Add a .codeslick.yml to your repo root. Absence of the file means CodeSlick uses its defaults — no regression.
version: "1"
prohibit:
- pattern: "eval\s*\("
message: "eval() is prohibited — use JSON.parse() or a safe alternative."
severity: critical
thresholds:
block_pr_on: [critical, high]
fail_cli_on: [critical]Place this file at the root of your repository (same directory as package.json or .git/).
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| version | "1" | required | — | Schema version. Currently always "1". |
| prohibit | Rule[] | optional | [] | Rules that ban matching patterns. A match is a finding. |
| require | Rule[] | optional | [] | Rules that require patterns to be present. Absence is a finding. |
| overrides | Override[] | optional | [] | Remap or suppress built-in CodeSlick check results. |
| thresholds | Thresholds | optional | see below | Control when the CLI fails and when PRs are blocked. |
| exclude | string[] | optional | [] | Glob patterns for files to skip entirely (no analysis). |
Ban patterns from appearing in source files. Each match becomes a finding at the specified severity.
| Field | Required | Description | ||
|---|---|---|---|---|
| pattern | string | required | — | Regular expression applied to each line of source text. |
| message | string | required | — | Message shown to the developer when the pattern is found. |
| severity | severity | required | — | critical | high | medium | low |
| in | string[] | optional | all files | Glob patterns scoping this rule. Omit to apply to all files. |
| id | string | optional | — | Stable rule ID. Required if you want to reference this rule in overrides. |
prohibit:
# Ban eval() in all TypeScript source files
- pattern: "eval\s*\("
message: "eval() is prohibited. Use JSON.parse() or a sandboxed Function()."
severity: critical
in: ["src/**/*.ts", "src/**/*.tsx"]
# Ban hardcoded secrets from being logged
- pattern: "console\.log.*(password|secret|token|key)"
message: "Logging credentials to console is a data leak."
severity: high
# Ban HS256 JWT algorithm (weak for production)
- pattern: "algorithm.*HS256|HS256.*algorithm"
message: "HS256 prohibited — use RS256 or ES256 for JWTs."
severity: high
in: ["src/**/*.ts"]
id: "local-jwt-001"Enforce that patterns are present in matched files. If no matched file contains the pattern, a finding is created.
| Field | Required | Description | ||
|---|---|---|---|---|
| in | string[] | required | — | Glob patterns for files that must contain the pattern. |
| pattern | string | required | — | Regular expression that must be present in matched files. |
| message | string | required | — | Message shown when the pattern is absent. |
| severity | severity | required | — | critical | high | medium | low |
| id | string | optional | — | Stable rule ID for use in overrides. |
require:
# All API route files must import the rate limiter
- in: ["src/app/api/**/*.ts"]
pattern: "rateLimit|RateLimitPresets"
message: "All API routes must apply rate limiting."
severity: high
# All auth-related files must include an audit log call
- in: ["src/lib/auth/**/*.ts"]
pattern: "auditLog|audit_log"
message: "Auth operations must emit audit log events."
severity: mediumRemap the severity of built-in CodeSlick checks, or suppress them entirely for known false positives. Overrides apply to built-in analyzer checks (e.g. CS-JS-001), not to custom prohibit/ require rules.
Suppress with care. A suppressed check stops producing findings for matched files. Always include a reason — it is required when suppress: true.
| Field | Required | Description | ||
|---|---|---|---|---|
| rule | string | required | — | Built-in check ID to override (e.g. CS-JS-001, CS-PY-014). |
| severity | severity | optional | — | New severity. Omit if you only want to suppress. |
| suppress | true | optional | — | If true, suppress all findings from this check in matched files. |
| in | string[] | optional | all files | Scope this override to specific files. Omit = global. |
| reason | string | optional | — | Required when suppress: true. Explain why. |
overrides:
# Escalate SQL injection findings to critical for this repo
- rule: CS-JS-001
severity: critical
# Suppress a known false positive in analyzer source files
- rule: CS-JS-045
suppress: true
in: ["src/lib/analyzers/**"]
reason: "Analyzer source contains intentional vulnerable patterns as detection signatures."
# Downgrade a low-signal check
- rule: CS-TS-023
severity: lowFind check IDs in CodeSlick scan output — they appear as CS-JS-001, CS-PY-014, etc. in the id field of each finding.
Control when CodeSlick blocks a PR or fails a pre-commit hook. Omit the entire thresholds key to use the defaults.
| Field | Required | Default | Description | |
|---|---|---|---|---|
| block_pr_on | severity[] | optional | [critical, high] | Severities that cause the GitHub App to block a PR. |
| fail_cli_on | severity[] | optional | [critical] | Severities that cause the CLI pre-commit hook to exit 1. |
| max_findings | number | optional | 0 (no limit) | Block if total findings exceed this count. 0 = no count-based limit. |
Severity order: critical > high > medium > low
# Default — block PRs on critical+high, fail pre-commit on critical only
thresholds:
block_pr_on: [critical, high]
fail_cli_on: [critical]
# Strict — block on anything medium or above
thresholds:
block_pr_on: [critical, high, medium]
fail_cli_on: [critical, high]
# Count-based gate — block if total findings exceed 10
thresholds:
block_pr_on: [critical, high]
fail_cli_on: [critical]
max_findings: 10Skip files entirely. Excluded files are not scanned by any check — neither built-in checks nor custom prohibit/ require rules. Uses glob patterns.
exclude:
# Skip analyzer source files — they contain intentional vulnerable patterns
- "src/lib/analyzers/**"
# Skip generated code
- "src/generated/**"
- "**/*.generated.ts"
# Skip vendored third-party code
- "vendor/**"The same .codeslick.yml is read by all three CodeSlick surfaces. One policy, consistent enforcement everywhere.
Reads .codeslick.yml from the repo root before scanning staged files. Exits 1 if fail_cli_on thresholds are met.
npx codeslick installReads .codeslick.yml from the PR head commit. Posts a failing status check if block_pr_on thresholds are met.
Install via GitHub Marketplace.
Use check_security_policy to evaluate your policy at generation time in Cursor or Claude Desktop.
check_security_policy({
"repo_path": "/path/to/repo"
})A complete .codeslick.yml showing all six top-level fields.
version: "1"
# ── Custom rules ──────────────────────────────────────────────────────────────
prohibit:
- pattern: "eval\s*\("
message: "eval() is prohibited. Use JSON.parse() or a safe alternative."
severity: critical
in: ["src/**/*.ts", "src/**/*.tsx"]
- pattern: "console\.log.*(password|secret|token|key)"
message: "Logging credentials to console is a data leak."
severity: high
require:
- in: ["src/app/api/**/*.ts"]
pattern: "rateLimit|RateLimitPresets"
message: "All API routes must apply rate limiting."
severity: high
# ── Built-in check overrides ───────────────────────────────────────────────────
overrides:
- rule: CS-JS-001
severity: critical
- rule: CS-JS-045
suppress: true
in: ["src/lib/analyzers/**"]
reason: "Analyzer source contains intentional vulnerable patterns as detection signatures."
# ── Enforcement gates ──────────────────────────────────────────────────────────
thresholds:
block_pr_on: [critical, high]
fail_cli_on: [critical]
max_findings: 0
# ── Exclusions ────────────────────────────────────────────────────────────────
exclude:
- "src/lib/analyzers/**"
- "**/*.generated.ts"
- "vendor/**"Start with CodeSlick free. Add .codeslick.yml when you need custom rules.