
Know what to check — before you merge.

An AI-native code review knowledge base. Structured rules with bad-to-good examples, CWE/OWASP mappings, and detection hints that your AI coding agent actually understands.

enable-rls-on-every-table.md
---
title: Enable RLS on Every Table
impact: CRITICAL
detection_grep: "CREATE TABLE public\."
---

-- Bad: table without RLS
CREATE TABLE public.documents (
  id uuid PRIMARY KEY DEFAULT gen_random_uuid(),
  owner_id uuid REFERENCES auth.users(id),
  title text NOT NULL,
  content text
);
-- No RLS! Any user with the anon key can read/write all documents.

-- Good: RLS enabled, with one policy per operation
CREATE TABLE public.documents (
  id uuid PRIMARY KEY DEFAULT gen_random_uuid(),
  owner_id uuid REFERENCES auth.users(id),
  title text NOT NULL,
  content text
);

ALTER TABLE public.documents ENABLE ROW LEVEL SECURITY;

-- Users can only see their own documents
CREATE POLICY "users read own documents"
  ON public.documents FOR SELECT
  USING (owner_id = auth.uid());

-- Users can only insert documents they own
CREATE POLICY "users insert own documents"
  ON public.documents FOR INSERT
  WITH CHECK (owner_id = auth.uid());

-- Users can only update their own documents
CREATE POLICY "users update own documents"
  ON public.documents FOR UPDATE
  USING (owner_id = auth.uid())
  WITH CHECK (owner_id = auth.uid());

-- Users can only delete their own documents
CREATE POLICY "users delete own documents"
  ON public.documents FOR DELETE
  USING (owner_id = auth.uid());
Rules for frameworks you already use: Next.js, Supabase, WordPress, SOLID Architecture
The problem

Code review is broken

Existing tools leave critical gaps between what gets caught and what ships to production.

01

Linters catch syntax, not logic

ESLint finds unused variables, not missing auth checks. Your linter won't tell you that a server action is missing CSRF protection.

✓ no-unused-vars
✓ no-console
✗ missing-auth-check
✗ csrf-protection
02

AI tools review without context

Generic AI code reviews give shallow, inconsistent feedback. Without structured rules, every review is a coin flip of what gets caught.

"Looks good to me"

"Consider error handling"

"No issues found"

03

OWASP docs aren't actionable

Security standards describe vulnerabilities in the abstract. Developers need framework-specific bad-to-good examples they can act on immediately.

A03:2021 — Injection

"An application is vulnerable when user-supplied data is not validated, filtered, or sanitized…"

The solution

What BeforeMerge does differently

A knowledge base built for the age of AI-assisted development. Structured rules that both humans and AI agents can understand.

Structured rule format

Every rule has frontmatter metadata, bad-to-good code examples, impact levels, and detection hints. Machine-readable by design.

AI-native from day one

Rules are written for AI agents to consume. Install a skill, and your Claude Code, Cursor, or Codex session loads the rules automatically.

CWE & OWASP mapped

Every security rule maps to CWE identifiers and OWASP Top 10 categories. Compliance teams get traceability, developers get context.

Framework-specific

Not generic advice. Rules target Next.js App Router patterns, Supabase RLS, WordPress hooks, and SOLID architecture in practice.

Rule format

Every rule follows a structured format

Rules are Markdown files with YAML frontmatter. The consistent structure makes them parseable by AI agents and easy for humans to contribute.

1

Frontmatter metadata

Every rule starts with structured YAML frontmatter: title, impact severity (CRITICAL/HIGH/MEDIUM/LOW), CWE and OWASP mappings for compliance, detection patterns for automated scanning, and categorization tags.

This metadata powers AI agents, scanner tools, and compliance reports — all from a single source of truth.

2

Bad code example

A realistic, framework-specific code snippet that demonstrates the vulnerability or anti-pattern exactly as it appears in production codebases.

Written to match real-world patterns — not contrived textbook examples. Your AI agent learns what to flag.

3

Good code example

The corrected version showing the secure, performant, or idiomatic way to write the same code, with explanatory inline comments.

AI agents use this to suggest specific fixes, not just point out problems. Developers see exactly what to change.

4

Detection patterns

Semgrep patterns, grep commands, and regex hints that automated tools use to find potential violations across entire codebases in seconds.

These auto-generate scanner configurations — connect a repo, and BeforeMerge starts finding issues immediately.

sec-rls-every-table.md
---
title: Enable RLS on Every Table
impact: CRITICAL
cwe: ["CWE-862"]
owasp: ["A01:2021"]
detection_grep: "create table"
tags: [security, supabase, rls]
---

## Enable RLS on Every Table

**Impact: CRITICAL**

Every Supabase table must have Row Level Security enabled or its data is publicly accessible.

-- Bad: Table without RLS
create table posts (
  id uuid primary key,
  user_id uuid references auth.users,
  content text
);
-- Anyone can read/write all posts

-- Good: RLS enabled with policy
create table posts (
  id uuid primary key,
  user_id uuid references auth.users,
  content text
);
alter table posts enable row level security;
create policy "Users manage own posts"
  on posts for all
  using (auth.uid() = user_id);
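The rule-format section above describes frontmatter plus a detection hint, and the card shows what one such rule looks like. The following added example (not BeforeMerge's own code or CLI) shows how an agent or scanner could consume such a file: it parses the flat YAML frontmatter with a minimal hand-written parser, runs the rule's `detection_grep` hint as a triage step, and then applies the rule's actual check, listing every created table that never gets `ENABLE ROW LEVEL SECURITY`. The rule text and the migration SQL are constructed inline; function names, the regexes and the `review` result shape are assumptions for illustration. It also covers two caveats the card does not spell out: the grep hint must be matched case-insensitively (the card's hint is lowercase, the first rule's hint and most migrations are uppercase), and a table with RLS enabled but no policy denies all access to non-owner roles, which is safe but usually unintended.

```python
"""Added example, not BeforeMerge's code: consume a rule file and check SQL migrations."""
import re

# Constructed rule file, modelled on the sec-rls-every-table.md card.
RULE_MD = """---
title: Enable RLS on Every Table
impact: CRITICAL
cwe: ["CWE-862"]
owasp: ["A01:2021"]
detection_grep: "create table"
tags: [security, supabase, rls]
---

## Enable RLS on Every Table
"""

# Constructed migration: one compliant table, one missing RLS, one with RLS but no policy.
MIGRATION_SQL = """CREATE TABLE public.documents (
  id uuid PRIMARY KEY DEFAULT gen_random_uuid(),
  owner_id uuid REFERENCES auth.users(id),
  title text NOT NULL,
  content text
);
ALTER TABLE public.documents ENABLE ROW LEVEL SECURITY;
CREATE POLICY "users read own documents"
  ON public.documents FOR SELECT
  USING (owner_id = auth.uid());

CREATE TABLE public.audit_log (
  id bigserial PRIMARY KEY,
  actor_id uuid,
  action text
);
-- audit_log: RLS never enabled, so the anon key can read and write every row.

create table invites (
  id uuid primary key,
  email text
);
alter table invites enable row level security;
-- invites: RLS on but no policy, so non-owner roles get nothing (safe, probably unintended).
"""


def parse_frontmatter(text):
    """Minimal parser for the flat `key: value` frontmatter shown on the page.
    Strips quotes and splits `[a, b]` into lists; a real tool would use PyYAML."""
    m = re.match(r"^---\n(.*?)\n---\n", text, re.S)
    if not m:
        raise ValueError("no frontmatter block")
    meta = {}
    for line in m.group(1).splitlines():
        key, _, value = line.partition(":")  # split on the first colon only
        value = value.strip()
        if value.startswith("[") and value.endswith("]"):
            meta[key.strip()] = [v.strip().strip("\"'") for v in value[1:-1].split(",") if v.strip()]
        else:
            meta[key.strip()] = value.strip("\"'")
    return meta


def grep_hits(pattern, sql):
    """Apply the rule's detection_grep hint like `grep -in` would: 1-based line numbers.
    Case-insensitive on purpose: the hint is lowercase, most migrations are not."""
    return [i + 1 for i, line in enumerate(sql.splitlines()) if re.search(pattern, line, re.I)]


# Regexes are an assumption for illustration; they cover the forms used on this page.
TABLE_RE = re.compile(r'create\s+table\s+(?:if\s+not\s+exists\s+)?(?:public\.)?"?(\w+)"?', re.I)
RLS_RE = re.compile(r'alter\s+table\s+(?:public\.)?"?(\w+)"?\s+enable\s+row\s+level\s+security', re.I)
POLICY_RE = re.compile(r'create\s+policy\s+(?:"[^"]*"|\w+)\s+on\s+(?:public\.)?"?(\w+)"?', re.I)


def tables_without_rls(sql):
    """The rule's real check: tables created but never given ENABLE ROW LEVEL SECURITY."""
    return sorted(set(TABLE_RE.findall(sql)) - set(RLS_RE.findall(sql)))


def rls_without_policy(sql):
    """Secondary finding: RLS enabled but no policy, i.e. default-deny for non-owner roles."""
    created, enabled = set(TABLE_RE.findall(sql)), set(RLS_RE.findall(sql))
    return sorted((created & enabled) - set(POLICY_RE.findall(sql)))


def review(rule_md, sql):
    """Combine frontmatter (title, impact, mappings), the grep triage and the semantic check."""
    meta = parse_frontmatter(rule_md)
    return {
        "title": meta["title"],
        "impact": meta["impact"],
        "cwe": meta["cwe"],
        "owasp": meta["owasp"],
        "grep_hits": grep_hits(meta["detection_grep"], sql),
        "tables_without_rls": tables_without_rls(sql),
        "rls_without_policy": rls_without_policy(sql),
    }


if __name__ == "__main__":
    r = review(RULE_MD, MIGRATION_SQL)
    print(f"[{r['impact']}] {r['title']} ({', '.join(r['cwe'] + r['owasp'])})")
    print(f"  grep hint matched lines {r['grep_hits']}")
    for t in r["tables_without_rls"]:
        print(f"  finding: table {t!r} created without ENABLE ROW LEVEL SECURITY")
    for t in r["rls_without_policy"]:
        print(f"  note: table {t!r} has RLS enabled but no policy (all access denied)")
```

The grep hint is only a triage filter: the first card's hint `CREATE TABLE public\.` misses the unqualified `create table invites`, and the second card's `create table` matches compliant tables too. The finding comes from diffing created tables against the ones that enabled RLS, which is what a reviewer would actually verify.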
Get started

Get started in 30 seconds

No dashboard to configure. No CI pipeline to set up. One command, instant code review intelligence.

01

Install in one click or one command

Click the Install button on any rule, or run one CLI command. Works with Claude Code, Cursor, GitHub Copilot, Windsurf, Cline, Codex, Aider, and Continue.

$ npx @beforemerge/cli install nextjs-security --type skills
02

AI agent loads the rules

Your AI coding agent reads the structured rules automatically. Add them to your project config — the agent understands what to look for.

Claude Code (CLAUDE.md):
# Rules Include: https://beforemerge.com/api/v1/public/rules/no-eval
Cursor (.cursorrules):
# Security Rules @beforemerge/nextjs-security
Windsurf (.windsurfrules):
# Code Review @beforemerge/react-best-practices
03

Get actionable feedback

Instead of vague suggestions, you get specific, framework-aware review feedback with bad-to-good examples and compliance mappings.

Early Access

Be first to know when BeforeMerge launches

We're building a SaaS platform that automatically scans your PRs against these rules. Join the waitlist for early access.

No spam. Unsubscribe anytime. We'll only email about launch updates.

Open source

Open source, MIT licensed

All 172 rules are open source and free to use. The skills repo is community-driven — contribute new rules, improve existing ones, or build skills for new frameworks.

terminal
$ git clone beforemerge-skills
$ cd beforemerge-skills
$ cp templates/rule.md skills/my-skill/
# Write your rule, open a PR