Rule packs
Rule packs are bundles of detection patterns and policy checks that Pullminder runs against every pull request. Each pack targets a specific concern — leaked secrets, language-specific vulnerabilities, workflow standards, and more. When a pattern matches a line in the PR diff, Pullminder creates a finding that feeds into the risk score.
Detection packs vs policy packs
Pullminder ships two kinds of rule packs:
- Detection packs use regex pattern matching against the PR diff to find security issues, risky code patterns, and notable changes. Each pattern targets specific languages or file types and carries a severity level.
- Policy packs enforce team workflow standards such as test naming conventions, PR description quality, and commit message formatting. They evaluate structural properties of the PR rather than individual lines of code.
Both kinds of packs produce findings that contribute to the overall risk score.
How packs are evaluated
On every pull request event (open, synchronize, reopen), Pullminder fetches the diff and runs it through all enabled packs in order:
1. Each enabled pack iterates over its patterns.
2. Each pattern is matched against the relevant files in the diff, filtered by language and path.
3. When a pattern matches, Pullminder creates a finding with the pattern's severity, category, and suggested fix.
4. Findings are scored using the pack's scoring model and aggregated into the PR risk score.
Packs that do not match any file in the diff produce no findings and have zero impact on the score.
Actions
Every pack declares an action that determines what happens when it produces findings:
| Action | Behavior | Used by |
|---|---|---|
| flag | Add findings to the risk score and include them in the reviewer brief. This is the default. | Available as an override for any pack |
| warn | Post an inline comment on the PR for each finding. Findings also contribute to the risk score. | Most packs (language security, governance, policy, bot-detection, ai-detection, dependency-detection, sensitive-paths) |
| block | Set the Pullminder status check to "failure" so the PR cannot be merged until findings are resolved. | secrets, infra-security |
You can override the action for any pack in the dashboard under Settings > Rule packs.
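To make the evaluation steps and the action table concrete, here is an added Python model (not Pullminder's own code) that runs constructed packs over a constructed PR diff. The pack structure, the diff parsing and the additive scoring model are assumptions; only the flow follows the page: enabled packs iterate their patterns, each pattern is matched against added lines in files of a matching type, every match becomes a finding with severity, category and fix, findings are summed into a risk score, and a finding from a block pack sets the status check to failure.

```python
import re
# Constructed, simplified model of detection packs. Pullminder's real pack
# format is not described on this page, so this structure is an assumption.
PACKS = [
    {"slug": "secrets", "action": "block", "enabled": True, "patterns": [
        {"regex": r"AKIA[0-9A-Z]{16}", "severity": 9, "category": "credential",
         "fix": "Rotate the key and load it from a secret store", "exts": (".py", ".go", ".env")}]},
    {"slug": "python-security", "action": "warn", "enabled": True, "patterns": [
        {"regex": r"\beval\(", "severity": 6, "category": "code-injection",
         "fix": "Replace eval with ast.literal_eval or an explicit parser", "exts": (".py",)}]},
    {"slug": "go-security", "action": "warn", "enabled": False, "patterns": [   # disabled: skipped entirely
        {"regex": r"exec\.Command\(", "severity": 5, "category": "command-injection",
         "fix": "Build the argv list explicitly and never pass user input to a shell", "exts": (".go",)}]},
]

# Constructed PR diff (placeholder key, not a real credential): one added line
# in each file trips one of the enabled packs.
SAMPLE_DIFF = """\
+++ b/app/config.py
@@ -1,1 +1,2 @@
 import os
+AWS_KEY = "AKIAABCDEFGHIJKLMNOP"
+++ b/app/handlers.py
@@ -10,1 +10,1 @@
-    return parse(payload)
+    return eval(payload)
"""

def added_lines(diff):
    """Yield (path, text) for every line the PR adds; removed and context lines are ignored."""
    path = None
    for raw in diff.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
        elif raw.startswith("+") and path:
            yield path, raw[1:]

def evaluate(packs, diff):
    """Run every enabled pack over the diff and aggregate (additive scoring is an assumption)."""
    findings, lines = [], list(added_lines(diff))
    for pack in (p for p in packs if p["enabled"]):
        for pat in pack["patterns"]:
            rx = re.compile(pat["regex"])
            for path, text in lines:
                if path.endswith(pat["exts"]) and rx.search(text):      # filter by file type, then match
                    findings.append({"pack": pack["slug"], "path": path, "action": pack["action"],
                                     "severity": pat["severity"], "category": pat["category"], "fix": pat["fix"]})
    score = sum(f["severity"] for f in findings)
    # A single finding from a pack whose action is "block" fails the status check.
    status = "failure" if any(f["action"] == "block" for f in findings) else "success"
    return findings, score, status
```

A pack whose patterns match no file in the diff (here go-security, even if enabled) contributes nothing to the score, matching the behaviour described above.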
Default packs vs optional packs
Pullminder enables a set of default packs out of the box. These cover the most common concerns and require no configuration. Optional packs target specific languages or advanced use cases and must be enabled explicitly.
Available packs
The following packs are available from the official Pullminder registry at github.com/pullminder/registry.
Detection packs
| Slug | Name | Description | Default |
|---|---|---|---|
| secrets | Secrets | Leaked API keys, tokens, passwords, and credentials in code | Yes |
| go-security | Go Security | SQL injection, command injection, and unsafe pointer usage in Go | No |
| python-security | Python Security | Unsafe deserialization, eval, and SQL injection in Python | No |
| rust-security | Rust Security | Unsafe blocks and memory safety issues in Rust | No |
| ruby-security | Ruby Security | Mass assignment, command injection, and common Rails vulnerabilities | No |
| php-security | PHP Security | SQL injection, file inclusion, and remote code execution in PHP | No |
| react-security | React Security | XSS vectors, unsafe innerHTML, and client-side injection in React/JSX | No |
| infra-security | Infrastructure Security | Dockerfile, Kubernetes, Terraform, and CI/CD misconfiguration | Yes |
| bot-detection | Bot Detection | PRs opened by bots and automated tools | Yes |
| ai-detection | AI Detection | AI-generated code detection patterns | Yes |
| dependency-detection | Dependency Detection | Lockfile and manifest changes (package.json, go.sum, etc.) | Yes |
| java-security | Java Security | SQL injection, XXE, deserialization in Java | No |
| csharp-security | C# Security | SqlCommand injection, BinaryFormatter in C# | No |
| kotlin-security | Kotlin Security | WebView, SharedPreferences, exported component issues in Kotlin/Android | No |
| swift-security | Swift Security | ATS bypass, keychain, biometric auth issues in Swift/iOS | No |
| shell-security | Shell Security | Eval injection, curl-pipe, chmod issues in Shell/Bash | No |
| sensitive-paths | Sensitive Paths | Changes to auth, crypto, permissions, and infrastructure files | Yes |
Governance and cross-cutting packs
| Slug | Name | Description | Default |
|---|---|---|---|
| ai-senior-review | AI Senior Review Required | Requires senior reviewer approval for high-risk AI-generated PRs | Yes |
| pii-leakage | PII Leakage Detection | Detects PII (SSN, credit cards, emails) in logging and output contexts | No |
| crypto-anti-patterns | Cryptographic Anti-Patterns | Language-agnostic weak crypto detection (MD5, DES, ECB, small keys) | No |
| migration-safety | Migration Safety | Dangerous SQL migration patterns (DROP TABLE, type changes, missing defaults) | No |
| license-risk | License Risk Detection | Flags copyleft license introductions (GPL, AGPL, SSPL) in dependency manifests | No |
| owasp-mapping | OWASP Top 10 Mapping | Maps detection rules to OWASP Top 10 categories for compliance reporting | No |
Policy packs
| Slug | Name | Description | Default |
|---|---|---|---|
| test-conventions | Test Conventions | Test naming, coverage thresholds, and file organization standards | Yes |
| review-quality | Review Quality | PR description completeness, commit message format, and review standards | Yes |
Managing packs
Via the CLI
```sh
# List all available packs and their status
pullminder packs list

# Enable an optional pack
pullminder packs enable go-security

# Disable a default pack
pullminder packs disable bot-detection
```
Via the dashboard
Navigate to Settings > Rule packs in the Pullminder dashboard. Each pack shows its current status, the number of findings it has produced, and a toggle to enable or disable it. You can also override the action (flag, warn, block) for each pack from this view.
Custom registries
In addition to the official registry, you can configure a custom private registry for proprietary rule packs. Custom registries use the same pack format and can be hosted as a Git repository or served from an HTTP endpoint. See the Authoring custom packs guide for details on creating your own packs and registries.