← all rules

code/ai-demo-disclaimer

“Not production-ready” disclaimer left in code

lowAI-generated codeai-generatedCWE-1059any

What it detects

A generated disclaimer ("in a real application you would…", "for demonstration purposes only", "this is a simplified example", "don't do this in production") signals the surrounding code was scaffolded, not hardened — frequently next to a missing check or an insecure shortcut. Review the adjacent code for the control the comment admits is absent.

How it runs

Applied line-by-line across source files, INCLUDING comments (the disclaimers and TODO markers are the signal). Matches placeholder credential literals, deferred-security TODO/FIXME comments, "not for production" disclaimers, and swallowed exceptions. The detector's own rule prose is skipped so the scanner doesn't flag itself.

Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.