code/ai-todo-security
Security control deferred with a TODO/FIXME
What it detects
A TODO/FIXME/HACK comment defers a security control (auth, authorization, validation, sanitization, CSRF, encryption). AI-generated scaffolding routinely stubs these out and leaves the marker; the endpoint then ships without the control. Implement it or gate the code behind a feature flag until it exists.
How it runs
Applied line-by-line across source files, INCLUDING comments (the disclaimers and TODO markers are the signal). Matches placeholder credential literals, deferred-security TODO/FIXME comments, "not for production" disclaimers, and swallowed exceptions. The detector's own rule prose is skipped so the scanner doesn't flag itself.
Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.