← all rules

code/ai-todo-security

Security control deferred with a TODO/FIXME

mediumAI-generated codeai-generatedCWE-710any

What it detects

A TODO/FIXME/HACK comment defers a security control (auth, authorization, validation, sanitization, CSRF, encryption). AI-generated scaffolding routinely stubs these out and leaves the marker; the endpoint then ships without the control. Implement it or gate the code behind a feature flag until it exists.

How it runs

Applied line-by-line across source files, INCLUDING comments (the disclaimers and TODO markers are the signal). Matches placeholder credential literals, deferred-security TODO/FIXME comments, "not for production" disclaimers, and swallowed exceptions. The detector's own rule prose is skipped so the scanner doesn't flag itself.

Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.