Sentinel rules reference

Every Sentinel rule that ships with v1.0 — the 10 built-in HEX/NAM/SEC/TEST rules implemented in Go and the 11 documented YAML-loadable rules in the ARC/SEC/QC/DEPS families.

Updated: 2026-04-30

This is the canonical list of every Sentinel rule shipping with Korva v1.0. The first ten are implemented in Go inside the binary; the remaining are documented templates you can drop in .korva/rules/<rule-id>.yaml to enable.

Built-in rules (Go)

Hexagonal architecture

ID	Severity	Detects
HEX-001	Error	Domain layer importing from infrastructure or application
HEX-002	Error	Application layer importing from infrastructure
HEX-003	Error	`console.*` in `src/` (excluding tests)
HEX-004	Error	`new XAdapter(...)` outside `*.module.ts`
HEX-005	Warning	`: any` without a `// korva-ignore: <reason>`

Naming

ID	Severity	Detects
NAM-001	Error	Suffix `Dto` instead of `DTO`
NAM-002	Error	DI port token not `SCREAMING_SNAKE_CASE`
NAM-003	Warning	Files in `/adapters/` not following `*.adapter[.variant].ts`

Security

ID	Severity	Detects
SEC-001	Error	Hardcoded secrets — `password`, `api_key`, `secret`, `token` literals

Testing

ID	Severity	Detects
TEST-001	Warning	Tests in `__tests__/` or `test/` instead of co-located

Documented rules (YAML, opt-in)

Drop a <rule-id>.yaml file into .korva/rules/ and Sentinel will load it. The full canonical reference lives in sentinel/rules/AGENTS.md in the public repo.

Architecture (ARC-*)

ID	Detects
ARC-001	Imports of frameworks (`express`, `nestjs`, `prisma`…) inside domain/core
ARC-002	Functions over 25 LOC or DB calls inside HTTP handlers
ARC-003	`db.query`, `prisma.`, `mongoose.` outside repository/store

Security (SEC-* extensions)

ID	Detects
SEC-002	`logger.info(password)`, `console.log(token)` with sensitive variable names
SEC-003	Direct equality (`==`/`===`) over token / secret / HMAC / signature (timing attack)
SEC-004	CORS with `origin: ""` or `Access-Control-Allow-Origin: `
SEC-005	SQL in template literals with interpolation
SEC-006	`/admin`, `/internal`, `/users/:id` routes without auth middleware

Quality control (QC-*)

ID	Detects
QC-001	`console.log`, `debugger;`, `breakpoint()` in `src/`
QC-002	`: any` / `as any` without justification

Dependencies (DEPS-*)

ID	Detects
DEPS-001	Imports of vulnerable packages (`lodash<4.17.21`, `moment`, `node-serialize`, `eval()`)

Suppressions

Inline comment on the same line as the violation:

const publicData: any = response.data // korva-ignore: external API, no static type available

A bare // korva-ignore (no reason) is itself a violation.

Profiles

Profile	Active rules	Use case
`minimal`	SEC-001	Just starting
`standard` (default)	HEX-001/002/003 + SEC-001	Most teams
`strict`	All built-in rules	Mature teams

Pick the profile via --profile <name> or set KORVA_SENTINEL_PROFILE.

Adding a custom rule

Drop my-rule.yaml into .korva/rules/.
Specify a regex pattern, file glob, severity (error / warning), and a one-line message.
Run korva sentinel check to verify it fires where you expect.
Commit it — your team picks it up automatically when they pull.

Output formats

# Text — humans
korva sentinel check

# JSON — CI / tooling
korva-sentinel --format json

JSON shape:

{
  "scanned": 12,
  "passed": 10,
  "failed": 2,
  "findings": [
    {
      "rule": "SEC-001",
      "severity": "error",
      "file": "src/auth/AuthService.ts",
      "line": 14,
      "message": "Hardcoded secret detected",
      "snippet": "const secret = \"sk_live_4xK9mP...\""
    }
  ]
}