Avoid literal secrets in source. Load signing keys from the environment or your secrets manager.
src/user/auth.ts
export function signSession(user: User) {
-  const secret = "sk_live_7f3a9c2e1b4d";
+  const secret = process.env.SESSION_SIGNING_SECRET;
  return jwt.sign({ sub: user.id }, secret);
}
Every finding ties to a rule you can read.
Critiq reviews your code against explicit rules; no black-box guesses. Read, test, and tune every finding before you merge.
- Transparent Rules
- Privacy First
- Developer Focused
What is Critiq OSS?
A code reviewer that shows its work.
Most tools hand you a verdict and ask you to trust it. Critiq does the opposite. It points at the exact line, names the rule it broke, and lets you read that rule yourself. That is how review stays transparent and predictable: you inspect the rule behind each finding and know what will catch the same issue next time.
Critiq is an open source command-line reviewer for the code you write every day. It reads your changes against a catalog of explicit rules and reports findings you can trace straight back to the line that triggered them.
There is no model guessing in the background, and nothing leaves your machine. Each rule is a small, inspectable file: open it, read what it looks for, test it against your own code, and tune it until the feedback fits the way your team actually works.
The result is review you can reason about. When Critiq flags something, you know why, and when it stays quiet, that silence means something too.
Inner and outer loop
Review while you write, not only when you open a PR.
Most tools live in the outer loop: they comment after a pull request is open. Critiq is built for the inner loop too, so the same deterministic rules can meet you at the keyboard and follow the change to merge.
You work on a branch while the change is still local. Critiq can meet you before anything is pushed, not only after a pull request exists.
Today, Critiq ships the outer loop through the OSS CLI and GitHub Action, and the inner loop through local MCP, agent skills and an agent plugin.
Inner loop: Branch
Why Critiq OSS
- Open source
- The CLI and the rules catalog are public. Read the source behind every check.
- Runs where you do
- Scan locally, in CI, or through the GitHub Action. Same rules, same output.
- Readable rules
- No black box. Every finding maps to a rule you can open, test, and change.
Automated code reviews that actually help.
Critiq surfaces findings where you already work, in the diff, with a clear rule and a fix you can apply before merge.
- Actionable suggestions tied to real rules, not vague AI guesses.
- Consistent standards across your team and CI.
- Faster reviews that still respect craft and context.
src/user/auth.ts
export function signSession(user: User) {
-  const secret = "sk_live_7f3a9c2e1b4d";
+  const secret = process.env.SESSION_SIGNING_SECRET;
  return jwt.sign({ sub: user.id }, secret);
}
High  ts.security.hardcoded-credentials
Rule `ts.security.hardcoded-credentials`: avoid literal secrets in source. Load signing keys from the environment or your secrets manager.
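As an added illustration of what the finding above checks (this is not Critiq's rule engine or its YAML rule format, and the regex, the Finding shape and the loader helper are assumptions), a small detector flags a string literal assigned to a credential-looking identifier, and a fail-closed loader shows the fixed side of the diff not silently passing an unset SESSION_SIGNING_SECRET into jwt.sign:

```typescript
// Added example; not Critiq's own code. Rule id taken from the finding above.
export const RULE_ID = "ts.security.hardcoded-credentials";

export type Finding = { line: number; rule: string; message: string };

// Assumption: a credential-looking name assigned or keyed to a quoted literal
// of at least 8 characters. Reading from process.env never matches, because
// the right-hand side is not a quoted string.
const CREDENTIAL_LITERAL =
  /\b(secret|token|password|passwd|api[_-]?key|private[_-]?key)\w*\s*[:=]\s*(["'`])([^"'`]{8,})\2/i;

// Scan source text line by line and report one finding per offending line.
export function findHardcodedCredentials(source: string): Finding[] {
  const findings: Finding[] = [];
  source.split("\n").forEach((text, idx) => {
    const m = CREDENTIAL_LITERAL.exec(text);
    if (!m) return;
    findings.push({
      line: idx + 1,
      rule: RULE_ID,
      message: `literal credential assigned to "${m[1]}"; load it from the environment or a secrets manager`,
    });
  });
  return findings;
}

// Fail closed: the fixed snippet on this page reads process.env directly, so an
// unset variable would reach jwt.sign as undefined. Callers pass process.env.
export function loadSigningSecret(env: Record<string, string | undefined>): string {
  const value = env.SESSION_SIGNING_SECRET;
  if (!value || value.trim() === "") {
    throw new Error("SESSION_SIGNING_SECRET is not set; refusing to sign sessions");
  }
  return value;
}

// Constructed samples: the before and after sides of the diff shown above.
export const SAMPLE_BEFORE = `export function signSession(user: User) {
  const secret = "sk_live_7f3a9c2e1b4d";
  return jwt.sign({ sub: user.id }, secret);
}`;

export const SAMPLE_AFTER = SAMPLE_BEFORE.replace(
  '"sk_live_7f3a9c2e1b4d"',
  "process.env.SESSION_SIGNING_SECRET",
);
```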
What ships in OSS
Rules you can read, test, and trust.
The public @critiq/rules catalog is free and open source. Every finding maps to a YAML rule you can open, validate, and run locally with the same output in CI.
- TypeScript
- JavaScript
- Python
- Java
- Go
- Ruby
- Rust
- PHP
435+ rules in the public catalog
Curated checks across security, correctness, performance, and quality. Security rules cite CWE and OWASP references where relevant, with framework packs for React, Django, Spring, Rails, and more.
- 8 languages
- Polyglot source analysis
- 435+ rules
- In @critiq/rules today
Security
Injection, auth gaps, unsafe execution, SSRF, weak crypto, and framework misconfigurations.
Correctness
Logic footguns, async mistakes, empty catches, and language-specific correctness patterns.
Performance
Hot-loop allocations, redundant fetches, unbounded concurrency, and render-path inefficiencies.
Quality
Maintainability smells, testing hygiene, and consistency rules that keep reviews calm and actionable.
Literal secret committed to source. Load the signing key from the environment so it never lands in git history.
Runs in your pipeline
The same rules on every pull request.
Add the official GitHub Action and Critiq reviews each pull request automatically: it installs the CLI, runs the checks, and posts findings where your team already reviews code.
- Inline review comments land on the exact changed lines in the diff.
- Findings are deduplicated so repeat commits on a pull request do not post the same comments again.
- Severity gates can block a merge on the issues you actually care about.
- No hosted account required. The action runs the open source CLI and rules.
Questions, answered
What developers ask before installing.
Straight answers about what Critiq is, how it runs locally, and how it differs from AI review tools.
See all FAQs
Run the CLI. Inspect the rules. Decide from the output.
Start with the docs: install the CLI, run your first scan, and read the rules behind every finding.