
- guides
Your first critiq check: reading pretty output like a senior review
Run critiq check locally: install the OSS CLI, read pretty and JSON output, and triage severity, rule IDs, and fixes like a senior review.
Read articleOpen source
Run npx @critiq/cli check in any repo. Critiq prompts you to install the public rules catalog when it is missing, then prints findings you can trace to inspectable rules.
# prompts to install @critiq/rules when missing (interactive)npx @critiq/cli check .critiq v1.0.0 @critiq/rules · 435 rules loadedscanning 128 files ............ done (1.2s)src/api/session.ts:9 high ts.security.hardcoded-credentials Literal secret in source. Load it from the environment.src/db/users.ts:24 high ts.security.sql-interpolation User input concatenated into SQL. Use a parameterized query.src/lib/price.ts:5 med ts.correctness.use-number-is-nan2 high · 1 medium across 3 files# critiq rules explain <id> to read any ruleQuickstart
Start with npx @critiq/cli check from any repository. In an interactive terminal, Critiq detects your package manager and prompts you to install @critiq/rules when the catalog is missing. You can also Pin both packages for CI and non-interactive runs.
No account and no upload. Critiq reads your files and prints findings in the terminal.
npx @critiq/cli check .npm install -D @critiq/cli @critiq/rulesWhat it checks
The public @critiq/rules catalog spans security, correctness, performance, and quality, with framework packs for the stacks you already use.
How it works
Start with npx @critiq/cli check .. Critiq prompts to install @critiq/rules when needed, or pin npm install -D @critiq/cli @critiq/rules for CI.
npx @critiq/cli check .Point Critiq at your repo, a diff against main, or just your staged changes.
critiq check .Every finding prints a rule id you can open and inspect, with references and the fix it expects.
critiq rules explain ts.security.sql-interpolationEmit JSON or SARIF and fail the build on the severities your team actually cares about.
critiq check . --format sarif --fail-on highHigh-value rules
A look at rules that catch real bugs before they ship. Each one is a small file you can open, test, and tune.
8 export function signSession(user: User) {9- const secret = "sk_live_7f3a9c2e1b4d";9+ const secret = process.env.SESSION_SIGNING_SECRET;10 return jwt.sign({ sub: user.id }, secret);Surfaces literal secrets in source so signing keys never land in git history.
ts.security.hardcoded-credentialsView this ruleCLI reference
The CLI runs the same rules locally and in CI. Switch tabs to see the commands your team will reach for most.
Scan a directory with the configured rules catalog.
critiq check src/Run npx @critiq/cli check, install the rules catalog when prompted, and open the rules behind each finding.