Skip to main content

Open source

The CLI that reviews your code against rules you can read.

Run npx @critiq/cli check in any repo. Critiq prompts you to install the public rules catalog when it is missing, then prints findings you can trace to inspectable rules.

  • Open source
  • Runs locally
  • No black box
bash
# prompts to install @critiq/rules when missing (interactive)npx @critiq/cli check .critiq v1.0.0   @critiq/rules · 435 rules loadedscanning 128 files ............ done (1.2s)src/api/session.ts:9   high   ts.security.hardcoded-credentials  Literal secret in source. Load it from the environment.src/db/users.ts:24     high   ts.security.sql-interpolation  User input concatenated into SQL. Use a parameterized query.src/lib/price.ts:5     med    ts.correctness.use-number-is-nan2 high · 1 medium across 3 files# critiq rules explain <id> to read any rule

Quickstart

Run a scan in under a minute

Start with npx @critiq/cli check from any repository. In an interactive terminal, Critiq detects your package manager and prompts you to install @critiq/rules when the catalog is missing. You can also Pin both packages for CI and non-interactive runs.

No account and no upload. Critiq reads your files and prints findings in the terminal.

bash
npx @critiq/cli check .
bash
npm install -D @critiq/cli @critiq/rules

What it checks

Four lanes of feedback, one transparent catalog.

The public @critiq/rules catalog spans security, correctness, performance, and quality, with framework packs for the stacks you already use.

  • TypeScript
  • JavaScript
  • Python
  • Java
  • Go
  • Ruby
  • Rust
  • PHP
Security
Auth gaps, injection, unsafe execution, SSRF, weak crypto, and framework-specific misconfigurations. Security rules cite CWE and OWASP references where relevant.
Correctness
Logic footguns, async mistakes, empty catches, and language-specific correctness patterns that slip past review.
Performance
Hot-loop allocations, redundant fetches, unbounded concurrency, and render-path inefficiencies.
Quality
Maintainability smells, testing hygiene, and consistency rules that keep reviews calm and actionable.

How it works

From install to a gated pull request.

  1. Run critiq check

    Start with npx @critiq/cli check .. Critiq prompts to install @critiq/rules when needed, or pin npm install -D @critiq/cli @critiq/rules for CI.

    npx @critiq/cli check .
  2. Run a review

    Point Critiq at your repo, a diff against main, or just your staged changes.

    critiq check .
  3. Read the rule

    Every finding prints a rule id you can open and inspect, with references and the fix it expects.

    critiq rules explain ts.security.sql-interpolation
  4. Gate in CI

    Emit JSON or SARIF and fail the build on the severities your team actually cares about.

    critiq check . --format sarif --fail-on high

CLI reference

One binary, every review workflow.

The CLI runs the same rules locally and in CI. Switch tabs to see the commands your team will reach for most.

Scan a directory with the configured rules catalog.

critiq check src/
Read the full CLI reference
npx @critiq/cli check .

Run it locally. Read every rule. Decide from the output.

Run npx @critiq/cli check, install the rules catalog when prompted, and open the rules behind each finding.