Examples - CodeAnt AI

The following examples provide targeted custom prompts that can be integrated into your AI-powered PR review workflows. Our customers find these particularly helpful for their repos across frameworks like Spring Boot and React. Use these as templates or extend them to align with your team’s coding standards and architectural principles.

React

## Direct DOM Manipulation
Flag any use of `document.getElementById`, `querySelector`, `innerHTML`, or other direct DOM APIs inside React components (including in `useEffect`), since React’s virtual DOM and refs should be used instead.

## Excessive Inline Styles
Flag JSX elements with large objects in `style={{…}}`—especially when reused—rather than defining CSS classes or styled-components for maintainability and performance.

## Uncontrolled to Controlled Component Switch
Flag components that change from uncontrolled (no `value` prop) to controlled (with `value`) between renders, which can lead to React warnings and inconsistent state.

## Stale Closures in Hooks
Flag cases where callbacks inside `useEffect` or `useCallback` reference state/props without listing them in the dependency array, as this causes outdated values to be used.

Angular

## Direct DOM Access Bypassing Angular Renderer
Flag any `document.querySelector`, `element.nativeElement`, or jQuery usage in components—instead use `Renderer2` or Angular’s template bindings to stay framework-compliant.

## Overuse of `any` in TypeScript
Flag function parameters or variables typed as `any` throughout services or components, which defeats Angular’s compile-time type safety.

## Putting Business Logic in Templates
Flag complex expressions or loops in the HTML template (e.g., `*ngIf="computeSomething(x)"`), which should be moved into the component class for readability and testability.

## Missing Subscription Cleanup
Flag subscriptions to `Observables` in `ngOnInit` that are not unsubscribed in `ngOnDestroy`, leading to memory leaks in long‐running applications.

Vue.js

## Mutating `props` Directly
Flag any assignment to a prop inside a child component (e.g., `this.propValue = ...`), which should instead be emitted back to the parent or copied to local data.

## Using `$forceUpdate` to Bypass Reactivity
Flag instances of `this.$forceUpdate()` or manually triggering watchers instead of fixing the reactive data flow.

## Logic-heavy Templates
Flag templates containing complex JavaScript (e.g., inline methods or filters doing heavy computation)—move that logic into computed properties or methods in the component script.

## Unremoved Watchers and Event Listeners
Flag watchers or `$on` event handlers set up in `mounted()` that aren’t properly torn down in `beforeDestroy()`, which can cause memory leaks.

Django

## Hardcoded Secrets in Settings
Flag any API keys, database passwords, or tokens hardcoded in `settings.py` instead of using environment variables (`os.getenv`) or a secrets manager.

## Raw SQL without Parameterization
Flag any `cursor.execute(f"SELECT … {user_input}")` usage—instead use Django’s ORM or `cursor.execute("… WHERE x = %s", [user_input])` to prevent SQL injection.

## Mass Assignment on Forms or Models
Flag `Model.objects.create(**request.POST)` or `form.save(commit=True)` without specifying `fields` or using `cleaned_data`, which can expose unintended fields.

## Unvalidated File Uploads
Flag file upload handlers (e.g., `request.FILES['file']`) that don’t check file type or size before saving, exposing the app to malicious uploads.

Spring Boot

## Hardcoded Secrets or Credentials
Flag API keys, passwords, or tokens hardcoded in `.java` or `.properties` files.

## SQL Injection via Unparameterized Queries
Flag dynamic SQL built using string concatenation or user inputs without parameter binding.

## Command Injection via Runtime Execution
Flag use of `Runtime.exec()` or `ProcessBuilder` with unsanitized user inputs.

## Insecure Deserialization
Flag uses of `ObjectInputStream.readObject()` on untrusted input sources.

## Unvalidated Input in Controllers
Flag missing validation annotations (`@Valid`, `@NotNull`, etc.) on `@RequestBody`, `@PathVariable`, or `@RequestParam` parameters.

Express.js

## Missing Error Handling in Async Routes
Flag `async` route handlers without `try/catch` or a wrapper to forward errors to `next()`, which can cause unhandled promise rejections.

## Unvalidated `req.body` and `req.params`
Flag any use of user inputs directly (e.g., `User.find(req.params.id)`) without schema validation via Joi, express-validator, or similar.

## Use of `eval()` or `Function()` Constructors
Flag any `eval()` calls or dynamic function creation from user inputs, as they enable arbitrary code execution.

## Insecure Cookie Configuration
Flag cookies set without `HttpOnly`, `Secure`, or proper `SameSite` attributes in `res.cookie()` calls.

Laravel

## Mass Assignment without `$fillable` or `$guarded`
Flag `Model::create($request->all())` when the model doesn’t declare safe `$fillable` fields.

## Raw Queries without Bindings
Flag `DB::select("SELECT … WHERE id = $id")`—use parameter binding (`?` or named bindings) or Eloquent methods to avoid SQL injection.

## Missing CSRF Protection
Flag forms or AJAX routes lacking `@csrf` in Blade templates or `$request->validate()` in controllers.

## Committed `.env` with Secrets
Flag any project commits that include the `.env` file containing database credentials or API keys.

Ruby on Rails

## Mass Assignment via `params` without Strong Parameters
Flag controllers using `Model.create(params[:model])` without whitelisting via `params.require(:model).permit(...)`.

## N+1 Query Patterns
Flag view or controller code like `@users.each { |u| u.posts.count }` instead of eager loading with `includes(:posts)`.

## Skipping Model Validations
Flag calls to `save(validate: false)` or `update_column` that bypass ActiveRecord validations.

## Unhandled Exceptions in Callbacks
Flag `after_save` or `before_destroy` callbacks without error handling, which can break request flows.

ASP .NET Core

## Dynamic SQL via String Interpolation
Flag any `context.Database.ExecuteSqlRaw($"…{userInput}…")` or concatenated SQL strings—instead use parameterized queries.

## Missing Anti-Forgery Token Validation
Flag POST actions without `[ValidateAntiForgeryToken]` when using Razor Pages or MVC forms.

## Exposing Sensitive Data in ViewBag/ViewData
Flag passing secrets or tokens through `ViewBag` or `ViewData` for use in Razor views.

## Improper CORS Configuration
Flag overly permissive CORS policies in `AddCors` (e.g., `AllowAnyOrigin`) that expose APIs unintentionally.

PySpark

## Calling `collect()` on Large RDDs/DataFrames
Flag any `df.collect()` or `rdd.collect()` on datasets >100K records, which can OOM the driver—use `take()` or write to storage instead.

## User-Defined Functions (UDFs) over Built-ins
Flag use of `udf(myFunc)` for simple operations that Spark already optimizes (e.g., string, date functions)—opt for Spark SQL functions.

## Joins without Broadcast for Small Tables
Flag large DataFrame `.join(smallDf, on, "left")` without using `broadcast(smallDf)`, leading to skewed shuffles.

## Caching Too Early or Too Much
Flag `.cache()` on DataFrames before pruning unnecessary columns or filtering, which wastes executor memory.

Meteor

## Overusing `autopublish` Package
Flag projects where `autopublish` is not removed, exposing all collections to the client by default.

## Insecure `allow/deny` Rules
Flag any `Collection.allow({ ... })` or `deny` settings permitting broad inserts/updates without checking `this.userId` or document ownership.

## Publishing Excessive Fields
Flag publications that return whole documents (e.g., `return Collection.find()`) instead of selective fields to minimize data exposure.

## Unchecked Meteor Method Inputs
Flag Meteor methods that access `this.userId` but do not validate or sanitize the `args` object, inviting injection attacks.

Svelte

## Direct DOM API Usage
Flag any `document.querySelector`, `addEventListener`, or manual DOM updates inside components—instead use Svelte’s reactive bindings.

## Mutable Store Updates without `update()`
Flag direct assignments to store values (e.g., `myStore.set = …`) rather than using `myStore.update(...)`, which can break reactivity.

## Heavy Computation in Markup
Flag long-running loops or calculations in the template (e.g., `{#each bigArray.map(...) as item}`)—move logic into a `<script>` reactive statement.

## Uncleaned Subscriptions on Destroy
Flag stores or event subscriptions created in `onMount()` that are not unsubscribed in `onDestroy()`, causing memory leaks.

Get Started