Configuring Code Review Doctor

Code Review Doctor checks over 70 security, performance, and maintainability problems.

This can be customized using a pyproject.toml file: add it to the root of your project and specify some check codes in enable and disable, like the examples below.

View the list of check codes here.
What is a pyproject.toml file? Read here.

Examples of Code Review Doctor pyproject.toml configuration

Example 1: Disable one check



disable = ["redundant-settings"]

Example 2: Disable multiple checks



disable = ["redundant-settings", "missing-hsts-subdomain"]

Example 3: Disable everything except x



disable = ["all"]

enable = ["redundant-settings", "missing-hsts-subdomain"]

Example 4: Targeting sub-directories and ignoring folders



directories = ["my_app_one", "my_app_two"]

ignore = ["my_app_one/tests", "my_app_two/tests"]

Check codes

Use these codes in the enable and disable section of your pyproject.toml file to customize the checks that Code Review Doctor performs.

django-version-supportDjango version is not maintained
django-minor-versionDjango bug fixes and additional features available
nullable-string-fieldNullable string field
tall-modelTall Model
redundant-default-argsRedundant default arguments
field-null-not-blankField allows null but not blank
brittle-unique-forBrittle unique_for
missing-related-nameForeignKey missing related_name
huge-max-lengthCharField with huge max_length
deprecated-nullboolean-fieldDeprecated NullBooleanField
non-unique-primaryNon-unique primary_key
model-method-orderModel method order
model-common-prefixTall with a common prefix
middleware-orderMiddleware order
template-dir-relativeRelative path in TEMPLATES setting
template-dir-backslashBack slashes in TEMPLATES settings
middleware-order-endMiddleware should be near the end
middleware-order-topMiddleware should be near the top
redundant-settingRedundant setting
direct-import-settingsImporting setting file directly
missing-security-middlewareSecurity middleware not activated
missing-xframe-middlewareClickjacking protection not activated
missing-csrf-middlewareCross Site Request Forgery protection not activated
missing-hsts-middlewareHTTP Strict Transport Security protection not activated
missing-hsts-subdomainUse HSTS for subdomainsd
missing-secure-content-type-nosniffBrowser can be tricked into executing uploaded malicious code
missing-secure-ssl-redirectUse HTTPS
missing-session-cookie-secureSession cookie is vulnerable to packet sniffing attack
missing-session-cookie-http-onlySession cookie is vulnerable to XSS attack
missing-csrf-secureCross Site Request Forgery protection weak to packet sniffing
missing-hsts-preloadUse HSTS browser preload
checking-settings-debugUsing settings.DEBUG as a feature flag hinders testing
misplaced-admin-classAdmin class not in
non-unique-url-nameURL name not unique
reverse-lazy-misuseUsing reverse_lazy where reverse would be better
hard-coded-urlHard-coded URL in template
hard-coded-static-urlHard-coded static asset URL in template
migration-model-importImporting into migrations
missing-reverse-migrationMissing reverse migration
queryset-lengthUsing len(queryset) instead of queryset.count()
indirect-foreign-keyNot using foreign keys directly
count-instead-existsComparing queryset.count() instead of checking queryset.exists()
truthy-instead-existsChecking queryset truthiness instead of checking queryset.exists()
inefficient-order-by-randomRandom ordering via order_by("?")
await-async-callMissing await in coroutine call
inheriting-from-objectUnnecessary inheriting from object
multiple-isinstance-callsMultiple isinstance calls
multiple-issubclass-callsMultiple issubclass calls
class-method-missing-clsMissing cls in class method
primative-identity-checkingComparing primitives with identity checking
singleton-equality-checkingComparing singleton primitives with equality checking
freeze-dataclassesUsing mutable dataclass
avoid-deprecated-testcase-aliasesAvoid deprecated TestCase method aliases
avoid-misusing-assert-trueAvoid misusing assertTrue in tests
avoid-missing-commaAvoid implicit string concatenation
avoid-named-tupleUse dataclass instead of NamedTuple
redundant-super-argsUnnecessary arguments in super call
avoid-redundant-f-stringRedundant f-string
avoid-redundant-lambda-definitionRedundant lambda definitions
avoid-redundant-list-comprehensionAvoid redundant list comprehension
avoid-static-if-conditionAvoid expressions that always evaluate to the same value
use-type-identifiersUse type identifiers instead of string type hints
use-optionalUse Optional instead of Union
use-comprehensionUse list and dict comprehension instead
use-comprehensionUse literals instead of calling list/set/dict
use-assert-inUse AssertIn when performing inclusion tests
use-assert-is-not-noneUse AssertIsNotNone when checking against None
use-f-stringUse f-string instead of legacy string formatting
compare-optional-against-noneExplicitly compare Optional variables against None
exception-handler-orIncorrectly using or in exception handling
no-breakpointAvoid committing breakpoints
probably-meant-tupleMissing trailing comma in tuple
probably-meant-not-tupleAvoid accidental tuples
use-json-loadUse json.load to read a JSON file
use-json-dumpUse json.dump to write JSON to file
no-unclosed-filesAlways close files when finished with them
no-unsupported-file-operationOpen files with correct mode flags
no-operation-after-closeDon't try reading or writing closed files
use-file-encoding-readSpecify text encoding when reading files
use-file-encoding-writeSpecify text encoding when writing files
no-incorrect-file-encoding-readUse correct file encoding
duplicate-test-namesUse unique names for tests
probably-meant-fstringMissing f prefix in f-string

Are you ready to improve your team agility through lower tech debt? Add Code Review Doctor to GitHub.