OeditusCredo (OeditusCredo v0.6.1)
OeditusCredo provides custom Credo checks for detecting common Elixir/Phoenix anti-patterns.
Usage
Add to your .credo.exs:
    %{
      configs: [
        %{
          name: "default",
          checks: %{
            enabled: [
              {OeditusCredo.Check.Warning.MissingErrorHandling, []},
              {OeditusCredo.Check.Warning.SilentErrorCase, []},
              {OeditusCredo.Check.Warning.InefficientFilter, []},
              # ... other checks
            ]
          }
        }
      ]
    }
False Positives
All these checks are somewhat opinionated and might produce false positives.
If a warning does not apply to your specific case, suppress it with
# credo:disable-for-next-line
or any other Credo config comment directive.
General Parameters
All checks support the standard Credo general parameters:
- false -- disable the check entirely: {OeditusCredo.Check.Warning.NPlusOneQuery, false}
- exit_status -- override the exit status for issues from this check (default is 16 for the :warning category). Set to 0 to make a check advisory-only (it still reports issues but won't affect the exit code): {OeditusCredo.Check.Warning.NPlusOneQuery, exit_status: 0}
- priority -- override the base priority for the check.
- files -- restrict which files the check runs on.
Available Checks
Error Handling
- OeditusCredo.Check.Warning.MissingErrorHandling - Detects {:ok, x} = without error handling
- OeditusCredo.Check.Warning.SilentErrorCase - Detects case statements missing error branches
- OeditusCredo.Check.Warning.SwallowingException - Detects try/rescue without re-raising or logging
Query & Data Access
- OeditusCredo.Check.Warning.NPlusOneQuery - Detects N+1 query patterns
- OeditusCredo.Check.Warning.InefficientFilter - Detects Repo.all followed by Enum filtering
- OeditusCredo.Check.Warning.MissingPreload - Detects Ecto queries without proper preloading
Concurrency & Performance
- OeditusCredo.Check.Warning.UnmanagedTask - Detects unsupervised Task.async calls
- OeditusCredo.Check.Warning.SyncOverAsync - Detects blocking operations in LiveView/GenServer
- OeditusCredo.Check.Warning.MissingHandleAsync - Detects blocking in handle_event without async pattern
Readability
- OeditusCredo.Check.Readability.UnnecessaryInterpolatingSigil - Detects ~s/~c/~w without interpolation (suggests ~S/~C/~W)
Code Organization
- OeditusCredo.Check.Warning.DirectStructUpdate - Detects struct updates instead of changesets
- OeditusCredo.Check.Warning.CallbackHell - Detects chained case statements
- OeditusCredo.Check.Warning.BlockingInPlug - Detects blocking operations in Plug functions
LiveView & Templates
- OeditusCredo.Check.Warning.MissingThrottle - Detects form inputs without phx-debounce/throttle
- OeditusCredo.Check.Warning.InlineJavascript - Detects inline JS handlers instead of phx-* bindings
Telemetry & Observability
- OeditusCredo.Check.Warning.MissingTelemetryInObanWorker - Detects Oban workers without telemetry
- OeditusCredo.Check.Warning.MissingTelemetryInLiveViewMount - Detects LiveView mount/3 without telemetry
- OeditusCredo.Check.Warning.TelemetryInRecursiveFunction - Detects telemetry in recursive functions (anti-pattern)
- OeditusCredo.Check.Warning.MissingTelemetryInAuthPlug - Detects auth plugs without telemetry
- OeditusCredo.Check.Warning.MissingTelemetryForExternalHttp - Detects HTTP calls without telemetry
Security Checks (CWE Top 25)
Injection (CWE-89, CWE-78, CWE-94, CWE-79)
- OeditusCredo.Check.Security.SQLInjection - Detects string interpolation in Ecto queries
- OeditusCredo.Check.Security.OSCommandInjection - Detects user input in System.cmd/os:cmd calls
- OeditusCredo.Check.Security.CodeInjection - Detects dynamic code execution via Code.eval_string
- OeditusCredo.Check.Security.XSSVulnerability - Detects raw/1 with user input in templates
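As an added illustration (not code from the OeditusCredo project), the shape of query the SQLInjection check is meant to flag, next to the parameterised forms that keep user input out of the SQL text. MyApp.Repo, the users table and the function names are assumed for the example.

```elixir
# Added example: the interpolated query beside its parameterised replacements.
# MyApp.Repo and the "users" table are assumed names, not from the page.
defmodule MyApp.Accounts.Search do
  import Ecto.Query
  alias MyApp.Repo

  # Flagged: caller-controlled `name` becomes part of the SQL text, so the
  # caller can change the query's structure, not just its value (CWE-89).
  def find_by_name_unsafe(name) do
    Repo.query!("SELECT id, email FROM users WHERE name = '#{name}'")
  end

  # Passes: the value is sent as a bound parameter ($1) and is never parsed
  # as SQL, whatever characters it contains.
  def find_by_name(name) do
    Repo.query!("SELECT id, email FROM users WHERE name = $1", [name])
  end

  # Same rule inside the Ecto query DSL: fragment/1 takes a literal string
  # with ? placeholders; the pinned ^name is bound, not interpolated.
  def find_by_name_ci(name) do
    from(u in "users",
      where: fragment("lower(?) = lower(?)", u.name, ^name),
      select: {u.id, u.email}
    )
    |> Repo.all()
  end
end
```

The unsafe function is the one to grep for in review; the other two are drop-in replacements with the same return shape.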
Authentication & Authorization (CWE-306, CWE-862, CWE-863, CWE-639)
- OeditusCredo.Check.Security.MissingAuthentication - Detects controllers/routers without auth plugs
- OeditusCredo.Check.Security.MissingAuthorization - Detects actions without authorization checks
- OeditusCredo.Check.Security.IncorrectAuthorization - Detects role checks using negation patterns
- OeditusCredo.Check.Security.InsecureDirectObjectReference - Detects direct DB lookups from user params
Data Protection (CWE-200, CWE-798, CWE-502)
- OeditusCredo.Check.Security.SensitiveDataExposure - Detects sensitive fields in JSON/inspect output
- OeditusCredo.Check.Security.HardcodedCredentials - Detects hardcoded passwords, API keys, tokens
- OeditusCredo.Check.Security.UnsafeDeserialization - Detects :erlang.binary_to_term without :safe
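As an added example (not part of the OeditusCredo project), the call the UnsafeDeserialization check reports, beside a decoder that passes :safe and validates the decoded shape before trusting it. The module name and the expected map layout are assumptions for the illustration.

```elixir
# Added example: decoding external term-format bytes with and without :safe.
# MyApp.Session.Codec and the expected %{"user_id" => ...} shape are assumed.
defmodule MyApp.Session.Codec do
  # Flagged: without :safe, attacker-supplied bytes may create new atoms
  # (the atom table is never garbage-collected) and external function
  # references (CWE-502).
  def decode_unsafe(bin) when is_binary(bin) do
    :erlang.binary_to_term(bin)
  end

  # Passes: :safe rejects atoms not already in the atom table and external
  # funs; the badarg raised on unsafe input becomes an error tuple.
  # :safe does not bound the term's size or shape, so the decoded value is
  # still pattern-matched before it is used.
  def decode(bin) when is_binary(bin) do
    case :erlang.binary_to_term(bin, [:safe]) do
      %{"user_id" => id, "issued_at" => ts} when is_integer(id) and is_integer(ts) ->
        {:ok, %{user_id: id, issued_at: ts}}

      _other ->
        {:error, :unexpected_shape}
    end
  rescue
    ArgumentError -> {:error, :invalid_term}
  end

  # Encoding side, for a round-trip: string keys keep the payload free of
  # atoms, so :safe can decode it even in a fresh node.
  def encode(%{user_id: id, issued_at: ts}) do
    :erlang.term_to_binary(%{"user_id" => id, "issued_at" => ts})
  end
end
```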
Input & File Handling (CWE-20, CWE-22, CWE-434)
- OeditusCredo.Check.Security.ImproperInputValidation - Detects missing validation of external input
- OeditusCredo.Check.Security.PathTraversal - Detects user input in file paths without sanitization
- OeditusCredo.Check.Security.UnrestrictedFileUpload - Detects file uploads without type validation
Web Security (CWE-352, CWE-918)
- OeditusCredo.Check.Security.MissingCSRFProtection - Detects API pipelines without CSRF protection
- OeditusCredo.Check.Security.SSRFVulnerability - Detects HTTP requests with user-controlled URLs
Race Conditions (CWE-367)
- OeditusCredo.Check.Security.TOCTOU - Detects File.exists? followed by file operations