# Starter Rules

`comply init` creates a `.comply.yml` with nine starter rules. This page documents each one.

## All nine rules
| Name | Type | on_fail | What it checks |
|---|---|---|---|
| `no-print-statements` | regex | fail | No `print()` calls in added lines |
| `no-hardcoded-secrets` | regex | fail | No inline passwords, API keys, or secrets |
| `no-todo-in-pr` | regex | warn | No new TODO comments introduced |
| `missing-docstring` | ast | warn | New functions and classes have docstrings |
| `no-bare-except` | ast | warn | No bare `except:` clauses |
| `no-eval-usage` | ast | fail | No calls to `eval()` or `exec()` |
| `has-test-coverage` | llm | warn | New behavior is accompanied by tests |
| `single-responsibility` | llm | warn | PR represents a single, coherent concern |
| `meaningful-variable-names` | llm | warn | Variable names are descriptive, not single-letter |
## Rule details

### no-print-statements

```yaml
- name: no-print-statements
  description: No print() calls in committed code
  type: regex
  pattern: '^\+.*\bprint\s*\('
  match: false
  on_fail: fail
```

Blocks `print()` calls in any added line. Use a logger instead.
### no-hardcoded-secrets

```yaml
- name: no-hardcoded-secrets
  description: No hardcoded credentials or secrets
  type: regex
  pattern: "^\\+.*(password|secret|api_key|token)\\s*=\\s*[\"']\\w{8,}"
  match: false
  on_fail: fail
```

Detects assignment of string literals to common credential variable names.
### no-todo-in-pr

```yaml
- name: no-todo-in-pr
  description: New TODO comments should not be introduced in PRs
  type: regex
  pattern: '^\+.*#\s*TODO'
  match: false
  on_fail: warn
```

Warns when a `# TODO` comment is added. Existing TODOs are unaffected.
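To see how the three regex starter rules behave on a diff, here is an added example (my code, not Comply's implementation) that applies them to a constructed unified diff using the `match: false` semantics described above, and collapses the hits into an overall fail/warn/pass result. Skipping `+++` file-header lines is my assumption, not documented Comply behaviour.

```python
import re

# Three regex starter rules from .comply.yml as dicts (no YAML parser needed).
REGEX_RULES = [
    {"name": "no-print-statements", "on_fail": "fail", "match": False,
     "pattern": r"^\+.*\bprint\s*\("},
    {"name": "no-hardcoded-secrets", "on_fail": "fail", "match": False,
     "pattern": r'^\+.*(password|secret|api_key|token)\s*=\s*["\']\w{8,}'},
    {"name": "no-todo-in-pr", "on_fail": "warn", "match": False,
     "pattern": r"^\+.*#\s*TODO"},
]

# Constructed diff covering the edge cases the patterns encode: a removed
# print(), debug_print( (no \b), a 5-char "secret" (< \w{8,}), a context TODO.
SAMPLE_DIFF = """\
--- a/app.py
+++ b/app.py
@@ -1,3 +1,8 @@
 import logging
-print("starting")
+logging.info("starting")
+api_key = "exampleplaceholder1"
+token = "short"
+debug_print(value)
+print(value)
+# TODO: remove before release
 # TODO: unchanged context line
"""


def evaluate_regex_rules(diff_text, rules=REGEX_RULES):
    """Apply match: false rules to a diff; return (name, on_fail, line) per hit."""
    violations = []
    for rule in rules:
        regex = re.compile(rule["pattern"])
        for line in diff_text.splitlines():
            # Assumption (mine, not documented by Comply): skip '+++ b/file'
            # headers so they are never treated as added lines.
            if line.startswith("+++"):
                continue
            # match: false means the pattern must NOT match any line
            if not rule["match"] and regex.search(line):
                violations.append((rule["name"], rule["on_fail"], line))
    return violations


def worst_outcome(violations):
    """Collapse violations to the check's overall result: fail > warn > pass."""
    outcomes = {on_fail for _, on_fail, _ in violations}
    return "fail" if "fail" in outcomes else "warn" if outcomes else "pass"
```

Only the added `print(value)`, the quoted `api_key` value of eight or more word characters, and the added TODO are reported; the removed `print`, `debug_print(`, the five-character `token`, and the unchanged context TODO are not.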
### missing-docstring

```yaml
- name: missing-docstring
  description: New functions and classes should have docstrings
  type: ast
  check: missing_docstring
  on_fail: warn
```

Flags new or modified Python functions and classes without a docstring.
### no-bare-except

```yaml
- name: no-bare-except
  description: Bare except clauses catch everything including SystemExit
  type: ast
  check: bare_except
  on_fail: warn
```

A bare `except:` catches `KeyboardInterrupt` and `SystemExit` as well, which is almost never intended.
### no-eval-usage

```yaml
- name: no-eval-usage
  description: eval() and exec() are security risks
  type: ast
  check: eval_usage
  on_fail: fail
```

Blocks `eval()` and `exec()`. These execute arbitrary code and are a common injection vector.
### has-test-coverage

```yaml
- name: has-test-coverage
  description: New features should include tests
  type: llm
  prompt: |
    Review this diff. If new functions, classes, or significant logic is added,
    check whether corresponding tests are also present in the diff.
    Answer YES if tests exist or no new logic was added. Answer NO otherwise.
  on_fail: warn
```

Uses an LLM to evaluate whether the diff's new logic is accompanied by tests.
### single-responsibility

```yaml
- name: single-responsibility
  description: Each PR should represent one concern
  type: llm
  prompt: |
    Does this diff represent a single, coherent concern or change?
    Or does it mix unrelated changes (e.g., a feature plus a refactor plus a bug fix)?
    Answer YES if focused, NO if mixed.
  on_fail: warn
```

Warns when a diff appears to bundle unrelated changes.
### meaningful-variable-names

```yaml
- name: meaningful-variable-names
  description: Variable names should be descriptive
  type: llm
  prompt: |
    Look at new variable names introduced in this diff.
    Are they descriptive and meaningful, or are they single letters or cryptic abbreviations?
    Answer YES if names are acceptable, NO if there are problematic names.
  on_fail: warn
```

Flags single-letter or cryptic variable names introduced in the diff.
## Customizing starter rules

After `comply init`, edit `.comply.yml` to:

- Change `on_fail: warn` to `on_fail: fail` for rules you want to be blocking
- Delete rules that don't apply to your stack
- Add project-specific rules

## Next steps

Return to Introduction for a full overview of Comply.