Scanner checks
All 151 deterministic checks across security, performance, reliability, data, business logic, and deploy.
EDITH ships 151 deterministic checks organised into 6 dimensions plus an AI-pattern bucket. Every check has a stable checkId (e.g. security/jwt-in-localstorage) that you can reference from custom rules, the API, and the audit log.
Every check is pure — same input, same finding, every time. We never call an LLM to evaluate your code unless you explicitly opt into a custom rule that requires it.
- Security (48) — auth gaps, secrets in client bundles, SSRF, prototype pollution, JWT issues, CSRF, missing role checks
- Performance (22) — LLM cost-leaks, N+1 queries, layout shifts, useEffect anti-patterns
- Reliability (30) — silent catches, stale closures, floating promises, missing route boundaries
- Data Safety (18) — RLS, PII leakage, schema invariants, GDPR rights endpoints
- Business Logic (18) — webhook idempotency, money flows, tool allowlists, password reset reuse
- Deploy Ready (15) — env vars, lockfile, engines pin, hallucinated imports
On top of the universal checks, EDITH runs a separate AI-pattern bucket tuned to the specific failure modes Cursor / Claude / v0 / Lovable / Bolt produce. See the AI-pattern detection docs for the per-tool rules.
Findings get one of four severities — each subtracts from your score with a different weight:
- Critical (-18) — exploitable, will cause an outage or breach
- High (-9) — likely to bite within a release cycle
- Medium (-4) — worth fixing soon
- Low (-1) — nice-to-have
The score is clamped to 0–100 per dimension, then a weighted average becomes the EDITH score.
Every check is conservative by default — we'd rather miss something than cry wolf. If a finding doesn't apply to your codebase, dismiss it once and EDITH will remember.
Dismissals are per-org and per-checkId-per-file. They survive re-scans. The audit log records every dismissal.
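As a worked illustration of the scoring rules above (severity penalties, per-dimension clamp, weighted average) together with the effect of a dismissal, here is added example code, not EDITH's own implementation. It assumes each dimension starts at 100, that the checkId prefix before the slash names the dimension, that dismissed findings are excluded from the penalty, and equal dimension weights, since the page does not give the real ones.

```python
from dataclasses import dataclass

# Severity weights as given on the page.
SEVERITY_WEIGHT = {"critical": 18, "high": 9, "medium": 4, "low": 1}

# Assumption: equal weights. The page does not state EDITH's per-dimension
# weights, so these are placeholders, not the real values.
DIMENSION_WEIGHT = {
    "security": 1, "performance": 1, "reliability": 1,
    "data": 1, "business-logic": 1, "deploy": 1,
}

@dataclass
class Finding:
    check_id: str   # dimension/name, e.g. "security/jwt-in-localstorage"
    severity: str   # "critical" | "high" | "medium" | "low"
    file: str
    dismissed: bool = False

def dimension_of(check_id: str) -> str:
    """Assumption: the checkId prefix before '/' names the dimension."""
    return check_id.split("/", 1)[0]

def dimension_score(findings) -> int:
    """Start at 100 (assumed), subtract each live finding's weight, clamp to 0..100.
    Dismissed findings are skipped. Because of the clamp, a dimension already at 0
    cannot go lower: a seventh Critical in Security changes nothing in the number."""
    penalty = sum(SEVERITY_WEIGHT[f.severity] for f in findings if not f.dismissed)
    return max(0, min(100, 100 - penalty))

def edith_score(findings) -> float:
    """Weighted average of the six dimension scores, rounded to one decimal."""
    by_dim = {d: [] for d in DIMENSION_WEIGHT}
    for f in findings:
        by_dim[dimension_of(f.check_id)].append(f)
    total = sum(DIMENSION_WEIGHT.values())
    weighted = sum(dimension_score(fs) * DIMENSION_WEIGHT[d] for d, fs in by_dim.items())
    return round(weighted / total, 1)

# Constructed sample findings; every checkId except the one quoted on the page is made up.
SAMPLE_FINDINGS = [
    *[Finding("security/jwt-in-localstorage", "critical", f"src/auth{i}.ts") for i in range(6)],
    Finding("performance/n-plus-one-query", "high", "src/api/users.ts"),
    Finding("performance/layout-shift", "medium", "src/Hero.tsx"),
    Finding("performance/use-effect-fetch", "medium", "src/Feed.tsx"),
    Finding("reliability/silent-catch", "low", "src/log.ts", dismissed=True),
]

if __name__ == "__main__":
    sec = [f for f in SAMPLE_FINDINGS if dimension_of(f.check_id) == "security"]
    print(dimension_score(sec), edith_score(SAMPLE_FINDINGS))  # 0 80.5
```

Six Criticals cost 108 points, so Security clamps to 0 while Performance lands at 83 and the dismissed Low leaves Reliability at 100, giving an overall 80.5 under equal weights.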