Code quality

ALN** occurrences by order of importance

NOQA Number of occurrences
ALN043: You can only import things from a Component public module, see: https://www.notion.so/alaninsurance/Modular-monolith-a9d84f1318d34115bbd08b3648e5a587 3
ALN037: @property are not serialized by dataclass_json. If not a problem for your use case, please ignore (# noqa: ALN037). See this Notion page: https://www.notion.so/alaninsurance/Dataclass-the-good-parts-8f387ec2a8e24a55af294237b97dc210#a611a9154af448a38e552c61415169df 2
ALN077: Check for usage of backref in SQLAlchemy relationships and suggest using back_populates instead. 2
ALN083: Flake8 plugin to check ProfileService constructor usage. 1
ALN089: pytest fixtures with autouse=True in conftest.py files can have unwanted side-effects as they will be used in any tests in the subfolders and can inadvertently use other fixtures that add functionality. Instead, mark tests that need the fixture explicitly with @pytest.mark.usefixtures("fixture_name") or use the fixture as a parameter. 1
ALN103: Do not put secrets on a hardcoded custom-scheme deep link. Custom URL schemes (alanmobile://, alanbemobile://, alanesmobile://) can be registered by any app on the device, which can then hijack the link and read everything in it. So a secret query parameter on such a link can leak to a malicious app → token theft / account takeover. This guard only flags hardcoded string/f-string literals that carry both a custom scheme and a forbidden query parameter — the one pattern that is custom scheme in every environment (it bypasses DEEP_LINK_BASE_URL, which is https in prod). The build_deep_link(query_args={"token": ...}) path is intentionally not flagged: it resolves to an https Branch/Universal Link in prod. Bad: deeplink = f"alanmobile://impersonate/?user_id={uid}&admin_token={token}" Good: url = build_url(key, base_url=current_config["FR_FRONT_END_BASE_URL"], query_args={"token": token}) # https://link.alan.com/... Known gaps (rare, accepted): string concatenation with + across literals, and a forbidden param injected only through an interpolated variable (e.g. f"alanmobile://{href}") are not statically visible. 2

Listing of files of the most critical ALN**

ALN043 occurs 3 times

File:line Content
components/onboarding/conftest.py:350 from components.authentication.bootstrap.load_all_models import ( # noqa: ALN043 # this should be allowed
components/onboarding/conftest.py:353 from components.global_profile.bootstrap.load_all_models import ( # noqa: ALN043 # this should be allowed
components/onboarding/conftest.py:429 from components.global_profile.internal.infrastructure.unit_of_work import ( # noqa: ALN043