Learn how to define custom rules
Custom rules allow you to enforce your organization’s specific best practices across all pull requests, ensuring consistency and compliance with your team’s established standards.
To define a rule, navigate to the AI review page in cubic and click “Add rule”.
Each custom rule includes:
- A Name: A concise title, like “Prevent N+1 Queries” or “Require Sentry Error Handling.”
- A Description: A clear, natural-language instruction the AI will use, such as “Flag code that may cause multiple database calls inside loops.” Be as clear and explicit as possible; the more specific you are, the better the results.
- Optional Path Filters: Use Glob patterns to limit where the rule applies (or exclude certain paths). This is especially helpful for monorepos, where different directories often require different rules. For example:
  - backend/** to apply the rule only to files under a backend folder.
  - !tests/** to ignore test files and focus on production code.
Custom rules are defined at the repository level, and will be applied to all pull requests in the repository. This means that you can enforce different custom rules for each repository.
Custom rules help catch deviations that human reviewers might miss, ensuring consistent application of your team’s standards. When a violation of a rule is detected in a pull request, the AI will comment directly on the affected lines.
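How an include pattern and an exclusion pattern combine on a pull request's changed files, as an added example that is not cubic's implementation. It assumes minimatch-style semantics (`*` stays within one path segment, `**` crosses segments, a leading `!` excludes), which this page does not specify; the function names and the file list are constructed for illustration.

```javascript
// Added example: minimal glob evaluator under assumed minimatch-style semantics.
function globToRegExp(glob) {
  let re = "";
  for (let i = 0; i < glob.length; i++) {
    const c = glob[i];
    if (c === "*") {
      if (glob[i + 1] === "*") {
        // `**/` matches zero or more whole directories; a bare `**` matches anything.
        if (glob[i + 2] === "/") { re += "(?:.*/)?"; i += 2; }
        else { re += ".*"; i += 1; }
      } else {
        re += "[^/]*"; // single `*` never crosses a `/`
      }
    } else if (c === "?") {
      re += "[^/]";
    } else {
      re += c.replace(/[.+^${}()|[\]\\]/g, "\\$&"); // escape regex metacharacters
    }
  }
  return new RegExp("^" + re + "$");
}

// A file is in scope if it matches an include pattern (or none are given)
// and matches no exclusion pattern.
function inScope(path, filters) {
  const includes = filters.filter((f) => !f.startsWith("!")).map(globToRegExp);
  const excludes = filters.filter((f) => f.startsWith("!")).map((f) => globToRegExp(f.slice(1)));
  const included = includes.length === 0 || includes.some((re) => re.test(path));
  return included && !excludes.some((re) => re.test(path));
}

// Constructed list of files changed in a pull request.
const changedFiles = [
  "backend/api/users.ts",
  "backend/tests/users.test.ts",
  "tests/e2e/login.spec.ts",
  "frontend/app/page.tsx",
];

function filesInScope(filters) {
  return changedFiles.filter((p) => inScope(p, filters));
}

console.log(filesInScope(["backend/**", "!tests/**"]));
console.log(filesInScope(["backend/**", "!**/tests/**"]));
```

Under these assumptions `!tests/**` only excludes a top-level tests folder, so backend/tests/ stays in scope until the exclusion is written as `!**/tests/**`. Confirm how your own patterns behave with cubic's glob testing tool.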
Code quality and performance
- <img> elements must include meaningful alt text that describes the image content or function. Decorative images should use alt="" explicitly. This improves accessibility for screen readers and SEO. The alt text should be descriptive and concise, avoiding phrases like “image of” or “picture of.”
- process.env access: Direct access to process.env is prohibited. Use the centralized Env utility from @/lib/env.ts instead. This ensures type safety, runtime validation, and consistent access patterns for environment variables. The utility also provides proper error handling for missing or invalid environment variables.
- t(), useTranslation, etc.). This includes button labels, headings, error messages, and placeholder text. Raw string literals in JSX or template strings should be replaced with translation keys. Exception: Technical identifiers and logging messages.
- @/styles/theme.ts. This ensures consistent branding and supports dark mode.
- className prop for styling and avoid the style prop except for truly dynamic values.
- console.* methods. Errors must be properly caught and logged with appropriate severity levels and context. Error boundaries should log uncaught errors. Sensitive information must be redacted from logs using the sanitize utility.
- aria-label or aria-labelledby when text content is not descriptive. Custom controls require proper role and state attributes. Dialog components must manage focus and include proper modal attributes.
- next/image component is required with proper width/height props to prevent layout shift. Large images should use automatic optimization and lazy loading. Provide multiple sizes for responsive images using srcSet.
Security and compliance
- http:// URLs in fetch calls, src attributes, and configuration files. Development localhost URLs are exempted from this check.
- Validate 2FA for protected routes: Routes marked as requiring two-factor authentication must implement proper 2FA middleware checks. This includes verifying both primary authentication and valid 2FA status before allowing access. Protected routes should redirect unauthenticated or 2FA-pending users to appropriate setup flows.
- No plain text passwords in logs: Logging statements must not contain password fields, authentication tokens, or other credentials. Use the sanitize utility to redact sensitive data before logging. This applies to error messages, debug logs, and analytics events. Check both direct logging calls and error serialization.
Architecture and design patterns
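The “No plain text passwords in logs” rule in the Security and compliance list refers to a sanitize utility and to error serialization. The following is an added example of what such a helper could look like, not code from cubic or from any particular codebase; the names sanitize, scrub and toLogLine, the key list, and the sample error are assumptions made for illustration.

```javascript
// Hypothetical sanitize() helper (added example); key list and marker are assumptions.
const SENSITIVE_KEY = /password|passwd|secret|token|authorization|cookie|api[-_]?key/i;
const INLINE_SECRET = /\b(password|token|secret)=([^\s&]+)/gi;
const REDACTED = "[REDACTED]";

// Redact key=value secrets embedded in free text such as error messages.
const scrub = (s) => s.replace(INLINE_SECRET, "$1=" + REDACTED);

function sanitize(value, ancestors = new WeakSet()) {
  if (typeof value === "string") return scrub(value);
  if (value === null || typeof value !== "object") return value;
  if (ancestors.has(value)) return "[Circular]";
  ancestors.add(value);
  let out;
  if (Array.isArray(value)) {
    out = value.map((v) => sanitize(v, ancestors));
  } else {
    out = {};
    if (value instanceof Error) {
      // name, message and stack are non-enumerable: copy them explicitly.
      out.name = value.name;
      out.message = scrub(value.message);
      if (typeof value.stack === "string") out.stack = scrub(value.stack);
    }
    for (const [key, v] of Object.entries(value)) {
      out[key] = SENSITIVE_KEY.test(key) ? REDACTED : sanitize(v, ancestors);
    }
  }
  ancestors.delete(value);
  return out;
}

function toLogLine(level, msg, context) {
  return JSON.stringify({ level, msg: scrub(msg), context: sanitize(context) });
}

// Constructed sample: an error that carries the failed request, credentials included.
const err = new Error("login failed for password=hunter2");
err.request = {
  url: "/api/login",
  headers: { Authorization: "Bearer abc.def" },
  body: { user: "ana", password: "hunter2" },
};

// Naive serialization drops the message but keeps the attached credentials.
const naiveLine = () => JSON.stringify({ level: "error", err });
const safeLine = () => toLogLine("error", "auth failure", { err, attempt: 2 });
console.log(naiveLine());
console.log(safeLine());
```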
Language-specific best practices
- const/let instead of var for variable declarations.
- async/await over Promise chains for readability.
- ===) instead of loose equality (==).
- any type; use specific types instead.
- Optional instead of returning null for optional values.
- StringBuilder for string concatenation in loops.
- final keyword for immutable variables.
If your team uses Cursor rules, you can easily import these into cubic by clicking the Sync Cursor Rules button on the AI review page.
cubic will analyze your Cursor rule files, suggest suitable custom rules, and let you select which ones you’d like to enable.
Combine related checks: There’s a limit of 5 rules per repository, but you can combine multiple related checks into a single rule if it makes sense. Grouping semantically similar things together usually works well and helps you stay within the limit.
Leverage path filters in monorepos: When working with monorepos, use Glob patterns to target specific files or folders. The “glob wizard” and “glob testing” tools in the advanced section are super handy for making sure your patterns do exactly what you expect.
Use the auto-suggestion feature: When creating a rule in the UI, look for the little wand icon that can help auto-word your rule if you’re stuck. This can provide a good starting point that you can then refine.
Complement existing tools: Custom rules should focus on checks that standard tools like ESLint or Prettier might miss, such as business logic validations or team-specific conventions.
Overview: Understand how cubic reviews pull requests by default.