Interlace ESLint

Fixable vs. Non-Fixable Rules

Understanding why some security issues can be auto-fixed while others require human judgment, and how AI is changing this landscape


The Gist: A missing semicolon has one fix. A SQL injection has five. That's why security rules suggest fixes for AI assistants instead of auto-applying them.

Quick Summary

  🟢 Fixable      Weak crypto → stronger algorithm (unambiguous)
  🟡 Suggestible  SQL injection → parameterized query (context-dependent)
  🔴 Non-Fixable  Auth bypass → business logic (human judgment)
  AI Role         Parse structured errors → propose fix → human approves

AI-First Thinking: Interlace rules are designed with LLM assistance in mind. Our error messages are structured to help AI coding assistants understand and fix issues correctly.

Why Can't All Rules Auto-Fix?

Auto-fixing security issues is fundamentally different from fixing style issues. A missing semicolon has exactly one correct fix. A SQL injection vulnerability has many possible fixes, and the right one depends on your specific context.

The Three Categories

Fixable Rules

These have a single, unambiguous fix that preserves the program's intended behavior. Even here, review the result before shipping: swapping a hash algorithm changes every digest, so any hashes that are persisted or compared against an external system need a migration path.

Examples:

  • Upgrading deprecated crypto algorithms (MD5 → SHA-256)
  • Adding missing security headers with safe defaults
  • Converting var to const in secure contexts
// Before (auto-fixable)
crypto.createHash('md5');

// After
crypto.createHash('sha256');

Suggestible Rules

We can provide a suggested fix, but it might need adjustment for your specific use case.

Examples:

  • SQL injection → suggest parameterized query syntax
  • XSS → suggest encoding function
  • JWT → suggest proper verification options
// Detected issue
db.query(`SELECT * FROM users WHERE id = ${userId}`);

// Suggested fix (placeholder syntax is driver-specific: $1 for pg, ? for mysql2)
db.query('SELECT * FROM users WHERE id = $1', [userId]);

Suggestions are included in error messages for AI assistants to interpret, not applied automatically.
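The split between the Fixable and Suggestible categories above maps directly onto two fields of ESLint's rule API: a report with `fix` is applied by `eslint --fix`, while a report with `suggest` is only surfaced (to the editor or to an AI assistant) and never applied unattended. The block below is an added example, not Interlace's own rule code: a fixable weak-hash rule, a suggestible template-literal SQL rule, and a small stand-in for ESLint's Linter that walks hand-built ESTree fixtures so it runs without the `eslint` package. The upgrade table, the driver and the fixtures are constructed for illustration; a real rule gets its AST and `context` from ESLint.

```javascript
// Added example, not Interlace's own rule code: how ESLint's rule API keeps
// auto-applied fixes (`fix`, consumed by `eslint --fix`) apart from suggestions
// (`suggest`, shown to the editor or assistant, never applied unattended).
// Upgrade table, mini driver and ESTree fixtures are constructed for illustration.
const WEAK_HASHES = { md5: 'sha256', sha1: 'sha256' }; // assumed upgrade table

// Fixable: one safe rewrite exists, so the rule ships a `fix`.
const weakHashRule = {
  meta: { type: 'problem', fixable: 'code' },
  create(context) {
    return {
      CallExpression(node) {
        const { callee } = node;
        if (callee.type !== 'MemberExpression' || callee.property.name !== 'createHash') return;
        const arg = node.arguments[0];
        if (!arg || arg.type !== 'Literal' || typeof arg.value !== 'string') return;
        const stronger = WEAK_HASHES[arg.value.toLowerCase()];
        if (!stronger) return;
        context.report({ node: arg, message: `Weak hash '${arg.value}'; use '${stronger}'`,
          fix: (fixer) => fixer.replaceText(arg, `'${stronger}'`) });
      },
    };
  },
};

// Suggestible: a parameterised query is the right shape, but placeholder style
// ($1 for pg, ? for mysql) and the surrounding code are the developer's call,
// so the rule offers a `suggest` entry instead of a `fix`.
const sqlTemplateRule = {
  meta: { type: 'problem', hasSuggestions: true },
  create(context) {
    const sourceCode = context.sourceCode; // ESLint >= 8.40 exposes it as a property
    return {
      CallExpression(node) {
        const { callee } = node;
        if (callee.type !== 'MemberExpression' || callee.property.name !== 'query') return;
        const arg = node.arguments[0];
        if (!arg || arg.type !== 'TemplateLiteral' || arg.expressions.length === 0) return;
        // Rebuild the literal parts with $1..$n in place of each ${expr}.
        const sql = arg.quasis
          .map((q, i) => q.value.cooked + (i < arg.expressions.length ? `$${i + 1}` : '')).join('');
        const params = arg.expressions.map((e) => sourceCode.getText(e)).join(', ');
        context.report({ node: arg, message: 'Untrusted input interpolated into SQL query string',
          suggest: [{ desc: 'Use a parameterised query (pg-style $n placeholders)',
                      fix: (fixer) => fixer.replaceText(arg, `'${sql}', [${params}]`) }] });
      },
    };
  },
};

// Apply one edit of the shape ESLint fixers produce: { range: [start, end], text }.
const applyEdit = (src, e) => src.slice(0, e.range[0]) + e.text + src.slice(e.range[1]);

// Mini driver standing in for ESLint's Linter: walk the AST, collect reports,
// apply only `fix` edits (what --fix does) and keep suggestions as data.
function lint(rule, text, ast) {
  const messages = [];
  const fixer = { replaceText: (node, t) => ({ range: node.range, text: t }) };
  const sourceCode = { getText: (node) => text.slice(node.range[0], node.range[1]) };
  const context = {
    sourceCode,
    report: ({ node, message, fix, suggest }) => messages.push({
      message, range: node.range, fix: fix ? fix(fixer) : null,
      suggestions: (suggest ?? []).map((s) => ({ desc: s.desc, fix: s.fix(fixer) })),
    }),
  };
  const visitor = rule.create(context);
  (function walk(node) {
    if (!node || typeof node.type !== 'string') return;
    visitor[node.type]?.(node);
    for (const child of Object.values(node)) {
      if (Array.isArray(child)) child.forEach(walk);
      else if (child && typeof child === 'object') walk(child);
    }
  })(ast);
  // Apply fixes from the end of the file backwards so earlier offsets stay valid.
  const fixes = messages.map((m) => m.fix).filter(Boolean).sort((a, b) => b.range[0] - a.range[0]);
  return { messages, output: fixes.reduce(applyEdit, text) };
}

// Constructed ESTree fragments for the two snippets, trimmed to the fields the
// rules read; `range` = [start, end) character offsets into the source string.
const HASH_SRC = "crypto.createHash('md5');";
const HASH_AST = {
  type: 'CallExpression', range: [0, 24],
  callee: { type: 'MemberExpression', property: { type: 'Identifier', name: 'createHash' } },
  arguments: [{ type: 'Literal', value: 'md5', range: [18, 23] }],
};
const SQL_SRC = 'db.query(`SELECT * FROM users WHERE id = ${userId}`);';
const SQL_AST = {
  type: 'CallExpression', range: [0, 52],
  callee: { type: 'MemberExpression', property: { type: 'Identifier', name: 'query' } },
  arguments: [{ type: 'TemplateLiteral', range: [9, 51],
    quasis: [{ type: 'TemplateElement', value: { cooked: 'SELECT * FROM users WHERE id = ' } },
             { type: 'TemplateElement', value: { cooked: '' } }],
    expressions: [{ type: 'Identifier', name: 'userId', range: [43, 49] }] }],
};
```

Run on the fixtures, `lint(weakHashRule, HASH_SRC, HASH_AST).output` is the `sha256` form, while `lint(sqlTemplateRule, SQL_SRC, SQL_AST).output` is unchanged and the parameterised rewrite sits in `messages[0].suggestions[0].fix`, to be applied with `applyEdit` only once someone has chosen it. That is the same separation ESLint itself draws between `--fix` and editor-surfaced suggestions, and it is why a rule author should never put a context-dependent rewrite behind `fix`.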

Non-Fixable Rules

These require understanding business logic, data flow, or architectural decisions that static analysis cannot determine.

Examples:

  • Authorization bypass vulnerabilities
  • Race conditions
  • Business logic flaws
  • Complex data flow issues
// Non-fixable: Is the admin check intentionally missing?
async function deleteUser(userId) {
  // Should there be authorization here?
  await db.delete('users', userId);
}

How AI Assistants Use Our Messages

Interlace rules are designed to be LLM-optimized. Every error message includes structured information that AI coding assistants can parse:

error 🔒 CWE-89 OWASP:A03 CVSS:9.8 | SQL Injection | CRITICAL
  → Untrusted input in query string at line 42
  💡 Fix: Use parameterized queries: db.query($1, [value])
  📚 See: https://interlace.dev/docs/pg/rules/no-sql-injection

What Makes It LLM-Optimized?

📋 Structured Metadata

CWE, OWASP, and CVSS tags help AI understand severity and category.

💡 Inline Suggestions

Fix patterns are embedded in the message for AI to extract and adapt.

📚 Documentation Links

Direct links to detailed explanations and examples.

🎯 Context Awareness

Messages reference the specific API and pattern detected.
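To show what "designed for LLM parsing" buys a tool author, here is an added example (not part of Interlace's tooling) that parses the structured message format shown above into fields a CI script or assistant integration can act on, checks that the severity label agrees with the CVSS score, and ranks findings so the highest-impact, fixable ones are handed over first. The first sample message copies the one on this page; the second (CWE-327, with a deliberately mismatched label and no fix line) is constructed for contrast, and its score is invented.

```javascript
// Added example, not Interlace's own tooling: parse the structured error format
// into fields, sanity-check the metadata, and rank findings for an assistant.
// Header: "<level> 🔒 CWE-<n> OWASP:A<nn> CVSS:<score> | <title> | <SEVERITY>"
const HEADER_RE =
  /^(error|warn(?:ing)?)\s+🔒\s+(CWE-\d+)\s+OWASP:(A\d{2})\s+CVSS:(\d+(?:\.\d+)?)\s*\|\s*(.+?)\s*\|\s*([A-Z]+)$/u;

function parseFinding(text) {
  const lines = text.split('\n').map((l) => l.trim()).filter(Boolean);
  const m = HEADER_RE.exec(lines[0] ?? '');
  if (!m) return null; // not the structured format: caller falls back to plain-text handling
  const finding = {
    level: m[1], cwe: m[2], owasp: m[3], cvss: Number(m[4]), title: m[5], severity: m[6],
    detail: null, line: null, fix: null, docs: null,
  };
  for (const line of lines.slice(1)) {
    if (line.startsWith('→')) {
      finding.detail = line.slice(1).trim();
      const at = /\bat line (\d+)\b/.exec(finding.detail);
      if (at) finding.line = Number(at[1]);
    } else if (line.startsWith('💡 Fix:')) {
      finding.fix = line.slice('💡 Fix:'.length).trim();
    } else if (line.startsWith('📚 See:')) {
      finding.docs = line.slice('📚 See:'.length).trim();
    }
  }
  return finding;
}

// CVSS v3.x qualitative bands. A label that disagrees with the score means the
// rule metadata is stale, so the finding should not be prioritised on the label alone.
function cvssBand(score) {
  if (score >= 9.0) return 'CRITICAL';
  if (score >= 7.0) return 'HIGH';
  if (score >= 4.0) return 'MEDIUM';
  if (score > 0) return 'LOW';
  return 'NONE';
}

function severityConsistent(finding) {
  return finding.severity === cvssBand(finding.cvss);
}

// Order findings for the assistant: highest CVSS first; only findings that carry
// a fix hint can be turned into a proposed patch, the rest need a human.
function triage(messages, minCvss = 0) {
  return messages
    .map(parseFinding)
    .filter((f) => f && f.cvss >= minCvss)
    .sort((a, b) => b.cvss - a.cvss)
    .map((f) => ({ ...f, actionable: f.fix !== null, consistent: severityConsistent(f) }));
}

// Sample messages (constructed): the first copies the page's example.
const SAMPLE_SQLI = `error 🔒 CWE-89 OWASP:A03 CVSS:9.8 | SQL Injection | CRITICAL
  → Untrusted input in query string at line 42
  💡 Fix: Use parameterized queries: db.query($1, [value])
  📚 See: https://interlace.dev/docs/pg/rules/no-sql-injection`;

// Invented for contrast: score and label disagree, and there is no fix line.
const SAMPLE_WEAK_HASH = `warn 🔒 CWE-327 OWASP:A02 CVSS:5.3 | Weak Hash Algorithm | HIGH
  → crypto.createHash('md5') at line 7`;
```

`triage([SAMPLE_WEAK_HASH, SAMPLE_SQLI])` puts the SQL injection first, marks it `actionable` because it carries a fix hint, and flags the weak-hash finding as `consistent: false` because a 5.3 is a MEDIUM under CVSS v3.x. Doing this parsing once, in code, is what lets an assistant prompt contain the CWE, score and fix pattern as typed fields rather than text it has to re-interpret.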

Comparison: Traditional vs. AI-First

  Aspect            Traditional Plugins       Interlace (AI-First)
  Error Format      Plain text message        Structured with CWE/OWASP/CVSS
  Fix Guidance      Generic advice or none    Inline fix patterns
  AI Compatibility  Requires interpretation   Designed for LLM parsing
  Severity          warn/error only           CVSS scores for prioritization

The Future: AI-Assisted Fixes

With LLM coding assistants (GitHub Copilot, Claude, Cursor), the line between "fixable" and "non-fixable" is blurring:

ESLint Detects Issue

Interlace identifies a potential SQL injection and provides structured error data.

AI Understands Context

The LLM reads the error message, understands it's a CWE-89 SQL Injection with CVSS 9.8.

AI Proposes Fix

Using the inline suggestion pattern and your codebase context, the AI generates an appropriate fix.

Human Reviews

You review and approve the AI-generated fix, maintaining control over your codebase.

⚡ Maximizing AI Fix Success

  What To Do                Why
  Use GPT-4/Claude 3+       Best at parsing structured CWE/CVSS errors
  Enable real-time linting  AI gets context about exact error location
  Always review AI fixes    Verify fit for your specific use case
  Report false positives    Help us improve detection accuracy
