Quality Checklist

GitAuto evaluates every source file against 44 individual checks organized into 9 categories. Each check is scored as "pass" (the test covers this concern), "fail" (the test should cover this but does not), or "na" (not applicable to this file). This page lists every check in the checklist.

Not every check applies to every file. A backend utility has no accessibility or SEO concerns. A pure computation function has no event listeners to clean up. The evaluator marks inapplicable checks as "na" so they do not penalize the score. For details on how scores are calculated and how change detection works, see Quality Check Scoring.

1. Integration (3 checks)

Verifies that tests go beyond mocks to exercise real external dependencies such as databases, APIs, and file systems.

• DB operations use real test DB - tests for data-access methods use real test database infrastructure (in-memory DB, test containers) instead of only mocking queries
• API calls tested end to end - tests for API wrappers make real HTTP calls against test servers or sandbox environments, not just mock responses
• Env var guards for secrets - integration tests that require secrets use environment variable guards so they skip gracefully when credentials are unavailable

2. Business Logic (5 checks)

Verifies that tests exercise the core business rules and domain-specific behavior of the code, not just its technical correctness.

• Domain rules - tests enforce business rules specific to the domain (e.g., pricing tiers, eligibility criteria, validation constraints)
• State transitions - tests verify that objects move through valid states and reject invalid transitions
• Calculation accuracy - tests confirm numeric computations produce correct results, including rounding, currency, and precision
• Data integrity - tests ensure data consistency across operations (e.g., totals match line items, foreign keys remain valid)
• Workflow correctness - tests validate multi-step processes execute in the correct order with correct side effects

3. Adversarial (7 checks)

Checks whether tests probe the code with unexpected, malformed, or extreme inputs that real-world usage and attackers will produce.

• Null and undefined inputs - tests pass null, undefined, or missing values to every input that could receive them
• Empty strings and arrays - tests verify behavior when strings are empty and arrays/collections have zero elements
• Boundary values - tests exercise minimum, maximum, zero, negative, and off-by-one values for numeric and sized inputs
• Type coercion - tests pass values of unexpected types (string where number expected, object where array expected) to verify handling
• Large inputs - tests provide oversized strings, deeply nested objects, or arrays with thousands of elements
• Race conditions - tests verify correct behavior under concurrent access, parallel execution, or rapid repeated calls
• Unicode and special characters - tests include emoji, RTL text, null bytes, control characters, and multi-byte sequences

4. Security (10 checks)

Evaluates whether tests attempt common attack vectors against the code to verify it rejects malicious input.

• XSS - tests inject script tags, event handlers, and encoded payloads into user-facing outputs
• SQL injection - tests pass SQL fragments, quotes, and UNION statements through inputs that reach database queries
• Command injection - tests include shell metacharacters, pipes, and backticks in inputs that reach system command execution
• Code injection - tests attempt to inject executable code through eval, template literals, or dynamic imports
• CSRF - tests verify that state-changing operations require valid tokens or origin verification
• Auth bypass - tests attempt to access protected resources without credentials or with expired/invalid tokens
• Sensitive data exposure - tests confirm that passwords, tokens, and PII are not leaked in logs, responses, or error messages
• Untrusted input sanitization - tests verify that all external input is sanitized before use in rendering, queries, or commands
• Open redirects - tests pass external URLs to redirect parameters and verify they are rejected or restricted to allowed domains
• Path traversal- tests use "../" sequences, absolute paths, and encoded slashes to attempt file system escapes

5. Performance (5 checks)

Identifies whether tests detect code patterns that degrade performance at scale, even if they work correctly on small inputs.

• Quadratic algorithms - tests run the code with large enough inputs to expose O(n^2) or worse complexity that is hidden by small test data
• Heavy synchronous operations - tests verify that long-running computations, file I/O, or network calls do not block the main thread or event loop
• N+1 queries - tests confirm that operations on collections use batch queries rather than issuing one query per item
• Large imports - tests verify that importing the module does not pull in unnecessarily large dependencies that slow startup
• Redundant computation - tests check that repeated calls with the same input use caching or memoization rather than recomputing

6. Memory (4 checks)

Checks whether tests verify proper resource cleanup to prevent memory leaks in long-running applications.

• Event listener cleanup - tests verify that event listeners added during setup are removed during teardown or component unmounting
• Subscription and timer cleanup - tests confirm that subscriptions, intervals, and timeouts are cleared when no longer needed
• Circular references - tests check that object graphs do not create reference cycles that prevent garbage collection
• Closure retention - tests verify that closures do not capture and retain large objects beyond their useful lifetime

7. Error Handling (2 checks)

Evaluates whether tests verify that the code fails gracefully and communicates errors clearly to users.

• Graceful degradation - tests trigger error conditions (network failures, missing files, invalid data) and verify the code recovers or fails safely without crashing
• User error messages - tests confirm that error messages shown to users are helpful, do not expose internal details, and guide toward resolution

8. Accessibility (4 checks)

Checks whether tests verify that UI components are usable by people with disabilities, following WCAG guidelines.

• ARIA attributes - tests verify that interactive elements have correct ARIA roles, labels, and states for assistive technology
• Keyboard navigation - tests confirm that all interactive elements are reachable and operable using only the keyboard
• Screen reader support - tests check that content is announced correctly by screen readers, including live regions and status updates
• Focus management - tests verify that focus moves logically through the interface, especially after modals, route changes, and dynamic content updates

9. SEO (4 checks)

Evaluates whether tests verify that pages produce correct metadata and semantic markup for search engine indexing.

• Meta tags - tests verify that pages render correct title, description, Open Graph, and Twitter Card meta tags
• Semantic HTML - tests check that pages use appropriate HTML5 semantic elements (header, main, nav, article, section) rather than generic divs
• Heading hierarchy - tests verify that headings follow a logical h1 through h6 hierarchy without skipping levels
• Alt text - tests confirm that all images have descriptive alt attributes for search engines and accessibility

Related Features

• Quality Check Scoring - explains how individual check results are aggregated into scores and how change detection avoids redundant evaluation
• What 100% Test Coverage Can't Measure - blog post explaining why these checks exist and what coverage alone misses
• Coverage Enforcement - enforces line, branch, and function coverage targets before quality checks run
• Untestable Detection - identifies code that cannot be meaningfully tested, preventing false quality gaps
• Your Prompt Is Not Enough. Add a Gate. - why prompt instructions alone fail and programmatic gates enforce what prompts suggest