Code Quality Tools: Why They Miss Security Bugs (And What to Add)

Written by the Rafter Team

Code quality tools enforce consistent style, catch type errors, and flag common bugs — but they were never designed to find security vulnerabilities. A linter will tell you a variable is unused. It will not tell you that a user-supplied string reaches a SQL query without parameterization. The gap between code quality and code security is where attackers operate.
Teams using only code quality tools report 3x more security incidents than those combining quality and dedicated security scanning. Linters catch bugs; they do not catch exploits.
Add security scanning alongside your quality tools — Rafter finds what linters miss.
What Code Quality Tools Actually Catch
Code quality tools fall into several categories, each targeting a specific class of defect:
Linters (ESLint, Pylint, RuboCop) enforce coding standards and flag stylistic issues, unused imports, unreachable code, and simple anti-patterns. They operate on individual files with minimal cross-file awareness.
Type checkers (TypeScript, mypy, Sorbet) verify that values conform to declared types. They catch null dereferences and type mismatches, but a string that arrived in a request header has exactly the same type as a string read from a config file: the checker has no concept of trusted versus untrusted data unless a team deliberately encodes trust in the type system (branded or opaque types), which few do.
Formatters (Prettier, Black, gofmt) standardize whitespace, indentation, and syntax. They improve readability but perform no semantic analysis.
Complexity analyzers (SonarQube quality gates, Code Climate) measure cyclomatic complexity, duplication, and test coverage. High complexity correlates with bugs, but the tools do not identify which bugs are exploitable.
These tools improve maintainability. They reduce defect rates. They do not protect your application from attack.
Where Code Quality Tools Fall Short on Security
Security vulnerabilities are semantic, not syntactic. A SQL injection is perfectly valid code: it compiles, passes type checks, and conforms to every style rule. The flaw is in the data flow, untrusted input reaching the query as part of the query text instead of as a bound parameter. Detecting this requires taint analysis that tracks data from sources (request parameters, headers, file contents) through assignments, string building and function calls, across files and modules, to sinks (query execution, shell invocation, template rendering), and that knows which sanitizers neutralize which sink.
Code quality tools lack this capability because they were not built for it. Specific blind spots include:
- Injection vulnerabilities — no tracking of user input through to database, shell, or template sinks
- Broken access control — no awareness of authentication or authorization middleware
- Hardcoded secrets — quality tools ignore string literal content
- Insecure dependencies — no CVE database lookups against your dependency tree
- Cryptographic misuse — weak algorithms and static keys pass all quality checks
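One of those blind spots, hardcoded secrets, as an added example that is not from the article and not Rafter's scanner: a checker that actually reads the content of string literals bound to variables or keyword arguments, combining an exact-format pattern (AWS access key IDs begin with AKIA), a variable-name heuristic, and Shannon entropy for long, nameless blobs. The patterns, the 3.5-bit threshold and the constructed sample module are assumptions; the access key in the sample is the placeholder AWS uses in its own documentation, not a live credential.

```python
# Hardcoded-secret scanner over Python string literals (added example, not Rafter's).
# Patterns, name heuristic and entropy threshold are assumptions tuned to the sample.
from __future__ import annotations

import ast
import math
import re

PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
SECRET_NAME = re.compile(r"(?i)(password|passwd|secret|token|api_?key|access_?key|private_?key)")


def shannon_entropy(value: str) -> float:
    """Bits per character; random hex tops out at 4.0, random base64 at 6.0."""
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in (value.count(ch) for ch in set(value)))


def classify(name: str, value: str) -> str | None:
    """Label a literal bound to `name`, or None if it looks benign."""
    for label, pattern in PATTERNS.items():
        if pattern.search(value):
            return label
    if value and SECRET_NAME.search(name):  # password="hunter2": short, but the name gives it away
        return "secret_in_named_variable"
    # Long, space-free, high-entropy literal with no telling name: probably a key or token.
    if len(value) >= 20 and " " not in value and shannon_entropy(value) >= 3.5:
        return "high_entropy_string"
    return None


def find_secrets(source: str) -> list[tuple[int, str]]:
    """(line, label) for every suspicious string literal bound to a name or keyword argument."""
    findings: list[tuple[int, str]] = []
    for node in ast.walk(ast.parse(source)):
        bindings: list[tuple[str, ast.AST]] = []
        if isinstance(node, ast.Assign):
            bindings = [(t.id, node.value) for t in node.targets if isinstance(t, ast.Name)]
        elif isinstance(node, ast.AnnAssign) and isinstance(node.target, ast.Name) and node.value:
            bindings = [(node.target.id, node.value)]
        elif isinstance(node, ast.keyword) and node.arg:  # connect(password="...")
            bindings = [(node.arg, node.value)]
        for name, value in bindings:
            if isinstance(value, ast.Constant) and isinstance(value.value, str):
                label = classify(name, value.value)
                if label:
                    findings.append((value.lineno, label))
    return sorted(findings)


# Constructed sample module. The AKIA value is the AWS documentation placeholder; the
# SIGNING_KEY value is 48 hex digits, each used three times, so its entropy is exactly 4.0.
SAMPLE = '''\
import boto3
import psycopg2

AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
SIGNING_KEY = "a3f09c1e7b2d5846d7c2a9e4b01f58365e8b3d0a6c2f9471"
GREETING = "Welcome back, please choose an option"
REGION = "us-east-1"
client = boto3.client("s3", region_name=REGION)
conn = psycopg2.connect(host="db.internal", password="hunter2")
'''

if __name__ == "__main__":
    for line, label in find_secrets(SAMPLE):
        print(f"line {line}: {label}")
```

Every literal in the sample passes a linter, a formatter and a type checker; only reading the bytes themselves separates the greeting from the signing key. Real scanners add hundreds of vendor-specific formats, check git history as well as the working tree, and verify candidate keys against the provider where that is safe, which is how they keep the entropy heuristic from drowning the team in false positives.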
Even SonarQube, which ships security rules, is widely criticized for noisy security findings: its core engine is tuned for quality metrics rather than reachability and exploitability, and its taint-based injection detection is a feature of the commercial editions, so a Community Edition install performs no data-flow analysis at all.
Closing the Gap: Quality Plus Security
The solution is not replacing your code quality tools — it is layering dedicated security scanning on top of them. Run your linter, type checker, and formatter as usual. Add a security scanner that performs taint analysis, secrets detection, and dependency scanning in the same CI pipeline.
Rafter integrates into your existing workflow without conflicting with quality tools. It runs static analysis focused exclusively on security: tracing data flows, checking access controls, scanning for secrets, and auditing dependencies. Findings appear in your pull request with fix suggestions, separate from your linter output.
Quality tools make your code maintainable. Security tools make it safe. You need both.
Start security scanning with Rafter — works alongside your existing tools.