Cursor Rules Template: GitHub PR Analysis, Security Checks, Test Suggestions, and Summary Comments
Cursor Rules Template for building a code review assistant with GitHub PR analysis, security checks, test suggestions, and summary comments using Cursor AI.
Target User
Developers building a code review assistant for GitHub PRs
Use Cases
- PR analysis and review comments
- security checks for dependencies
- test coverage suggestions
- automatic summary comments on PRs
Overview
The Cursor rules configuration lets Cursor AI act as a code review assistant inside a GitHub PR workflow. This template covers a Node.js + TypeScript stack, an Express-based API, PostgreSQL as the data store via TypeORM, and GitHub API integration for PR data. In short: it configures the assistant to analyze PRs, run security checks, suggest tests, and post summary comments in GitHub PR discussions, while leaving commit, push, and merge decisions to humans.
When to Use These Cursor Rules
- When building a code review assistant that analyzes GitHub PRs and diffs
- When enforcing security checks on dependencies and code paths
- When generating test suggestions and ensuring testability
- When producing concise PR summary comments for reviewers and maintainers
Copyable .cursorrules Configuration
# Cursor Rules for GitHub PR Analysis with Cursor AI
framework: Node.js + TypeScript, Express
frameworkVersion: v4+
runtime: Node 18+
context: You are a Code Review Assistant that analyzes GitHub PRs, flags security issues, suggests tests, and writes summary comments. Use Cursor AI to guide the reviewer, but never commit or push changes directly.
rules:
  - role: Framework
    description: Coordinate PR analysis, data retrieval from GitHub, and human-in-the-loop decisions.
  - role: CodeStyle
    description: Enforce ESLint + Prettier with TS strict mode; prefer functional code paths.
  - architecture:
      - src/prAnalyzer/, src/security/, src/infra/github/, src/infra/db/
      - tests/unit/, tests/integration/
  - authentication:
      - tokenSource: GitHub App JWT; mint a short-lived installation token per PR run (installation tokens expire after one hour); never place the App private key or tokens in code.
  - database:
      - db: PostgreSQL with TypeORM; migrations in src/infra/db/migrations; entities in src/infra/db/entities
  - security:
      - checks: Dependency scanning and static analysis for common vulnerabilities on every PR
  - testing:
      - unit: Jest with ts-jest; mocks for the GitHub API
  - prohibited:
      - Do not execute untrusted code from PRs
      - Do not modify repository secrets
  - ci_cd:
      - workflows: lint, test, security-scan on every PR; fail PRs on critical findings
Recommended Project Structure
project-root/
  src/
    prAnalyzer/
      index.ts
      prAnalysis.ts
    security/
      checker.ts
      policy.ts
    infra/
      github/
        client.ts
      db/
        entities/
          pr.ts
        migrations/
          001-initial.ts
  tests/
    unit/
      prAnalysis.test.ts
    integration/
      prWorkflow.test.ts
  config/
    .eslintrc.js
    jest.config.js
  package.json
  tsconfig.json
Core Engineering Principles
- Single-responsibility modules for PR analysis, security checks, and comments
- Tightly scoped assistant outputs: explicit inputs, a fixed comment format, and no actions outside the rules (LLM output is not strictly deterministic, so constrain scope rather than assume repeatability)
- Security-first handling of GitHub data and tokens: PR titles, bodies, branch names, and diffs are untrusted input
- Idempotent PR comments and updates: re-running on the same PR updates the assistant's existing comment instead of posting another
- Observability: structured logs (with tokens redacted) and testable behavior
- Least privilege for API access and secrets: request only the repositories and permissions a run needs
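The idempotent-comment principle above, worked out as an added example (my code, not the template's): the assistant tags its summary with a hidden HTML marker, looks for that marker before posting, and updates in place; an unchanged summary makes no write call at all. The CommentClient interface, FakeCommentClient, upsertSummaryComment and demo are hypothetical names, and the PR, repository and comment texts are constructed for the demo. The same interface is what the Jest mocks in tests/unit would implement.

```typescript
// Minimal slice of the GitHub issue-comment API the assistant needs (PR
// comments are issue comments). Production code binds this to an authenticated
// client; unit tests bind it to the in-memory fake below.
interface IssueComment { id: number; body: string }

interface CommentClient {
  listComments(owner: string, repo: string, prNumber: number): Promise<IssueComment[]>;
  createComment(owner: string, repo: string, prNumber: number, body: string): Promise<IssueComment>;
  updateComment(owner: string, repo: string, commentId: number, body: string): Promise<IssueComment>;
}

// Hidden HTML comment that tags the assistant's own summary. Markdown does not
// render it, so reviewers see only the summary text.
const SUMMARY_MARKER = "<!-- pr-review-assistant:summary -->";
const MAX_COMMENT_CHARS = 65536; // GitHub's limit on a comment body

type UpsertAction = "created" | "updated" | "unchanged";

// Post or refresh the single summary comment for a PR. Re-running on the same
// PR never adds a second comment, and an identical summary makes no write call.
async function upsertSummaryComment(
  client: CommentClient, owner: string, repo: string, prNumber: number, summaryMarkdown: string,
): Promise<{ action: UpsertAction; commentId: number }> {
  const body = `${SUMMARY_MARKER}\n${summaryMarkdown}`;
  if (body.length > MAX_COMMENT_CHARS) throw new Error("summary exceeds GitHub's comment length limit");
  const comments = await client.listComments(owner, repo, prNumber);
  const existing = comments.find((c) => c.body.startsWith(SUMMARY_MARKER));
  if (!existing) {
    const created = await client.createComment(owner, repo, prNumber, body);
    return { action: "created", commentId: created.id };
  }
  if (existing.body === body) return { action: "unchanged", commentId: existing.id };
  await client.updateComment(owner, repo, existing.id, body);
  return { action: "updated", commentId: existing.id };
}

// In-memory fake of the comment API: one comment list per PR plus a call log,
// so tests can assert on both the final state and the number of writes.
class FakeCommentClient implements CommentClient {
  readonly calls: string[] = [];
  private nextId = 1;
  private store = new Map<string, IssueComment[]>();

  private bucket(owner: string, repo: string, prNumber: number): IssueComment[] {
    const key = `${owner}/${repo}#${prNumber}`;
    let list = this.store.get(key);
    if (!list) { list = []; this.store.set(key, list); }
    return list;
  }
  async listComments(owner: string, repo: string, prNumber: number): Promise<IssueComment[]> {
    this.calls.push("list");
    return this.bucket(owner, repo, prNumber).map((c) => ({ ...c }));
  }
  async createComment(owner: string, repo: string, prNumber: number, body: string): Promise<IssueComment> {
    this.calls.push("create");
    const comment = { id: this.nextId++, body };
    this.bucket(owner, repo, prNumber).push(comment);
    return { ...comment };
  }
  async updateComment(_owner: string, _repo: string, commentId: number, body: string): Promise<IssueComment> {
    this.calls.push("update");
    for (const list of this.store.values()) {
      const target = list.find((c) => c.id === commentId);
      if (target) { target.body = body; return { ...target }; }
    }
    throw new Error(`comment ${commentId} not found`);
  }
}

// Constructed scenario: a human comment already exists, then the assistant runs
// three times (same summary twice, then a changed one).
async function demo(): Promise<{ actions: UpsertAction[]; calls: string[]; commentCount: number }> {
  const client = new FakeCommentClient();
  await client.createComment("acme", "api", 42, "LGTM, one nit in prAnalysis.ts");
  const summaries = [
    "### Review summary\n- 0 critical findings",
    "### Review summary\n- 0 critical findings",
    "### Review summary\n- 1 critical finding",
  ];
  const actions: UpsertAction[] = [];
  for (const s of summaries) actions.push((await upsertSummaryComment(client, "acme", "api", 42, s)).action);
  const commentCount = (await client.listComments("acme", "api", 42)).length;
  return { actions, calls: [...client.calls], commentCount };
}
```

Three runs leave two comments on the PR (the human's and one bot summary) and produce the sequence created, unchanged, updated; only the list call is repeated. Inline review comments, if the assistant also posts them, go through the pull-request review API, but the same marker approach keeps the summary single.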
Code Construction Rules
- Use TypeScript with strict mode (which already enables noImplicitAny and strictNullChecks)
- Organize code by feature: prAnalyzer, security, infra, tests
- Never load code dynamically: no eval, no new Function, no dynamic import of PR-supplied paths; avoid global mutable state
- Do not include hard-coded secrets or tokens in code; fetch tokens at runtime and keep them out of logs
- All GitHub API calls go through an authenticated client with bounded retries and backoff that honors rate-limit responses
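The "fetch tokens at runtime" rule and the GitHub App authentication rule from the configuration, worked out as an added example using only Node's built-in crypto (my code, not part of the template). It builds the short-lived RS256 JWT a GitHub App signs with its private key, verifies such a token strictly (pinned algorithm, signature, GitHub's 10-minute lifetime cap, expiry), and describes the request that exchanges it for a per-installation token scoped to the repositories and permissions one PR run needs. buildAppJwt, verifyAppJwt, installationTokenRequest and generateDemoKeyPair are hypothetical names; the App id, installation id and key pair are constructed for the demo, and the request is only described, not sent.

```typescript
import { createPrivateKey, createPublicKey, generateKeyPairSync, sign, verify } from "node:crypto";

// GitHub rejects App JWTs whose lifetime exceeds 10 minutes.
const APP_JWT_MAX_LIFETIME_S = 10 * 60;

interface AppJwtClaims { iat: number; exp: number; iss: string }

// JWT segments are base64url without padding (RFC 7515).
function b64url(data: Buffer | string): string {
  return Buffer.from(data).toString("base64url");
}

// Build the JWT a GitHub App presents to the REST API when it mints an
// installation token. The private key PEM is supplied at runtime (vault or
// environment), never embedded in source. `iat` is backdated 60 s to absorb
// clock skew against GitHub, and `exp` stays inside the 10-minute cap.
function buildAppJwt(appId: string, privateKeyPem: string, nowSeconds: number): string {
  const header = { alg: "RS256", typ: "JWT" };
  const claims: AppJwtClaims = { iat: nowSeconds - 60, exp: nowSeconds + 9 * 60, iss: appId };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  // crypto.sign with an RSA key and SHA-256 is RSASSA-PKCS1-v1_5, i.e. JWT "RS256".
  const signature = sign("sha256", Buffer.from(signingInput), createPrivateKey(privateKeyPem));
  return `${signingInput}.${b64url(signature)}`;
}

// Verify an App JWT the way a strict consumer would: pinned algorithm (so an
// `alg: none` or HMAC-confusion token is rejected), valid RSA signature,
// lifetime within GitHub's cap, and not expired at `nowSeconds`.
function verifyAppJwt(token: string, publicKeyPem: string, nowSeconds: number): AppJwtClaims | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [h, p, s] = parts;
  try {
    const header = JSON.parse(Buffer.from(h, "base64url").toString("utf8"));
    if (header.alg !== "RS256") return null;
    const signatureOk = verify("sha256", Buffer.from(`${h}.${p}`), createPublicKey(publicKeyPem), Buffer.from(s, "base64url"));
    if (!signatureOk) return null;
    const claims = JSON.parse(Buffer.from(p, "base64url").toString("utf8")) as Partial<AppJwtClaims>;
    if (typeof claims.iat !== "number" || typeof claims.exp !== "number" || typeof claims.iss !== "string") return null;
    if (claims.exp - claims.iat > APP_JWT_MAX_LIFETIME_S) return null;
    if (claims.iat > nowSeconds || nowSeconds >= claims.exp) return null;
    return { iat: claims.iat, exp: claims.exp, iss: claims.iss };
  } catch {
    return null; // malformed base64 or JSON
  }
}

// Describe the exchange of the App JWT for a per-installation token
// (POST /app/installations/{installation_id}/access_tokens). The token it
// returns is what every PR-scoped call uses; it expires after one hour, so mint
// it per PR run. Narrowing `repositories` and `permissions` in the request body
// keeps the token at least privilege.
function installationTokenRequest(appJwt: string, installationId: number, repositories: string[]) {
  return {
    method: "POST" as const,
    url: `https://api.github.com/app/installations/${installationId}/access_tokens`,
    headers: { Authorization: `Bearer ${appJwt}`, Accept: "application/vnd.github+json" },
    body: { repositories, permissions: { pull_requests: "write", contents: "read", metadata: "read" } },
  };
}

// Demo-only keypair so the example runs offline; a deployment loads the App's
// real private key PEM from its vault.
function generateDemoKeyPair(): { publicKeyPem: string; privateKeyPem: string } {
  const { publicKey, privateKey } = generateKeyPairSync("rsa", {
    modulusLength: 2048,
    publicKeyEncoding: { type: "spki", format: "pem" },
    privateKeyEncoding: { type: "pkcs8", format: "pem" },
  });
  return { publicKeyPem: publicKey, privateKeyPem: privateKey };
}
```

The verifier side is what a reviewer should look for in any JWT-handling code the assistant reads: the algorithm is pinned rather than taken from the header, and the lifetime check runs against the caller's clock, not the token's own claims.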
Security and Production Rules
- Validate PR data fetched from GitHub with schema checks before processing; fail closed on unexpected shapes
- Run dependency vulnerability scans during CI and block merges on critical findings
- Use environment-based feature flags for risky PR actions, defaulting to off
- Audit and rotate tokens; store secrets in a secure vault; never inline them in code, config, or logs
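An added example (mine, not the template's) of the "dependency scanning and static analysis" check and the CI gate that fails a PR on critical findings: a scanner over the added lines of a unified diff. It flags package.json dependency specs that float (`*`, `latest`) or bypass the registry (git, http, file sources), and in code it flags dynamic code execution, shell execution, and literals shaped like GitHub tokens (the `ghp_` classic and `github_pat_` fine-grained prefixes). scanDiff, hasCritical, the rule ids and SAMPLE_DIFF are hypothetical; the diff, including the placeholder token string, is constructed for the demo, and the parser handles only the diff subset shown here.

```typescript
type Severity = "critical" | "high" | "medium";

interface Finding { file: string; line: number; rule: string; severity: Severity; excerpt: string }

// Patterns applied to added lines only: reviewing context lines would re-flag
// pre-existing code on every PR.
const CODE_RULES: Array<{ rule: string; severity: Severity; pattern: RegExp }> = [
  { rule: "hard-coded-github-token", severity: "critical", pattern: /\b(ghp_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{20,})\b/ },
  { rule: "dynamic-code-execution", severity: "high", pattern: /\beval\s*\(|\bnew\s+Function\s*\(/ },
  { rule: "shell-execution", severity: "high", pattern: /\b(exec|execSync|execFile|execFileSync|spawn|spawnSync)\s*\(/ },
];

// Added `"name": "spec"` lines in package.json. A range such as ^4.18 is the
// normal case; `*`/`latest` resolve to whatever is published next, and git or
// http sources bypass the registry (and its advisory data) entirely.
const DEP_LINE = /^\s*"([^"]+)"\s*:\s*"([^"]*)"\s*,?\s*$/;
function dependencyRule(spec: string): { rule: string; severity: Severity } | null {
  if (spec === "*" || spec === "latest" || spec === "") return { rule: "unpinned-dependency", severity: "high" };
  if (/^(git\+|git:|github:|https?:|file:)/.test(spec)) return { rule: "non-registry-dependency", severity: "critical" };
  return null;
}

// Walk a unified diff, tracking the new-file line number from each hunk
// header so findings can be posted as line comments.
function scanDiff(diff: string): Finding[] {
  const findings: Finding[] = [];
  let file = "";
  let newLine = 0;
  for (const raw of diff.split("\n")) {
    if (raw.startsWith("+++ ")) { file = raw.slice(4).replace(/^b\//, ""); continue; }
    if (raw.startsWith("--- ") || raw.startsWith("diff ") || raw.startsWith("index ")) continue;
    const hunk = /^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@/.exec(raw);
    if (hunk) { newLine = Number(hunk[1]); continue; }
    if (raw.startsWith("-")) continue;   // removed line: has no new-file line number
    if (raw.startsWith("\\")) continue;  // "\ No newline at end of file"
    const current = newLine++;           // context and added lines both occupy a new-file line
    if (!raw.startsWith("+")) continue;  // only added lines are reviewed
    const text = raw.slice(1);
    if (file === "package.json" || file.endsWith("/package.json")) {
      const m = DEP_LINE.exec(text);
      const verdict = m ? dependencyRule(m[2]) : null;
      if (m && verdict) findings.push({ file, line: current, ...verdict, excerpt: text.trim() });
      continue;
    }
    for (const r of CODE_RULES) {
      if (r.pattern.test(text)) findings.push({ file, line: current, rule: r.rule, severity: r.severity, excerpt: text.trim() });
    }
  }
  return findings;
}

// CI gate: the workflow fails the PR when any finding is critical.
function hasCritical(findings: Finding[]): boolean {
  return findings.some((f) => f.severity === "critical");
}

// Constructed PR diff: two risky dependency additions plus a token literal,
// a shell call and an eval in new code. The ghp_ string is a placeholder.
const SAMPLE_DIFF = `diff --git a/package.json b/package.json
--- a/package.json
+++ b/package.json
@@ -10,5 +10,7 @@
   "dependencies": {
     "express": "^4.18.2",
+    "left-pad": "*",
+    "internal-utils": "git+https://example.invalid/internal-utils.git",
     "pg": "^8.11.0"
   },
   "devDependencies": {
diff --git a/src/prAnalyzer/prAnalysis.ts b/src/prAnalyzer/prAnalysis.ts
--- a/src/prAnalyzer/prAnalysis.ts
+++ b/src/prAnalyzer/prAnalysis.ts
@@ -1,2 +1,5 @@
 import { execSync } from "node:child_process";
+const token = "ghp_0123456789abcdef0123456789abcdef0123";
+export function runPatch(cmd: string): string { return execSync(cmd).toString(); }
+export function evalRule(expr: string): unknown { return eval(expr); }
 export function analyze(): void {}
`;
```

On the sample the scanner returns five findings (package.json lines 12 and 13, prAnalysis.ts lines 2, 3 and 4), two of them critical, so hasCritical gates the PR. In the real workflow the diff comes from the pull-request endpoint requested with the `application/vnd.github.diff` media type, and the context-line import of child_process is deliberately not flagged: it predates the PR.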
Testing Checklist
- Unit tests for prAnalysis.ts and security checks
- Integration tests with mocked GitHub GraphQL/REST endpoints
- Lint, type-check, and run full test suite in CI
- Run security scans and ensure CI gates fail on critical findings
Common Mistakes to Avoid
- Mocks that drift from the real GitHub API: keep stubs aligned with the documented response shapes and cover error paths (rate limits, missing PRs, expired tokens)
- Embedding secrets in code or logs
- Skipping linting or type-checking in PRs
- Assuming all PRs can be auto-modified without human review; the assistant comments, humans merge
FAQ
What is a Cursor Rules Template?
A copyable configuration page that documents and enforces a Cursor AI driven approach for a specific stack; here, a Node.js + TypeScript backend that analyzes GitHub PRs, with security checks and test suggestions.
Which stack does this template cover?
The template targets a Node.js + TypeScript Express API with PostgreSQL via TypeORM, GitHub API integration, and Cursor AI guidance for code review tasks.
How do I use the copied .cursorrules block?
Copy the code block into a .cursorrules file at your project root and adjust paths to match your repository structure; Cursor will provide stack-aware guidance during PR reviews.
What outputs can I expect from Cursor AI?
PR analysis results, security findings, suggested tests, and concise summary comments ready for GitHub PR threads. The rules scope the outputs and require each finding to point at the diff it describes, but they remain suggestions for a human reviewer, not merge decisions.
How is security handled in this template?
Security rules enforce token safety, dependency vetting, and restricted actions during PR processing; secrets are never embedded in code or logs, and tokens are rotated via secure vaults.