# Built-in rule tags

Tags are a way to categorize rules and issues. Issues inherit the tags on the rules that raised them. Some tags are language-specific, but many more appear across languages. Users can add tags to rules and issues and most rules have some tags out of the box. Here is a non-comprehensive list of what some of those built-in tags mean:

* **brain-overload**: there is too much to keep in your head at one time.
* **bad-practice**: the code likely works as designed, but the way it was designed is widely recognized as being a bad idea.
* **CERT**: relates to a rule in a [CERT](https://wiki.sei.cmu.edu/confluence/display/seccode/SEI+CERT+Coding+Standards) standard. There are currently three CERT standards: [C](https://wiki.sei.cmu.edu/confluence/display/c/SEI+CERT+C+Coding+Standard), [C++](https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88046682), and [Java](https://wiki.sei.cmu.edu/confluence/display/java/SEI+CERT+Oracle+Coding+Standard+for+Java%20). Many of these rules are not language-specific, but are good programming practices. That’s why you’ll see this tag on non-C/C++, Java rules.
* **clumsy**: extra steps are used to accomplish something that could be done more clearly and concisely. (E.G. calling .toString() on a String).
* **confusing**: will take maintainers longer to understand than is really justified by what the code actually does.
* **convention**: coding convention, typically formatting, naming, whitespace, etc.
* **CWE**: relates to a rule in the [Common Weakness Enumeration](http://cwe.mitre.org/). For more on CWE and on security-related rules in general, see [security-related-rules](https://docs.sonarsource.com/sonarqube-server/2025.1/user-guide/rules/security-related-rules "mention").
* **design**: there is something questionable about the design of the code.
* **lock-in**: environment-specific features are used.
* **pitfall**: nothing is wrong yet, but something could go wrong in the future; a trap has been set for the next person, and they’ll probably fall into it and screw up the code.
* **suspicious**: it’s not guaranteed that this is a *bug*, but it suspiciously looks like a bug. At the very least, the code should be re-examined and likely refactored for clarity.
* **unpredictable**: the code may work fine under current conditions, but may fail erratically if conditions change.
* **unused**: unused code; for example, a private variable that is never used.
* **user-experience**: there’s nothing technically wrong with your code, but it may make some or all of your users hate you.