update_all/delete_all bypasses callbacks and validations
Part of Code Quality & Syntax, which counts for 20% of the overall score. When this check fires it deducts 4 points from that category, once per scan, no matter how many places it turns up.
What it detects
update_all and delete_all issue a single SQL statement directly and skip ActiveRecord callbacks and validations entirely, so before_save hooks, uniqueness checks, and updated_at all silently do not run. This is often intentional for bulk operations, so treat a finding here as a prompt to confirm rather than as a bug.
Why it matters
update_all and delete_all issue a single UPDATE or DELETE statement straight to the database and skip every ActiveRecord callback and validation: before_save hooks do not run, uniqueness and presence validations are not checked, updated_at is not touched unless the call sets it explicitly. This is often exactly what is wanted for a bulk operation, but when it is used out of habit instead of intentionally, it quietly breaks whatever invariants those callbacks were enforcing.
How to fix it
Confirm this bulk update is intentional and that skipping callbacks and validations is acceptable for this specific case; if so, no change is needed beyond a comment noting why. If the callbacks matter (an audit log, a cache invalidation, a dependent recalculation), replace update_all/delete_all with find_each combined with individual update!/destroy calls, accepting the performance cost in exchange for correctness.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo