REES analyzer reference
Every analyzer name you can put in REES_ANALYZERS, what it inspects, what it reports, and whether it needs network or GitHub token access.
REES runs analyzers independently: a failed analyzer is marked degraded, analyzers that complete still return their findings, and an empty result produces no user-facing brief. Use exact analyzer names in REES_ANALYZERS; a list containing only misspelled names fails closed with no analyzers selected. Leave REES_PROFILE unset for the balanced profile, or set it to fast during incidents to favor local and low-cost registry checks.
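The selection rules just described, as an added example that is not REES's own code: a small resolver that maps a REES_ANALYZERS value to the analyzers that will run. The registry list is the one on this page; the function name selectAnalyzers and the returned selected/ignored shape are this example's own choices.

```javascript
// Added example, not REES's own code. The registry names are copied from the
// analyzer reference; the function and its return shape are this example's.
const REGISTRY = [
  "dependency", "lockfileDrift", "secret", "license", "installScript",
  "heavyDependency", "actionPin", "eol", "redos", "provenance", "codeowners",
  "secretLog", "assetWeight", "typosquat", "commitSignature", "iacMisconfig",
  "nativeBuild", "history", "docCommentDrift", "duplication", "churnHotspot",
  "blameLink", "approvalIntegrity", "ciCheckSignals", "undocumentedExport",
];

/**
 * Resolve a REES_ANALYZERS value to the analyzers that will run.
 *   unset, "all" or "*"      -> the full registry
 *   a comma-separated list   -> only names that match the registry exactly
 *   nothing valid            -> an empty selection (fail closed, nothing guessed)
 * @param {string|undefined} raw       value of REES_ANALYZERS
 * @param {string[]} registry          known analyzer names
 * @returns {{selected: string[], ignored: string[]}}
 */
function selectAnalyzers(raw, registry = REGISTRY) {
  const value = (raw ?? "").trim();
  if (value === "" || value === "all" || value === "*") {
    return { selected: [...registry], ignored: [] };
  }
  const known = new Set(registry);
  const selected = [];
  const ignored = [];
  for (const token of value.split(",")) {
    const name = token.trim();
    if (name === "") continue;                              // tolerate a trailing comma
    if (known.has(name)) {
      if (!selected.includes(name)) selected.push(name);    // de-duplicate, keep order
    } else {
      ignored.push(name);                                   // typos are dropped, not corrected
    }
  }
  return { selected, ignored };
}
```

The ignored list is worth surfacing in REES's own startup log: a deployment that sets `REES_ANALYZERS=Secret,redos` silently runs only `redos`, and the empty-selection case is the one the page calls fail closed.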
```sh
# Unset, all, or * runs the full registry.
REES_ANALYZERS=all
# A subset runs only the named analyzers.
REES_ANALYZERS=secret,actionPin,redos
# Invalid names are ignored; if none are valid, REES runs no analyzers.
REES_ANALYZERS=unknownName
```
Profiles
fast
- Cost classes: local, registry
- Concurrency caps: local:8, registry:2
- Response reserve: 500 ms
balanced (default)
- Cost classes: local, registry, github-light, github-heavy, tooling
- Concurrency caps: local:8, registry:3, github-light:2, github-heavy:1, tooling:1
- Response reserve: 750 ms
deep
- Cost classes: local, registry, github-light, github-heavy, tooling
- Concurrency caps: local:8, registry:4, github-light:2, github-heavy:1, tooling:1
- Response reserve: 1000 ms
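How the per-class concurrency caps and the response reserve interact, as an added example (not REES's own scheduler): a deterministic simulation that starts analyzers in queue order subject to the caps of the chosen profile, advances a virtual clock to each finish, and marks anything that lands after the overall budget minus the reserve as degraded, while everything that finished in time keeps its findings. The profile data is copied from the table above; the per-analyzer durations, the budget value, the fallback of an unknown profile name to balanced, and the function names are this example's assumptions.

```javascript
// Added example, not REES's own scheduler. Profile data is from the reference;
// the durations and budget further down are constructed for illustration.
const PROFILES = {
  fast: { caps: { local: 8, registry: 2 }, reserveMs: 500 },
  balanced: {
    caps: { local: 8, registry: 3, "github-light": 2, "github-heavy": 1, tooling: 1 },
    reserveMs: 750,
  },
  deep: {
    caps: { local: 8, registry: 4, "github-light": 2, "github-heavy": 1, tooling: 1 },
    reserveMs: 1000,
  },
};

/** Unset REES_PROFILE means balanced; an unknown name also falls back to balanced (assumption). */
function resolveProfile(name) {
  return PROFILES[name ?? "balanced"] ?? PROFILES.balanced;
}

/**
 * Simulate one enrichment run under a profile.
 * @param {string|undefined} profileName  REES_PROFILE value
 * @param {{name: string, cost: string, ms: number}[]} jobs  analyzers with an estimated duration
 * @param {number} budgetMs  total time available before the brief must be composed
 * @returns {{deadline: number, completed: string[], degraded: string[], excluded: string[]}}
 */
function simulateRun(profileName, jobs, budgetMs) {
  const profile = resolveProfile(profileName);
  const deadline = budgetMs - profile.reserveMs;      // the reserve stays free for composing the brief
  const queue = jobs.filter((j) => j.cost in profile.caps);
  const excluded = jobs.filter((j) => !(j.cost in profile.caps)).map((j) => j.name);
  const running = [];                                 // { job, finishAt }
  const inFlight = {};                                // running count per cost class
  const completed = [];
  const degraded = [];
  let now = 0;
  while (queue.length > 0 || running.length > 0) {
    // Start everything the caps allow at the current time, preserving queue order.
    for (let i = 0; i < queue.length; ) {
      const job = queue[i];
      const used = inFlight[job.cost] ?? 0;
      if (used < profile.caps[job.cost]) {
        inFlight[job.cost] = used + 1;
        running.push({ job, finishAt: now + job.ms });
        queue.splice(i, 1);
      } else {
        i++;
      }
    }
    // Advance the clock to the earliest finish and classify that analyzer.
    running.sort((a, b) => a.finishAt - b.finishAt);
    const done = running.shift();
    now = done.finishAt;
    inFlight[done.job.cost] -= 1;
    (now <= deadline ? completed : degraded).push(done.job.name);
  }
  return { deadline, completed, degraded, excluded };
}

// Constructed durations (ms); the cost classes follow the analyzer reference.
const SAMPLE_JOBS = [
  { name: "secret", cost: "local", ms: 100 },
  { name: "actionPin", cost: "local", ms: 50 },
  { name: "redos", cost: "local", ms: 80 },
  { name: "dependency", cost: "registry", ms: 600 },
  { name: "lockfileDrift", cost: "registry", ms: 600 },
  { name: "license", cost: "registry", ms: 1000 },
  { name: "eol", cost: "registry", ms: 200 },
  { name: "codeowners", cost: "github-light", ms: 300 },
];
```

With a 2000 ms budget the fast profile (registry cap 2, deadline 1500 ms) never starts codeowners, queues license behind two 600 ms registry calls and ends up degrading it, while deep (registry cap 4, deadline 1000 ms) completes all eight; the trade-off the page describes as favoring local and low-cost checks is exactly this queueing effect.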
All analyzer names
dependency
lockfileDrift
secret
license
installScript
heavyDependency
actionPin
eol
redos
provenance
codeowners
secretLog
assetWeight
typosquat
commitSignature
iacMisconfig
nativeBuild
history
docCommentDrift
duplication
churnHotspot
blameLink
approvalIntegrity
ciCheckSignals
undocumentedExport
Network and token model
- Pure analyzers: secret, actionPin, redos, secretLog, and iacMisconfig work only from the diff/files sent to REES.
- Public registry analyzers: dependency, lockfileDrift, license, installScript, heavyDependency, eol, provenance, typosquat, and nativeBuild call public package or lifecycle APIs.
- GitHub API analyzers: codeowners, assetWeight, commitSignature, and history need author/head metadata and GitHub token forwarding when the repo is private.
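The requirement gating implied by the token model above, as an added example (not REES's own code): given the analyzers selected to run and what the enrichment request carries, decide which can run and which are skipped for a missing requirement. The requirements table is transcribed from the per-analyzer entries on this page; the context field names (files, publicNetwork, tokenForwarded, privateRepo, headSha, author), the rule that github-token is satisfied on a public repo even without forwarding, the meaning of public-network as "outbound access to public registries is allowed", and the function name planAnalyzers are this example's assumptions.

```javascript
// Added example, not REES's own code. Requirements are transcribed from the
// analyzer reference; the context shape and gating rules are assumptions.
const REQUIREMENTS = {
  dependency: ["files", "public-network"],
  lockfileDrift: ["files", "public-network"],
  secret: ["files"],
  license: ["files", "public-network"],
  installScript: ["files", "public-network"],
  heavyDependency: ["files", "public-network"],
  actionPin: ["files"],
  eol: ["files", "public-network"],
  redos: ["files"],
  provenance: ["files", "public-network"],
  codeowners: ["files", "author", "github-token"],
  secretLog: ["files"],
  assetWeight: ["files", "github-token", "head-sha"],
  typosquat: ["files", "public-network"],
  commitSignature: ["github-token", "head-sha"],
  iacMisconfig: ["files"],
  nativeBuild: ["files", "public-network"],
  history: ["files", "github-token", "author"],
  docCommentDrift: ["files", "github-token", "head-sha"],
  duplication: ["files", "github-token", "head-sha"],
  churnHotspot: ["files", "github-token"],
  blameLink: ["files", "github-token"],
  approvalIntegrity: ["github-token", "head-sha"],
  ciCheckSignals: ["github-token", "head-sha"],
  undocumentedExport: ["files", "github-token", "head-sha"],
};

/**
 * Split the selected analyzers into those that can run and those skipped
 * because the request cannot satisfy one of their requirements.
 * @param {string[]} names  analyzers selected via REES_ANALYZERS
 * @param {{files?: string[], publicNetwork?: boolean, tokenForwarded?: boolean,
 *          privateRepo?: boolean, headSha?: string, author?: string}} ctx
 * @returns {{run: string[], skipped: {name: string, missing: string[]}[]}}
 */
function planAnalyzers(names, ctx) {
  const satisfied = {
    "files": (ctx.files ?? []).length > 0,
    "public-network": ctx.publicNetwork === true,                               // egress to public registries (assumption)
    "github-token": ctx.tokenForwarded === true || ctx.privateRepo === false,   // public repos need no token (assumption)
    "head-sha": typeof ctx.headSha === "string" && ctx.headSha.length > 0,
    "author": typeof ctx.author === "string" && ctx.author.length > 0,
  };
  const run = [];
  const skipped = [];
  for (const name of names) {
    if (!(name in REQUIREMENTS)) {
      skipped.push({ name, missing: ["unknown-analyzer"] });
      continue;
    }
    const missing = REQUIREMENTS[name].filter((r) => !satisfied[r]);
    if (missing.length === 0) run.push(name);
    else skipped.push({ name, missing });
  }
  return { run, skipped };
}

// Constructed request context: a private repo with token forwarding left off.
const SAMPLE_CONTEXT = {
  files: ["package.json", "src/app.js"],
  publicNetwork: true,
  tokenForwarded: false,
  privateRepo: true,
  headSha: "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0",   // constructed placeholder SHA
  author: "octocat",
};
```

For the constructed context every github-token analyzer (eleven of the twenty-five) is skipped with the reason recorded, while all pure and public-registry analyzers still run; flipping privateRepo to false lets everything run, and dropping headSha skips only the seven analyzers that need it.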
With REES_FORWARD_GITHUB_TOKEN=false, REES still receives the PR diff/files when enrichment is enabled, but token-aware analyzers skip the GitHub API reads they cannot authenticate.
Analyzer details
Dependency vulnerabilities
Checks changed direct dependency versions against OSV.dev.
dependency (cost class: registry)
- Looks at: Added or upgraded dependencies in package.json, requirements.txt, and go.mod diffs.
- Reports: Known CVEs with severity, advisory id, summary, and fixed version when OSV publishes one.
- Network: Calls OSV.dev. No GitHub token required.
- Operational note: Manifest-only by design; use lockfileDrift for transitive lockfile changes.
- Profiles: fast, balanced, deep
- Requirements: files, public-network
Lockfile drift
Finds vulnerable transitive dependency versions introduced only through lockfile changes.
lockfileDrift (cost class: registry)
- Looks at: package-lock.json, yarn.lock, and poetry.lock patches, excluding packages already named in a changed manifest.
- Reports: Lockfile line, package/version, ecosystem, direction, and OSV vulnerability details.
- Network: Calls OSV.dev querybatch. No GitHub token required.
- Operational note: Useful when a PR does not touch a top-level manifest but changes resolved dependency pins.
- Profiles: fast, balanced, deep
- Requirements: files, public-network
Hardcoded secrets
Scans added diff lines for credential-shaped values.
secret (cost class: local)
- Looks at: Added lines in every changed file patch.
- Reports: File, line, secret kind, and confidence. The matched value is never returned.
- Network: Pure local analyzer. No external network call.
- Operational note: High-confidence patterns are treated as rotate-and-remove candidates; generic assignments stay verify-first.
- Profiles: fast, balanced, deep
- Requirements: files
Dependency licenses
Checks licenses for newly added or upgraded dependencies.
license (cost class: registry)
- Looks at: The same direct dependency changes used by the dependency analyzer.
- Reports: Copyleft or unknown license classifications that need maintainer compatibility review.
- Network: Calls deps.dev. No GitHub token required.
- Operational note: Permissive and otherwise-known licenses are intentionally silent.
- Profiles: fast, balanced, deep
- Requirements: files, public-network
npm install scripts
Flags npm packages that run lifecycle hooks during install.
installScript (cost class: registry)
- Looks at: New or upgraded npm dependencies.
- Reports: Package, version, hook names, and publish date when available.
- Network: Calls the npm registry. No GitHub token required.
- Operational note: The script body is not returned, which keeps the brief compact and non-executable.
- Profiles: fast, balanced, deep
- Requirements: files, public-network
Heavy dependencies used trivially
Flags materially heavy npm dependencies used only a few times in changed lines.
heavyDependency (cost class: registry)
- Looks at: New or upgraded npm dependencies plus direct uses in added lines.
- Reports: Package size, dependency count, usage count, and line-cited usage locations.
- Network: Calls Bundlephobia. No GitHub token required.
- Operational note: Only reports packages with trivial direct usage so the finding stays actionable.
- Profiles: fast, balanced, deep
- Requirements: files, public-network
Unpinned GitHub Actions
Detects third-party workflow actions pinned to mutable tags or branches.
actionPin (cost class: local)
- Looks at: Added uses: lines in .github/workflows YAML patches.
- Reports: Workflow file, line, action, and mutable ref.
- Network: Pure local analyzer. No external network call.
- Operational note: Official actions/* and github/* actions are excluded to keep the signal focused.
- Profiles: fast, balanced, deep
- Requirements: files
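The two pure local analyzers described above, hardcoded secrets and unpinned GitHub Actions, as one added example that is not REES's own code: a minimal unified-diff walker that attributes added lines to file and line number, a secret detector that reports kind and confidence but never the matched value, and an action-pin detector that flags mutable refs on third-party actions while excluding actions/* and github/*. The pattern set, kind names, the treatment of local (./) and docker:// uses, the output shapes and the sample diff are this example's own constructions; the AWS key id in the sample is Amazon's published example value, not a live credential.

```javascript
// Added example, not REES's own code. The sample diff below is constructed.

/** Yield {file, line, text} for every added line in a unified diff. */
function* addedLines(diff) {
  let file = null;
  let line = 0;
  for (const raw of diff.split("\n")) {
    if (raw.startsWith("+++ ")) { file = raw.slice(4).replace(/^b\//, ""); continue; }
    if (raw.startsWith("--- ") || raw.startsWith("diff ") || raw.startsWith("\\")) continue;
    const hunk = /^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@/.exec(raw);
    if (hunk) { line = Number(hunk[1]); continue; }          // new-side start line of the hunk
    if (raw.startsWith("+")) { yield { file, line, text: raw.slice(1) }; line++; }
    else if (!raw.startsWith("-")) line++;                  // context line advances the new side
  }
}

// High-confidence shapes map to rotate-and-remove; a generic assignment stays verify-first.
const HIGH_CONFIDENCE = [
  { kind: "aws-access-key-id", re: /\bAKIA[0-9A-Z]{16}\b/ },
  { kind: "github-pat", re: /\bghp_[A-Za-z0-9]{36}\b/ },
  { kind: "private-key-block", re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/ },
];
const GENERIC_ASSIGNMENT = /(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*["'][^"']{8,}["']/i;

function secretAnalyzer(diff) {
  const findings = [];
  for (const { file, line, text } of addedLines(diff)) {
    const high = HIGH_CONFIDENCE.filter((p) => p.re.test(text));
    if (high.length > 0) {
      for (const p of high) findings.push({ file, line, kind: p.kind, confidence: "high", action: "rotate-and-remove" });
    } else if (GENERIC_ASSIGNMENT.test(text)) {
      findings.push({ file, line, kind: "credential-assignment", confidence: "low", action: "verify-first" });
    }
  }
  return findings;   // the matched value is deliberately never part of a finding
}

const USES = /^\s*-?\s*uses:\s*["']?([^@\s"']+)@([^\s"']+)/;

function actionPinAnalyzer(diff) {
  const findings = [];
  for (const { file, line, text } of addedLines(diff)) {
    if (!/^\.github\/workflows\/.*\.ya?ml$/.test(file ?? "")) continue;
    const m = USES.exec(text);
    if (!m) continue;
    const [, action, ref] = m;
    const owner = action.split("/")[0];
    if (owner === "actions" || owner === "github") continue;                   // official actions are excluded
    if (action.startsWith("./") || action.startsWith("docker://")) continue;  // local/image uses (example's choice)
    if (/^[0-9a-f]{40}$/.test(ref)) continue;                                  // full commit SHA is immutable
    findings.push({ file, line, action, ref });
  }
  return findings;
}

// Constructed PR diff touching a config file and a workflow.
const SAMPLE_DIFF = [
  "diff --git a/src/config.js b/src/config.js",
  "--- a/src/config.js",
  "+++ b/src/config.js",
  "@@ -1,2 +1,5 @@",
  ' const region = "us-east-1";',
  '+const awsKey = "AKIAIOSFODNN7EXAMPLE"; // AWS documentation example id, not live',
  '+const dbPassword = "hunter2hunter2";',
  '+const note = "password reset email sent";',
  " module.exports = { region };",
  "diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml",
  "--- a/.github/workflows/ci.yml",
  "+++ b/.github/workflows/ci.yml",
  "@@ -10,2 +10,5 @@",
  "      - uses: actions/checkout@v4",
  "+      - uses: some-org/setup-tool@v2",
  "+      - uses: other-org/lint-action@main",
  "+      - uses: some-org/cache-helper@0123456789abcdef0123456789abcdef01234567",
  "      - run: npm test",
].join("\n");
```

On the sample the secret analyzer reports line 2 as a high-confidence AWS key id and line 3 as a low-confidence assignment, stays silent on the "password reset" prose at line 4, and its output contains neither value; the action-pin analyzer reports the `@v2` and `@main` refs at lines 11 and 12 and skips the SHA-pinned line 13.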
End-of-life runtimes
Checks changed runtime and base-image pins against EOL calendars.
eol (cost class: registry)
- Looks at: Dockerfile FROM lines, .nvmrc, and go.mod runtime pins.
- Reports: File, product, version, EOL date, and whether the release is already EOL or close to EOL.
- Network: Calls endoflife.date. No GitHub token required.
- Operational note: Only changed pins are checked; existing old runtimes outside the PR are not reported.
- Profiles: fast, balanced, deep
- Requirements: files, public-network
ReDoS-prone regex
Finds newly introduced regex shapes that can catastrophically backtrack.
redos (cost class: local)
- Looks at: Regex literals and RegExp constructor string arguments in added lines.
- Reports: File, line, and a truncated vulnerable pattern.
- Network: Pure local analyzer. No external network call.
- Operational note: Structural and precision-first; it flags nested unbounded quantifier shapes such as (a+)+.
- Profiles: fast, balanced, deep
- Requirements: files
Provenance and committed artifacts
Checks package attestations and reviewability of newly added artifacts.
provenance (cost class: registry)
- Looks at: New npm/PyPI dependency versions plus added binary, vendored, and minified files.
- Reports: Missing attestations, binary files without reviewable source, and vendored or minified code.
- Network: Calls npm and PyPI attestation/provenance endpoints for package checks. Path checks are local.
- Operational note: Network failures fail safe; it flags only confident no-attestation responses.
- Profiles: fast, balanced, deep
- Requirements: files, public-network
CODEOWNERS coverage
Checks whether changed files cross ownership domains not owned by the PR author.
codeowners (cost class: github-light)
- Looks at: .github/CODEOWNERS, CODEOWNERS, or docs/CODEOWNERS plus the changed file list.
- Reports: Owned files where the PR author is not listed, plus ownership blast-radius context in the rendered brief.
- Network: Calls the GitHub API. Requires author plus GitHub token forwarding for private repos.
- Operational note: Leave REES_FORWARD_GITHUB_TOKEN unset/false to disable token forwarding; this analyzer will then skip when it cannot read CODEOWNERS.
- Profiles: balanced, deep
- Requirements: files, author, github-token
Secrets or PII in logs
Flags added code that writes sensitive values to logs or stdout.
secretLog (cost class: local)
- Looks at: Added lines that call console, logger, process.stdout, or process.stderr sinks.
- Reports: File, line, sink, and category: secret, pii, or request-object.
- Network: Pure local analyzer. No external network call.
- Operational note: String log messages are stripped before matching, so ordinary prose like password reset is not enough to trigger.
- Profiles: fast, balanced, deep
- Requirements: files
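The strip-then-match behaviour described in the operational note above, as an added example (not REES's own code): string literals in the log call are removed before identifier matching, so a message like "password reset" alone is not enough, while a sensitive identifier among the arguments is. It assumes added lines have already been attributed to file and line by a diff walker (the records below are constructed); the sink list, the category keyword sets and the output shape are this example's choices.

```javascript
// Added example, not REES's own code. Input records are constructed.
const SINK = /\b(console\.(?:log|info|warn|error|debug|trace)|logger\.(?:log|info|warn|error|debug|trace)|process\.std(?:out|err)\.write)\s*\(/;

// Matched against the call's arguments after string literals are removed.
const CATEGORY = [
  { category: "secret", re: /password|passwd|secret|token|api[_-]?key|authorization|credential/i },
  { category: "pii", re: /\b(?:email|ssn|phone|birthdate|dob)\b/i },
  // a bare req/request object written out wholesale, not a property read from it
  { category: "request-object", re: /\b(?:req|request)\b(?!\s*[.\[])/ },
];

/** Remove "..." and '...' literals; for template literals keep only the ${...} parts. */
function stripStrings(code) {
  return code
    .replace(/"(?:[^"\\]|\\.)*"/g, "")
    .replace(/'(?:[^'\\]|\\.)*'/g, "")
    .replace(/`[^`]*`/g, (tpl) => (tpl.match(/\$\{[^}]*\}/g) ?? []).join(" "));
}

/**
 * @param {{file: string, line: number, text: string}[]} addedLines
 * @returns {{file: string, line: number, sink: string, category: string}[]}
 */
function secretLogAnalyzer(addedLines) {
  const findings = [];
  for (const { file, line, text } of addedLines) {
    const m = SINK.exec(text);
    if (!m) continue;
    const args = stripStrings(text.slice(m.index + m[0].length));   // everything after the opening paren
    for (const { category, re } of CATEGORY) {
      if (re.test(args)) findings.push({ file, line, sink: m[1], category });
    }
  }
  return findings;
}

// Constructed added lines, already attributed by a diff walker.
const SAMPLE_LINES = [
  { file: "src/auth.js", line: 12, text: 'console.log("user login", user.email);' },
  { file: "src/auth.js", line: 19, text: "logger.info(`token=${accessToken}`);" },
  { file: "src/auth.js", line: 25, text: 'console.log("password reset email sent to user");' },
  { file: "src/api.js", line: 40, text: 'console.error("request failed", req);' },
  { file: "src/api.js", line: 48, text: "process.stdout.write(JSON.stringify({ ssn: customer.ssn }));" },
  { file: "src/api.js", line: 53, text: 'console.debug("auth header", req.headers.authorization);' },
];
```

Line 25 produces nothing because its only content is a string literal, whereas line 19 still fires: the template literal's text is dropped but the interpolated `accessToken` survives stripping and matches the secret category.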
Heavy binary assets
Finds large binary assets added to a PR, and growth deltas when base size is available.
assetWeight (cost class: github-heavy)
- Looks at: Changed binary assets such as images, fonts, archives, PDFs, videos, and compiled binaries.
- Reports: Path, size, delta, and whether the asset was added or grown.
- Network: Calls the GitHub API. Requires headSha and GitHub token forwarding for private repos.
- Operational note: Added asset detection works from headSha. Growth comparison needs baseSha in the enrichment request.
- Profiles: balanced, deep
- Requirements: files, github-token, head-sha
Typosquat and dependency-confusion risk
Checks newly added dependency names for near-miss and publicly claimable package names.
typosquat (cost class: registry)
- Looks at: Newly added npm and PyPI dependency names.
- Reports: Typosquat matches against popular packages, or unscoped names missing from the public registry.
- Network: Uses bundled popular-package lists plus npm/PyPI registry lookups for dependency-confusion checks.
- Operational note: Scoped npm packages are treated as namespace-protected and are not flagged as typosquats.
- Profiles: fast, balanced, deep
- Requirements: files, public-network
Head commit signature
Checks head commit signature and public author provenance.
commitSignature (cost class: github-light)
- Looks at: The head commit plus a bounded slice of recent repository commit history.
- Reports: GitHub signature verification reason and public boolean provenance flags.
- Network: Calls the GitHub API. Requires headSha and GitHub token forwarding for private repos.
- Operational note: Does not expose emails or private identity data; only public GitHub commit facts are surfaced.
- Profiles: balanced, deep
- Requirements: github-token, head-sha
IaC / config misconfiguration
Flags risky IaC/config changes such as public buckets or insecure CORS.
iacMisconfig (cost class: local)
- Looks at: Added lines in Docker, Terraform, YAML, JSON, and similar config files.
- Reports: File, line, and public-safe rule kind.
- Network: Pure local analyzer. No external network call.
- Operational note: Reports configuration shapes only; it does not inspect private runtime config.
- Profiles: fast, balanced, deep
- Requirements: files
Native-build dependencies
Flags newly added dependencies that compile native code or ship sdist-only builds.
nativeBuild (cost class: registry)
- Looks at: New npm/PyPI dependency versions.
- Reports: Package, version, ecosystem, native-build kind, and public-safe reason.
- Network: Calls npm and PyPI registries. No GitHub token required.
- Operational note: Registry JSON is capped so large package metadata cannot monopolize REES memory.
- Profiles: fast, balanced, deep
- Requirements: files, public-network
Author and change-area history
Shows public author track record, same-file PR history, and linked-issue alignment.
history (cost class: github-heavy)
- Looks at: The PR author, changed file paths, linked issue text, added diff lines, and bounded GitHub history lookups.
- Reports: Prior PR counts, similar past PRs, linked issue coverage, and partial/degraded status.
- Network: Calls the GitHub API with bounded fanout. Requires author plus GitHub token forwarding for private repos.
- Operational note: Returns partial findings when GitHub lookups are skipped, capped, or budget-exhausted.
- Profiles: balanced, deep
- Requirements: files, github-token, author
Doc-comment drift
Flags a JSDoc/TSDoc @param that names a parameter the PR removed or renamed but left documented.
docCommentDrift (cost class: github-light)
- Looks at: Changed TS/JS source files at headSha, comparing each named function's old vs new parameter list.
- Reports: File, line, function, and the stale parameter name(s).
- Network: Calls the GitHub API for changed file contents. Requires headSha and token forwarding for private repos.
- Operational note: Conservative: only named function declarations with confidently enumerable params; non-parameter signature edits are not reported.
- Profiles: balanced, deep
- Requirements: files, github-token, head-sha
Near-verbatim duplicated code
Flags added code that is a near-verbatim duplicate of a block already present elsewhere in the repo.
duplication (cost class: github-light)
- Looks at: Added diff hunks in changed source files compared against same-extension repo files fetched from the git tree at headSha.
- Reports: The head file:line, the existing source file:line it duplicates, and the matched line count.
- Network: Calls the GitHub API for the git tree and candidate blobs. Requires headSha and token forwarding for private repos.
- Operational note: Conservative: trivial/boilerplate lines are dropped and a long contiguous run is required, so incidental overlap is not flagged. Never returns code content.
- Profiles: balanced, deep
- Requirements: files, github-token, head-sha
Churn hotspots
Flags changed files that are statistical fragility hotspots — high commit frequency and a high fix/revert fraction.
churnHotspot (cost class: github-heavy)
- Looks at: Each changed file's recent commit history (a 90-day window), excluding lockfiles, generated output, and binaries.
- Reports: File, commit count, fix/revert count, and the window; counts only, never file contents.
- Network: Calls the GitHub commits API once per probed file. Requires GitHub token forwarding for private repos.
- Operational note: Distinct from the history analyzer's author track record; this scores the change area's defect density.
- Profiles: balanced, deep
- Requirements: files, github-token
Recent file history (last PR to touch)
For files this PR modifies or deletes, surfaces the last PR to touch each file — file-level history context, not per-line blame.
blameLink (cost class: github-light)
- Looks at: Each changed file's most recent base-branch commit (bounded to the first few files) and that commit's associated PR.
- Reports: File, a pointer to where this PR changes it, the last-touching PR number, and a short commit-SHA prefix; never file contents.
- Network: Calls the GitHub commits API and the commit-to-PR association API, both bounded by a total lookup cap.
- Operational note: File-level, not per-line: it reports each file's most recent prior toucher, never claiming a specific line's origin. Fail-safe and partial on cap.
- Profiles: balanced, deep
- Requirements: files, github-token
Review/approval integrity
Flags review/approval integrity signals: an APPROVED review that predates the current head commit, the author approving their own PR, and a reviewer whose current review is still CHANGES_REQUESTED.
approvalIntegrity (cost class: github-light)
- Looks at: The PR's reviews (walked page by page, bounded), reduced to each reviewer's most recent submitted review, which is GitHub's own semantics for a reviewer's current vote.
- Reports: Reviewer login, the finding kind, and (for a stale approval) a short commit-SHA prefix; never review body text.
- Network: Calls the GitHub PR-reviews API, paginated and bounded to a fixed page cap.
- Operational note: Structured-fields-only: reads state/commit_id/user.login/submitted_at, never diff or review-body text. Fail-safe on missing token/head SHA/fetch error.
- Profiles: balanced, deep
- Requirements: github-token, head-sha
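The reduce-then-check logic described above, as an added example (not REES's own code): reviews are folded to each reviewer's latest submitted review, then checked for an approval that predates the head commit, an approval by the PR author, and an outstanding CHANGES_REQUESTED. It assumes review objects already fetched from the PR-reviews API, constructed below using only the structured fields the page names; it treats PENDING reviews as not yet submitted, uses its own finding-kind names and a seven-character SHA prefix, and short-circuits to a skipped result when the head SHA or token is missing.

```javascript
// Added example, not REES's own code. SHAs and review records are constructed.
const HEAD_SHA = "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0";   // placeholder head commit
const OLD_SHA = "0123456789abcdef0123456789abcdef01234567";    // placeholder earlier commit

// Only the fields the analyzer reads are present; review bodies are never fetched.
const SAMPLE_REVIEWS = [
  { user: { login: "alice" }, state: "APPROVED", commit_id: OLD_SHA, submitted_at: "2024-05-01T10:00:00Z" },
  { user: { login: "bob" }, state: "CHANGES_REQUESTED", commit_id: OLD_SHA, submitted_at: "2024-05-01T10:30:00Z" },
  { user: { login: "bob" }, state: "APPROVED", commit_id: HEAD_SHA, submitted_at: "2024-05-01T11:00:00Z" },
  { user: { login: "carol" }, state: "APPROVED", commit_id: HEAD_SHA, submitted_at: "2024-05-01T11:10:00Z" },
  { user: { login: "dave" }, state: "CHANGES_REQUESTED", commit_id: HEAD_SHA, submitted_at: "2024-05-01T11:20:00Z" },
  { user: { login: "erin" }, state: "PENDING", commit_id: HEAD_SHA, submitted_at: null },
];

/** Latest submitted review per reviewer login, in first-seen order. */
function currentReviews(reviews) {
  const latest = new Map();
  for (const r of reviews) {
    if (r.state === "PENDING" || !r.submitted_at) continue;        // not submitted yet
    const prev = latest.get(r.user.login);
    if (!prev || Date.parse(r.submitted_at) > Date.parse(prev.submitted_at)) {
      latest.set(r.user.login, r);                                  // Map keeps the original position
    }
  }
  return latest;
}

/**
 * @param {{reviews: object[], headSha?: string, author: string, tokenPresent: boolean}} input
 * @returns {{status: "ok"|"skipped", findings: object[]}}
 */
function approvalIntegrity({ reviews, headSha, author, tokenPresent }) {
  if (!tokenPresent || !headSha) return { status: "skipped", findings: [] };   // fail-safe
  const findings = [];
  for (const [login, r] of currentReviews(reviews)) {
    if (r.state === "APPROVED" && r.commit_id !== headSha) {
      findings.push({ reviewer: login, kind: "stale-approval", sha: r.commit_id.slice(0, 7) });
    }
    if (r.state === "APPROVED" && login === author) {
      findings.push({ reviewer: login, kind: "self-approval" });
    }
    if (r.state === "CHANGES_REQUESTED") {
      findings.push({ reviewer: login, kind: "changes-requested" });
    }
  }
  return { status: "ok", findings };
}
```

With carol as the PR author, the sample yields three findings: alice's approval is stale (it was given on the earlier commit), carol approved her own PR, and dave's current vote is still CHANGES_REQUESTED. bob produces nothing because his later approval on the head commit supersedes his earlier request for changes, and erin's pending review is ignored.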
CI check-run signals
Flags a named check that only went green after one or more earlier non-success attempts at the current head commit, and any completed check run whose duration crossed a fixed threshold.
ciCheckSignals (cost class: github-light)
- Looks at: The head commit's check-runs (one bounded page), grouped by name and ordered by start time.
- Reports: Check name and either the count of failed attempts before success, or the run's duration in minutes; never logs or output.
- Network: Calls the GitHub check-runs API once, bounded to one page.
- Operational note: Structured-fields-only: reads name/status/conclusion/started_at/completed_at, never check output or logs. Fail-safe on missing token/head SHA/fetch error.
- Profiles: balanced, deep
- Requirements: github-token, head-sha
Undocumented public exports
Flags exports newly added to a package's public entrypoint (an index.* barrel) that ship with no adjacent doc comment.
undocumentedExport (cost class: github-light)
- Looks at: Direct `export const/let/var/function/class/interface/type/enum` declarations added to changed index.* files, checked against the file fetched at headSha.
- Reports: File, line, and symbol name of each undocumented added export; never file contents.
- Network: One GitHub contents fetch per changed entrypoint (at headSha). Requires GitHub token forwarding for private repos.
- Operational note: Conservative: re-export lists (`export { x }`) and `export *` are ignored; a preceding `//` line (except tool directives like `eslint-disable`) or a real JSDoc `/**` block counts as documented (a plain `/* … */` block does not).
- Profiles: balanced, deep
- Requirements: files, github-token, head-sha
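The documentation rules in the operational note above, as an added example (not REES's own code): for each added `export` declaration in an index.* file, the line directly above decides whether it counts as documented. It assumes the full file content at headSha has already been fetched and the added line numbers are known from the diff (the sample file and line set below are constructed); the directive prefixes it ignores (eslint-, @ts-, prettier-ignore, biome-ignore), the acceptance of `async`/`abstract`/`declare` modifiers, and the output shape are this example's choices.

```javascript
// Added example, not REES's own code. Sample entrypoint content is constructed.
const EXPORT_DECL = /^\s*export\s+(?:declare\s+)?(?:const|let|var|(?:async\s+)?function\*?|(?:abstract\s+)?class|interface|type|enum)\s+([A-Za-z_$][\w$]*)/;
const TOOL_DIRECTIVE = /^\/\/\s*(?:eslint-|@ts-|prettier-ignore|biome-ignore)/;

/** True when the line(s) immediately above `index` form a doc comment by the page's rules. */
function hasAdjacentDoc(lines, index) {
  if (index === 0) return false;
  const prev = lines[index - 1].trim();
  if (prev.startsWith("//")) return !TOOL_DIRECTIVE.test(prev);   // a plain // comment counts
  if (!prev.endsWith("*/")) return false;                        // blank line or code above: undocumented
  // Walk up to the opening delimiter of the block and check for the JSDoc marker.
  for (let i = index - 1; i >= 0; i--) {
    const t = lines[i].trim();
    if (t.startsWith("/*")) return t.startsWith("/**");           // "/** ... */" yes, "/* ... */" no
  }
  return false;
}

/**
 * @param {string} file               entrypoint path; only index.* files are inspected
 * @param {string} content            file content fetched at headSha
 * @param {Iterable<number>} addedLines  1-based line numbers added by the PR
 * @returns {{file: string, line: number, symbol: string}[]}
 */
function undocumentedExports(file, content, addedLines) {
  if (!/(^|\/)index\.[cm]?[jt]sx?$/.test(file)) return [];
  const lines = content.split("\n");
  const findings = [];
  for (const lineNo of addedLines) {
    const text = lines[lineNo - 1] ?? "";
    const m = EXPORT_DECL.exec(text);              // `export { x }` and `export *` never match
    if (!m) continue;
    if (!hasAdjacentDoc(lines, lineNo - 1)) findings.push({ file, line: lineNo, symbol: m[1] });
  }
  return findings;
}

// Constructed barrel file; every line is treated as added by the PR.
const SAMPLE_INDEX = [
  "/** Adds two numbers. */",
  "export function add(a, b) { return a + b; }",
  "// eslint-disable-next-line no-unused-vars",
  'export const VERSION = "1.2.3";',
  "/* internal helper, not API */",
  "export class Cache {}",
  "// Parses a cursor string.",
  "export type Cursor = string;",
  "/**",
  " * Runtime modes.",
  " */",
  "export enum Mode { A, B }",
  'export { helper } from "./helper";',
  'export * from "./types";',
  "export interface Options { verbose: boolean }",
].join("\n");
const SAMPLE_ADDED = Array.from({ length: 15 }, (_, i) => i + 1);
```

On the sample, `add`, `Cursor` and `Mode` count as documented (single-line JSDoc, plain `//` comment, multi-line JSDoc), the re-export lines are ignored, and three exports are reported: `VERSION` (only a tool directive above it), `Cache` (a plain `/* */` block) and `Options` (no comment at all).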
Back to REES setup
Use REES enrichment for enablement, auth, troubleshooting, and where the brief appears in the review result.