REES analyzer reference

Every analyzer name you can put in REES_ANALYZERS, what it inspects, what it reports, and whether it needs network or GitHub token access.

REES runs analyzers independently. A failed analyzer is marked degraded, completed analyzers still return findings, and an empty result produces no user-facing brief. Use exact analyzer names in REES_ANALYZERS: a list containing only misspelled names fails closed with no analyzers selected. Leave REES_PROFILE unset for the balanced profile, or set REES_PROFILE=fast during incidents to favor local and low-cost registry checks.

.env

```ini
# Unset, all, or * runs the full registry.
REES_ANALYZERS=all

# A subset runs only the named analyzers.
REES_ANALYZERS=secret,actionPin,redos

# Invalid names are ignored; if none are valid, REES runs no analyzers.
REES_ANALYZERS=unknownName
```

Profiles

| Profile | Cost classes | Concurrency caps | Response reserve |
| --- | --- | --- | --- |
| fast | local, registry | local:8, registry:2 | 500 ms |
| balanced (default) | local, registry, github-light, github-heavy, tooling | local:8, registry:3, github-light:2, github-heavy:1, tooling:1 | 750 ms |
| deep | local, registry, github-light, github-heavy, tooling | local:8, registry:4, github-light:2, github-heavy:1, tooling:1 | 1000 ms |
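An added example (not REES's own code) that models the REES_ANALYZERS selection rules and the profile table above in JavaScript. The registry subset, the shape of the returned plan, and the fallback of an unknown profile name to balanced are this example's assumptions.

```javascript
// Added example, not REES code: models the REES_ANALYZERS and REES_PROFILE
// rules from this page. REGISTRY is a constructed subset of the analyzer
// catalogue using the cost classes documented above.
const REGISTRY = {
  dependency: 'registry',
  secret: 'local',
  actionPin: 'local',
  redos: 'local',
  codeowners: 'github-light',
  assetWeight: 'github-heavy',
  history: 'github-heavy',
};

const ALL_CLASSES = ['local', 'registry', 'github-light', 'github-heavy', 'tooling'];

// Profiles exactly as documented: allowed cost classes, per-class concurrency
// caps and the response reserve.
const PROFILES = {
  fast: { classes: ['local', 'registry'], caps: { local: 8, registry: 2 }, reserveMs: 500 },
  balanced: {
    classes: ALL_CLASSES,
    caps: { local: 8, registry: 3, 'github-light': 2, 'github-heavy': 1, tooling: 1 },
    reserveMs: 750,
  },
  deep: {
    classes: ALL_CLASSES,
    caps: { local: 8, registry: 4, 'github-light': 2, 'github-heavy': 1, tooling: 1 },
    reserveMs: 1000,
  },
};

// Own-property check instead of `in`, so a name such as "constructor" can never
// resolve to something on the object prototype.
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Parse REES_ANALYZERS. Unset, "all" or "*" selects the full registry; unknown
// names are dropped; a list with no valid name fails closed to an empty set.
function selectAnalyzers(envValue, registry = REGISTRY) {
  const raw = (envValue ?? '').trim();
  if (raw === '' || raw === 'all' || raw === '*') return Object.keys(registry);
  return raw
    .split(',')
    .map((s) => s.trim())
    .filter((name) => hasOwn(registry, name));
}

// Apply a profile: keep only analyzers whose cost class the profile allows and
// group them by class with that class's concurrency cap. Unset REES_PROFILE
// means balanced (documented); an unknown profile name also falls back to
// balanced here, which is an assumption of this example.
function planRun(names, profileName, registry = REGISTRY) {
  const resolved = profileName && hasOwn(PROFILES, profileName) ? profileName : 'balanced';
  const profile = PROFILES[resolved];
  const plan = {};
  for (const name of names) {
    const cls = registry[name];
    if (!profile.classes.includes(cls)) continue; // e.g. fast skips GitHub-backed analyzers
    if (!plan[cls]) plan[cls] = { cap: profile.caps[cls], analyzers: [] };
    plan[cls].analyzers.push(name);
  }
  return { profile: resolved, reserveMs: profile.reserveMs, plan };
}

// Stand-alone run: the subset from the .env example above, under the fast profile.
console.log(JSON.stringify(planRun(selectAnalyzers('secret,actionPin,redos'), 'fast'), null, 2));
```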

All analyzer names

REES_ANALYZERS names
dependency
lockfileDrift
secret
license
installScript
heavyDependency
actionPin
eol
redos
provenance
codeowners
secretLog
assetWeight
typosquat
commitSignature
iacMisconfig
nativeBuild
history
docCommentDrift
duplication
churnHotspot
blameLink
approvalIntegrity
ciCheckSignals
undocumentedExport
staleBranch
commitHygiene
pendingReviewRequests
testRatio
migrationSafety
looseRange
terminology
todoMarker
magicNumber
conflictMarker
commitLint
unsafeAny

Network and token model

Pure analyzers
secret, actionPin, redos, secretLog, and iacMisconfig work only from the diff/files sent to REES.
Public registry analyzers
dependency, lockfileDrift, license, installScript, heavyDependency, eol, provenance, typosquat, and nativeBuild call public package or lifecycle APIs.
GitHub API analyzers
codeowners, assetWeight, commitSignature, and history need author/head metadata and GitHub token forwarding when the repo is private.
If the REES endpoint is outside your trust boundary, set REES_FORWARD_GITHUB_TOKEN=false. REES will still receive the PR diff/files when enabled, but token-aware analyzers will skip GitHub API reads they cannot authenticate.

Analyzer details

Dependency vulnerabilities

Checks changed direct dependency versions against OSV.dev.

dependency (cost class: registry)
Looks at
Added or upgraded dependencies in package.json, requirements.txt, and go.mod diffs.
Reports
Known CVEs with severity, advisory id, summary, and fixed version when OSV publishes one.
Network
Calls OSV.dev. No GitHub token required.
Operational note
Manifest-only by design; use lockfileDrift for transitive lockfile changes.
Profiles
fast, balanced, deep
Requirements
files, public-network

Lockfile drift

Finds vulnerable transitive dependency versions introduced only through lockfile changes.

lockfileDrift (cost class: registry)
Looks at
package-lock.json, yarn.lock, and poetry.lock patches, excluding packages already named in a changed manifest.
Reports
Lockfile line, package/version, ecosystem, direction, and OSV vulnerability details.
Network
Calls OSV.dev querybatch. No GitHub token required.
Operational note
Useful when a PR does not touch a top-level manifest but changes resolved dependency pins.
Profiles
fast, balanced, deep
Requirements
files, public-network

Hardcoded secrets

Scans added diff lines for credential-shaped values.

secret (cost class: local)
Looks at
Added lines in every changed file patch.
Reports
File, line, secret kind, and confidence. The matched value is never returned.
Network
Pure local analyzer. No external network call.
Operational note
High-confidence patterns are treated as rotate-and-remove candidates; generic assignments stay verify-first.
Profiles
fast, balanced, deep
Requirements
files

Dependency licenses

Checks licenses for newly added or upgraded dependencies.

license (cost class: registry)
Looks at
The same direct dependency changes used by the dependency analyzer.
Reports
Copyleft or unknown license classifications that need maintainer compatibility review.
Network
Calls deps.dev. No GitHub token required.
Operational note
Permissive and otherwise-known licenses are intentionally silent.
Profiles
fast, balanced, deep
Requirements
files, public-network

npm install scripts

Flags npm packages that run lifecycle hooks during install.

installScript (cost class: registry)
Looks at
New or upgraded npm dependencies.
Reports
Package, version, hook names, and publish date when available.
Network
Calls the npm registry. No GitHub token required.
Operational note
The script body is not returned, which keeps the brief compact and non-executable.
Profiles
fast, balanced, deep
Requirements
files, public-network

Heavy dependencies used trivially

Flags materially heavy npm dependencies used only a few times in changed lines.

heavyDependency (cost class: registry)
Looks at
New or upgraded npm dependencies plus direct uses in added lines.
Reports
Package size, dependency count, usage count, and line-cited usage locations.
Network
Calls Bundlephobia. No GitHub token required.
Operational note
Only reports packages with trivial direct usage so the finding stays actionable.
Profiles
fast, balanced, deep
Requirements
files, public-network

Unpinned GitHub Actions

Detects third-party workflow actions pinned to mutable tags or branches.

actionPin (cost class: local)
Looks at
Added uses: lines in .github/workflows YAML patches.
Reports
Workflow file, line, action, and mutable ref.
Network
Pure local analyzer. No external network call.
Operational note
Official actions/* and github/* actions are excluded to keep the signal focused.
Profiles
fast, balanced, deep
Requirements
files
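An added example (not REES's own code) of the unpinned-action check described above: it walks a unified-diff patch for a workflow file and reports added `uses:` lines that reference a third-party action by tag or branch rather than a full commit SHA. The sample patch is constructed, and the finding shape is this example's own.

```javascript
// Added example, not REES code: detect added workflow steps that pin a
// third-party action to a mutable ref (tag or branch) instead of a 40-hex SHA.
const WORKFLOW_PATH = /^\.github\/workflows\/.+\.ya?ml$/;
const USES_LINE = /^\+\s*-?\s*uses:\s*['"]?([^\s'"#]+)/;
const FULL_SHA = /^[0-9a-f]{40}$/;
const FIRST_PARTY = /^(?:actions|github)\//;          // excluded, as documented
const REPO_ACTION = /^[A-Za-z0-9_][A-Za-z0-9_.-]*\/[A-Za-z0-9_.\/-]+$/; // owner/repo[/path]

// Returns {file, line, action, ref} for each added third-party action that is
// not pinned to a full commit SHA. Local (./...) and docker:// actions are not
// repo actions and are skipped.
function findUnpinnedActions(file, patch) {
  if (!WORKFLOW_PATH.test(file)) return [];
  const findings = [];
  let line = 0; // head-side line number of the current diff line
  for (const raw of patch.split('\n')) {
    const hunk = raw.match(/^@@ -\d+(?:,\d+)? \+(\d+)/);
    if (hunk) { line = Number(hunk[1]); continue; }
    if (raw.startsWith('-') || raw.startsWith('\\')) continue; // removed lines do not exist at head
    const m = raw.match(USES_LINE);
    if (m) {
      const [action, ref] = m[1].split('@');
      const pinned = ref !== undefined && FULL_SHA.test(ref);
      if (REPO_ACTION.test(action) && !FIRST_PARTY.test(action) && !pinned) {
        findings.push({ file, line, action, ref: ref ?? null });
      }
    }
    line += 1;
  }
  return findings;
}

// Constructed patch: one first-party tag, two mutable third-party refs, one SHA pin, one local action.
const SAMPLE_PATCH = [
  '@@ -10,4 +10,7 @@ jobs:',
  '       - uses: actions/checkout@v4',
  '+      - uses: actions/setup-node@v4',
  '+      - uses: some-org/deploy-action@v2',
  '+      - uses: some-org/lint-action@main',
  '+      - uses: some-org/scan-action@0123456789abcdef0123456789abcdef01234567',
  '+      - uses: ./.github/actions/local-thing',
  '       - run: npm ci',
].join('\n');

console.log(findUnpinnedActions('.github/workflows/ci.yml', SAMPLE_PATCH));
```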

End-of-life runtimes

Checks changed runtime and base-image pins against EOL calendars.

eol (cost class: registry)
Looks at
Dockerfile FROM lines, version-manager pin files (.nvmrc, .python-version, …), Heroku runtime.txt, Gemfile ruby directives, and go.mod runtime pins.
Reports
File, product, version, EOL date, and whether the release is already EOL or close to EOL.
Network
Calls endoflife.date. No GitHub token required.
Operational note
Only changed pins are checked; existing old runtimes outside the PR are not reported.
Profiles
fast, balanced, deep
Requirements
files, public-network

ReDoS-prone regex

Finds newly introduced regex shapes that can catastrophically backtrack.

redos (cost class: local)
Looks at
Regex literals and RegExp constructor string arguments in added lines.
Reports
File, line, and a truncated vulnerable pattern.
Network
Pure local analyzer. No external network call.
Operational note
Structural and precision-first; it flags nested unbounded quantifier shapes such as (a+)+.
Profiles
fast, balanced, deep
Requirements
files

Provenance and committed artifacts

Checks package attestations and reviewability of newly added artifacts.

provenance (cost class: registry)
Looks at
New npm/PyPI dependency versions plus added binary, vendored, and minified files.
Reports
Missing attestations, binary files without reviewable source, and vendored or minified code.
Network
Calls npm and PyPI attestation/provenance endpoints for package checks. Path checks are local.
Operational note
Network failures fail safe; it flags only confident no-attestation responses.
Profiles
fast, balanced, deep
Requirements
files, public-network

CODEOWNERS coverage

Checks whether changed files cross ownership domains not owned by the PR author.

codeowners (cost class: github-light)
Looks at
.github/CODEOWNERS, CODEOWNERS, or docs/CODEOWNERS plus the changed file list.
Reports
Owned files where the PR author is not listed, plus ownership blast-radius context in the rendered brief.
Network
Calls the GitHub API. Requires author plus GitHub token forwarding for private repos.
Operational note
Leave REES_FORWARD_GITHUB_TOKEN unset/false to disable token forwarding; this analyzer will then skip when it cannot read CODEOWNERS.
Profiles
balanced, deep
Requirements
files, author, github-token

Secrets or PII in logs

Flags added code that writes sensitive values to logs or stdout.

secretLog (cost class: local)
Looks at
Added lines that call console, logger, process.stdout, or process.stderr sinks.
Reports
File, line, sink, and category: secret, pii, or request-object.
Network
Pure local analyzer. No external network call.
Operational note
String log messages are stripped before matching, so ordinary prose like password reset is not enough to trigger.
Profiles
fast, balanced, deep
Requirements
files
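An added example (not REES's own code) of the sink detection and category matching the secretLog entry describes, including the string-stripping step that keeps prose such as `password reset` from triggering while still catching a template-literal interpolation. The sink list, the identifier tables and the sample lines are constructed for this example.

```javascript
// Added example, not REES code: the sink detection and category matching
// the secretLog entry describes. Inputs are constructed added diff lines.
const SINK = /\b(console\.(?:log|info|warn|error|debug|trace)|logger\.\w+|process\.std(?:out|err)\.write)\s*\(/;

// Category table, checked in this order (secret outranks pii outranks request-object).
const CATEGORIES = [
  ['secret', /\b(?:password|passwd|secret|token|api_?key|authorization|private_?key)\b/i],
  ['pii', /\b(?:email|ssn|phone|date_?of_?birth|home_?address)\b/i],
  ['request-object', /\b(?:req|request)(?:\.(?:body|headers|cookies))?\s*[,)]/],
];

// Strip string-literal text so prose such as 'password reset' cannot match,
// but keep template-literal interpolations: `${session.token}` is data, not prose.
function stripStrings(code) {
  return code
    .replace(/`((?:\\.|[^`\\])*)`/g, (_, body) => {
      const exprs = [...body.matchAll(/\$\{([^}]*)\}/g)].map((m) => m[1]);
      return `(${exprs.join(', ')})`;
    })
    .replace(/'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*"/g, '""');
}

// Returns {file, line, sink, category} for each added line that logs a
// sensitive identifier. The matched text itself is never part of a finding.
function scanLogSinks(file, addedLines) {
  const findings = [];
  for (const { line, text } of addedLines) {
    const sink = text.match(SINK);
    if (!sink) continue;
    const args = stripStrings(text.slice(sink.index + sink[0].length));
    const hit = CATEGORIES.find(([, re]) => re.test(args));
    if (hit) findings.push({ file, line, sink: sink[1], category: hit[0] });
  }
  return findings;
}

// Constructed sample: head-side line numbers of added lines in one file.
const SAMPLE_ADDED = [
  { line: 12, text: "logger.info('password reset requested', userId);" }, // prose only: silent
  { line: 18, text: 'console.log(`token=${session.token}`);' },          // secret via interpolation
  { line: 23, text: "console.log('user', user.email);" },                 // pii
  { line: 31, text: 'logger.debug(req);' },                               // whole request object
  { line: 32, text: 'logger.debug(req.id);' },                            // harmless field: silent
  { line: 40, text: 'const secret = loadSecret();' },                     // no sink: skipped
];

console.log(scanLogSinks('src/auth.ts', SAMPLE_ADDED));
```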

Heavy binary assets

Finds large binary assets added to a PR, and growth deltas when base size is available.

assetWeight (cost class: github-heavy)
Looks at
Changed binary assets such as images, fonts, archives, PDFs, videos, and compiled binaries.
Reports
Path, size, delta, and whether the asset was added or grown.
Network
Calls the GitHub API. Requires headSha and GitHub token forwarding for private repos.
Operational note
Added asset detection works from headSha. Growth comparison needs baseSha in the enrichment request.
Profiles
balanced, deep
Requirements
files, github-token, head-sha

Typosquat and dependency-confusion risk

Checks newly added dependency names for near-miss and publicly claimable package names.

typosquat (cost class: registry)
Looks at
Newly added npm and PyPI dependency names.
Reports
Typosquat matches against popular packages, or unscoped names missing from the public registry.
Network
Uses bundled popular-package lists plus npm/PyPI registry lookups for dependency-confusion checks.
Operational note
Scoped npm packages are treated as namespace-protected and are not flagged as typosquats.
Profiles
fast, balanced, deep
Requirements
files, public-network

Head commit signature

Checks head commit signature and public author provenance.

commitSignature (cost class: github-light)
Looks at
The head commit plus a bounded slice of recent repository commit history.
Reports
GitHub signature verification reason and public boolean provenance flags.
Network
Calls the GitHub API. Requires headSha and GitHub token forwarding for private repos.
Operational note
Does not expose emails or private identity data; only public GitHub commit facts are surfaced.
Profiles
balanced, deep
Requirements
github-token, head-sha

IaC / config misconfiguration

Flags risky IaC/config changes such as public buckets or insecure CORS.

iacMisconfig (cost class: local)
Looks at
Added lines in Docker, Terraform, YAML, JSON, and similar config files.
Reports
File, line, and public-safe rule kind.
Network
Pure local analyzer. No external network call.
Operational note
Reports configuration shapes only; it does not inspect private runtime config.
Profiles
fast, balanced, deep
Requirements
files

Native-build dependencies

Flags newly-added dependencies that compile native code or ship sdist-only builds.

nativeBuild (cost class: registry)
Looks at
New npm/PyPI dependency versions.
Reports
Package, version, ecosystem, native-build kind, and public-safe reason.
Network
Calls npm and PyPI registries. No GitHub token required.
Operational note
Registry JSON is capped so large package metadata cannot monopolize REES memory.
Profiles
fast, balanced, deep
Requirements
files, public-network

Author and change-area history

Shows public author track record, same-file PR history, and linked-issue alignment.

history (cost class: github-heavy)
Looks at
The PR author, changed file paths, linked issue text, added diff lines, and bounded GitHub history lookups.
Reports
Prior PR counts, similar past PRs, linked issue coverage, and partial/degraded status.
Network
Calls GitHub API with bounded fanout. Requires author plus GitHub token forwarding for private repos.
Operational note
Returns partial findings when GitHub lookups are skipped, capped, or budget-exhausted.
Profiles
balanced, deep
Requirements
files, github-token, author

Doc-comment drift

Flags a JSDoc/TSDoc @param that names a parameter the PR removed or renamed but left documented.

docCommentDrift (cost class: github-light)
Looks at
Changed TS/JS source files at headSha, comparing each named function's old vs new parameter list.
Reports
File, line, function, and the stale parameter name(s).
Network
Calls the GitHub API for changed file contents. Requires headSha and token forwarding for private repos.
Operational note
Conservative: only named function declarations with confidently-enumerable params; non-parameter signature edits are not reported.
Profiles
balanced, deep
Requirements
files, github-token, head-sha

Near-verbatim duplicated code

Flags added code that is a near-verbatim duplicate of a block already present elsewhere in the repo.

duplication (cost class: github-light)
Looks at
Added diff hunks in changed source files compared against same-extension repo files fetched from the git tree at headSha.
Reports
The head file:line, the existing source file:line it duplicates, and the matched line count.
Network
Calls the GitHub API for the git tree and candidate blobs. Requires headSha and token forwarding for private repos.
Operational note
Conservative: trivial/boilerplate lines are dropped and a long contiguous run is required, so incidental overlap is not flagged. Never returns code content.
Profiles
balanced, deep
Requirements
files, github-token, head-sha

Churn hotspots

Flags changed files that are statistical fragility hotspots — high commit frequency and a high fix/revert fraction.

churnHotspot (cost class: github-heavy)
Looks at
Each changed file's recent commit history (a 90-day window), excluding lockfiles, generated output, and binaries.
Reports
File, commit count, fix/revert count, and the window — counts only, never file contents.
Network
Calls the GitHub commits API once per probed file. Requires GitHub token forwarding for private repos.
Operational note
Distinct from the history analyzer's author track record; this scores the change AREA's defect density.
Profiles
balanced, deep
Requirements
files, github-token

Review/approval integrity

Flags review/approval integrity signals: an APPROVED review that predates the current head commit, the author approving their own PR, and a reviewer whose current review is still CHANGES_REQUESTED.

approvalIntegrity (cost class: github-light)
Looks at
The PR's reviews (walked page by page, bounded), reduced to each reviewer's most recent submitted review — GitHub's own semantics for a reviewer's current vote.
Reports
Reviewer login, the finding kind, and (for a stale approval) a short commit-SHA prefix — never review body text.
Network
Calls the GitHub PR-reviews API, paginated and bounded to a fixed page cap.
Operational note
Structured-fields-only: reads state/commit_id/user.login/submitted_at, never diff or review-body text. Fail-safe on missing token/head SHA/fetch error.
Profiles
balanced, deep
Requirements
github-token, head-sha
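An added example (not REES's own code) of the reduction and finding rules the approvalIntegrity entry describes: collapse a PR's reviews to each reviewer's latest submitted vote, then flag a stale approval, a self-approval, and an outstanding CHANGES_REQUESTED, failing safe when the token or head SHA is missing. The reviews payload is constructed to mirror the GitHub fields named above (state, commit_id, user.login, submitted_at); the finding names and the treatment of COMMENTED and DISMISSED reviews are this example's own reading of GitHub's review semantics.

```javascript
// Added example, not REES code: reduce PR reviews to each reviewer's current
// vote and derive the three approval-integrity findings documented above.

// Latest submitted review per reviewer. A COMMENTED review does not replace an
// existing vote; PENDING reviews (no submitted_at) are not submitted at all.
function latestReviewPerReviewer(reviews) {
  const latest = new Map();
  for (const r of reviews) {
    if (!r.user?.login || !r.submitted_at || r.state === 'COMMENTED') continue;
    const prev = latest.get(r.user.login);
    if (!prev || new Date(r.submitted_at) > new Date(prev.submitted_at)) latest.set(r.user.login, r);
  }
  return latest;
}

// Returns { status, findings }. Findings carry only login, kind and a short
// SHA prefix; review bodies are never copied out.
function approvalIntegrity({ reviews, headSha, author, token }) {
  if (!token || !headSha || !Array.isArray(reviews)) return { status: 'skipped', findings: [] };
  const findings = [];
  for (const [login, r] of latestReviewPerReviewer(reviews)) {
    if (r.state === 'APPROVED' && r.commit_id !== headSha) {
      findings.push({ reviewer: login, kind: 'stale-approval', commit: (r.commit_id ?? '').slice(0, 7) });
    }
    if (r.state === 'APPROVED' && login === author) {
      findings.push({ reviewer: login, kind: 'self-approval' });
    }
    if (r.state === 'CHANGES_REQUESTED') {
      findings.push({ reviewer: login, kind: 'changes-requested' });
    }
  }
  return { status: 'ok', findings };
}

// Constructed sample data (SHAs and logins are placeholders).
const HEAD_SHA = 'f0e1d2c3b4a5968778695a4b3c2d1e0f12345678';
const OLD_SHA = '0123456789abcdef0123456789abcdef01234567';
const SAMPLE_REVIEWS = [
  { user: { login: 'alice' }, state: 'APPROVED', commit_id: OLD_SHA, submitted_at: '2024-05-01T10:00:00Z', body: 'LGTM' },
  { user: { login: 'bob' }, state: 'CHANGES_REQUESTED', commit_id: OLD_SHA, submitted_at: '2024-05-01T11:00:00Z', body: 'please fix' },
  { user: { login: 'bob' }, state: 'COMMENTED', commit_id: HEAD_SHA, submitted_at: '2024-05-02T09:00:00Z', body: 'nit' },
  { user: { login: 'carol' }, state: 'APPROVED', commit_id: HEAD_SHA, submitted_at: '2024-05-02T10:00:00Z', body: '' },
  { user: { login: 'dave' }, state: 'PENDING', commit_id: HEAD_SHA, submitted_at: null, body: '' },
  { user: { login: 'ann' }, state: 'APPROVED', commit_id: OLD_SHA, submitted_at: '2024-05-01T12:00:00Z', body: '' },
  { user: { login: 'ann' }, state: 'DISMISSED', commit_id: OLD_SHA, submitted_at: '2024-05-02T11:00:00Z', body: '' },
];

console.log(approvalIntegrity({ reviews: SAMPLE_REVIEWS, headSha: HEAD_SHA, author: 'carol', token: 'constructed-token' }));
```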

CI check-run signals

Flags a named check that only went green after one or more earlier non-success attempts at the current head commit, and any completed check run whose duration crossed a fixed threshold.

ciCheckSignals (cost class: github-light)
Looks at
The head commit's check-runs (one bounded page), grouped by name and ordered by start time.
Reports
Check name and either the count of failed attempts before success, or the run's duration in minutes — never logs or output.
Network
Calls the GitHub check-runs API once, bounded to one page.
Operational note
Structured-fields-only: reads name/status/conclusion/started_at/completed_at, never check output or logs. Fail-safe on missing token/head SHA/fetch error.
Profiles
balanced, deep
Requirements
github-token, head-sha

Undocumented public exports

Flags exports newly added to a package's public entrypoint (an index.* barrel) that ship with no adjacent doc comment.

undocumentedExport (cost class: github-light)
Looks at
Direct `export const/let/var/function/class/interface/type/enum` declarations added to changed index.* files, checked against the file fetched at headSha.
Reports
File, line, and symbol name of each undocumented added export — never file contents.
Network
One GitHub contents fetch per changed entrypoint (at headSha). Requires GitHub token forwarding for private repos.
Operational note
Conservative: re-export lists (`export { x }`) and `export *` are ignored; a preceding `//` line (except tool directives like `eslint-disable`) or a real JSDoc `/**` block counts as documented (a plain `/* … */` block does not).
Profiles
balanced, deep
Requirements
files, github-token, head-sha

Stale branch signal

Flags a PR whose head is significantly behind the repo's current default branch — a staleness risk a clean `mergeable` check alone would not surface.

staleBranch (cost class: github-light)
Looks at
The repo's current default branch and how many commits behind it the PR's head is (the GitHub compare API).
Reports
The default branch name and the commit count behind it — never commit content.
Network
Calls the GitHub repo API once and the compare API once.
Operational note
Structured-fields-only: reads default_branch and behind_by, never diff or commit text. Fail-safe on missing token/head SHA/either fetch failing.
Profiles
balanced, deep
Requirements
github-token, head-sha

Commit-history hygiene

Flags commit-history hygiene issues: a merge commit pulled into the PR's own history, a commit left with git's fixup!/squash! autosquash marker, and a commit carrying a Co-authored-by trailer.

commitHygiene (cost class: github-light)
Looks at
The PR's commits (one bounded page) — each commit's message subject/trailers and parent count.
Reports
A short commit-SHA prefix, the finding kind, and (for fixup/co-author) the subject line or co-author — never full diff/file content.
Network
Calls the GitHub PR-commits API once, bounded to one page.
Operational note
Structured-fields-only: reads commit.message and parents, matched one line at a time, never cross-line state. Fail-safe on missing token/fetch error.
Profiles
balanced, deep
Requirements
github-token

Pending review-request staleness

Flags a reviewer or team whose review request has been outstanding 48+ hours with no response yet.

pendingReviewRequests (cost class: github-light)
Looks at
The PR's currently pending requested reviewers/teams, matched against the issue timeline's review_requested events (bounded, page-confirmed complete).
Reports
The reviewer login (or team:slug) and hours pending — never review content.
Network
Calls the GitHub requested-reviewers API once and the issue-timeline API, paginated and bounded to a fixed page cap.
Operational note
Structured-fields-only: reads user.login/team.slug/event/created_at, never diff or comment text. Fail-safe on missing token/fetch error/an unconfirmed-complete timeline.
Profiles
balanced, deep
Requirements
github-token

Test-to-code ratio

Flags a PR whose source change is material but ships with disproportionately little (or zero) accompanying test change.

testRatio (cost class: local)
Looks at
Each changed file's path (classified source vs test by naming convention) and added-line count.
Reports
Source/test added-line and file counts and the resulting ratio — never file content.
Network
Pure local analyzer. No external network call.
Operational note
A cheap, always-available complement to the coverage-delta analyzer: works even when no CI coverage artifact exists.
Profiles
fast, balanced, deep
Requirements
files

SQL migration safety

Flags risky schema operations in added migration SQL: drops, renames, non-nullable columns without a default, and blocking table rewrites.

migrationSafety (cost class: local)
Looks at
Added lines in migration paths (migrations/, db/migrate/, *.sql).
Reports
File, line, and public-safe rule kind — never SQL content.
Network
Pure local analyzer. No external network call.
Operational note
Detection covers line-anchored, single-statement shapes only; statements split across lines are skipped rather than tracked with cross-line state.
Profiles
fast, balanced, deep
Requirements
files

Loose dependency version range

Flags newly-added npm dependency specifiers that use dangerously loose ranges instead of a pinned/caret/tilde range.

looseRange (cost class: local)
Looks at
Added specifier lines in package.json patches.
Reports
Manifest file, line, package, raw specifier, and loose-range kind.
Network
Pure local analyzer. No external network call.
Operational note
Judges only the version specifier, never the package; wildcard, latest, unbounded >=, and bare-major ranges let any future publish flow into the next install.
Profiles
fast, balanced, deep
Requirements
files
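An added example (not REES's own code) of the specifier classification described above, applied to added lines of a package.json patch: wildcard, latest, unbounded `>=` and bare-major specifiers are reported, while pinned, caret and tilde ranges stay silent. The dependency-block tracking, the kind names and the sample patch are this example's own.

```javascript
// Added example, not REES code: classify npm version specifiers added in a
// package.json patch and report the loose kinds named on this page.
const DEP_BLOCK = /^[+ ]?\s*"(?:dependencies|devDependencies|optionalDependencies|peerDependencies)":\s*\{/;
const DEP_LINE = /^\+\s*"([^"]+)":\s*"([^"]*)"/;

// Returns a loose-range kind, or null when the specifier is pinned, caret,
// tilde, bounded, or something other than a version range (git URL, file:, tag).
function classifySpecifier(spec) {
  const s = spec.trim();
  if (s === '' || s === '*' || /^x$/i.test(s)) return 'wildcard';      // empty string means * to npm
  if (s === 'latest') return 'latest';                                  // dist-tag, resolves differently every install
  if (/^>=?\s*[\d.xX*]+$/.test(s)) return 'unbounded-lower';           // >=1.0.0 with no upper bound
  if (/^\d+(?:\.[xX*])?(?:\.[xX*])?$/.test(s)) return 'bare-major';    // 1, 1.x, 1.*
  return null;
}

// Walks a unified diff of package.json, tracking whether the current line sits
// inside a dependency block so top-level keys such as "version" are never judged.
// Limitation (assumption of this example): a hunk that starts mid-block without
// the "dependencies": { opener is not recognised.
function findLooseRanges(file, patch) {
  if (!/(?:^|\/)package\.json$/.test(file)) return [];
  const findings = [];
  let line = 0;
  let inDeps = false;
  for (const raw of patch.split('\n')) {
    const hunk = raw.match(/^@@ -\d+(?:,\d+)? \+(\d+)/);
    if (hunk) { line = Number(hunk[1]); continue; }
    if (raw.startsWith('-') || raw.startsWith('\\')) continue;
    if (DEP_BLOCK.test(raw)) {
      inDeps = true;
    } else if (inDeps && /^[+ ]?\s*\}/.test(raw)) {
      inDeps = false;
    } else if (inDeps) {
      const m = raw.match(DEP_LINE);
      if (m) {
        const kind = classifySpecifier(m[2]);
        if (kind) findings.push({ file, line, package: m[1], specifier: m[2], kind });
      }
    }
    line += 1;
  }
  return findings;
}

// Constructed patch: four loose specifiers, one tilde range, two unchanged context pins.
const SAMPLE_PATCH = [
  '@@ -5,8 +5,13 @@',
  '   "version": "1.4.0",',
  '   "dependencies": {',
  '     "express": "^4.19.2",',
  '+    "left-pad": "*",',
  '+    "lodash": "latest",',
  '+    "semver": ">=7",',
  '+    "chalk": "5",',
  '+    "zod": "~3.23.8",',
  '     "debug": "4.3.4"',
  '   },',
].join('\n');

console.log(findLooseRanges('package.json', SAMPLE_PATCH));
```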

Non-inclusive terminology

Flags non-inclusive terms newly added in identifiers or comments (whitelist/blacklist, master/slave) and suggests the neutral replacement.

terminology (cost class: local)
Looks at
Added lines in any changed file, tokenized on camelCase/snake_case/word boundaries.
Reports
File, line, the matched term, and the suggested replacement.
Network
Pure local analyzer. No external network call.
Operational note
Token-based matching avoids substring false positives (masterclass/postmaster are never flagged), and URLs are skipped. The term→suggestion table is a bounded in-file policy.
Profiles
fast, balanced, deep
Requirements
files

Incomplete-work markers

Surfaces TODO/FIXME/HACK/XXX markers a PR adds in comments, so a reviewer sees the change is shipping known-incomplete work.

todoMarker (cost class: local)
Looks at
Added lines with an uppercase, comment-anchored marker across any changed file.
Reports
File, line, tag, and a truncated note.
Network
Pure local analyzer. No external network call.
Operational note
Precision-first: only UPPERCASE, comment-anchored markers are reported (a lowercase `todo` identifier or a marker inside a string literal is never flagged); a bare marker inside a multi-line block comment is intentionally not matched.
Profiles
fast, balanced, deep
Requirements
files

Magic numbers

Flags newly-added non-trivial numeric literals in non-test source where a named constant would clarify intent.

magicNumber (cost class: local)
Looks at
Added lines in source files, excluding tests, strings, comments, trivial sentinels/scales, named constants, array indexes, and enum-like initializers.
Reports
File, line, and numeric literal text only.
Network
Pure local analyzer. No external network call.
Operational note
Precision-first: common values such as 0, 1, -1, 2, 100, 1000, and powers of ten are silent.
Profiles
fast, balanced, deep
Requirements
files

Leftover conflict markers

Flags leftover VCS conflict markers (`<<<<<<<`, `|||||||`, `=======`, `>>>>>>>`) accidentally committed in added lines.

conflictMarker (cost class: local)
Looks at
Added lines in every changed file.
Reports
File, line, and the marker shape — never line content.
Network
Pure local analyzer. No external network call.
Operational note
Structural: an exactly-seven-character marker run at column 0. The ambiguous `=======` separator is not flagged in Markdown/AsciiDoc files, where it is a legitimate section rule.
Profiles
fast, balanced, deep
Requirements
files

Conventional-commit subjects

Lints the PR's commit subjects against the Conventional Commits spec and flags non-conforming subjects (bad/absent type, over-long, or empty).

commitLint (cost class: github-light)
Looks at
The PR's commits (one bounded page) — each commit's message subject line.
Reports
A short commit-SHA prefix, the subject line, and the failing reason — never full diff/file content.
Network
Calls the GitHub PR-commits API once, bounded to one page.
Operational note
Structured-fields-only: reads commit.message subjects, linted independently, never cross-line state. Fail-safe on missing token/fetch error.
Profiles
balanced, deep
Requirements
github-token

Unsafe `any` usage

Counts and locates explicit `any` usages (`: any`, `as any`, `<any>`) newly added in TypeScript diffs.

unsafeAny (cost class: local)
Looks at
Added lines of changed .ts/.tsx files (ambient .d.ts skipped); string- and comment-only occurrences are stripped.
Reports
File, line, and the `any` kind (annotation / cast / assertion) — never surrounding contents.
Network
Pure local analyzer. No external network call.
Operational note
Structural regex only — no type-checker — so it is a type-safety-erosion hint, not a definitive count.
Profiles
fast, balanced, deep
Requirements
files

Back to REES setup

Use REES enrichment for enablement, auth, troubleshooting, and where the brief appears in the review result.