
REES analyzer reference

Every analyzer name you can put in REES_ANALYZERS, what it inspects, what it reports, and whether it needs network or GitHub token access.

REES runs analyzers independently: a failed analyzer is marked degraded, completed analyzers still return their findings, and an empty result produces no user-facing brief. Use exact analyzer names in REES_ANALYZERS; a list containing only misspelled names fails closed with no analyzers selected. Leave REES_PROFILE unset for the balanced profile, or set fast during incidents to favor local and low-cost registry checks.

.env
# Unset, all, or * runs the full registry.
REES_ANALYZERS=all

# A subset runs only the named analyzers.
REES_ANALYZERS=secret,actionPin,redos

# Invalid names are ignored; if none are valid, REES runs no analyzers.
REES_ANALYZERS=unknownName
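The selection rules above, written out as an added example (not REES project code) so an operator can see exactly what a given REES_ANALYZERS value resolves to and catch a fail-closed typo at startup. The registry names are the ones listed on this page; parseAnalyzerSelection and describeSelection are assumed names, and treating only the lowercase spellings all and * as the full-registry sentinels is an assumption drawn from the documented examples.

```javascript
// Added example, not REES project code: the REES_ANALYZERS selection rules
// applied to the registry names listed on this page.
// parseAnalyzerSelection and describeSelection are assumed names.

const ANALYZER_REGISTRY = [
  "dependency", "lockfileDrift", "secret", "license", "installScript",
  "heavyDependency", "actionPin", "eol", "redos", "provenance",
  "codeowners", "secretLog", "assetWeight", "typosquat", "commitSignature",
  "iacMisconfig", "nativeBuild", "history", "docCommentDrift", "duplication",
];

// Resolve a raw REES_ANALYZERS value to { selected, ignored }:
//   unset, "", "all", "*"   -> every registered analyzer
//   "a,b,c"                  -> exact, case-sensitive matches only
//   unknown names            -> dropped and listed in `ignored`
//   nothing valid left       -> selected is [] (fail closed: run nothing)
function parseAnalyzerSelection(rawValue, registry = ANALYZER_REGISTRY) {
  const value = (rawValue ?? "").trim();
  if (value === "" || value === "all" || value === "*") {
    return { selected: [...registry], ignored: [] };
  }
  const known = new Set(registry);
  const selected = [];
  const ignored = [];
  for (const token of value.split(",")) {
    const name = token.trim();
    if (name === "") continue;                          // tolerate "a,,b" and a trailing comma
    if (!known.has(name)) { ignored.push(name); continue; }
    if (!selected.includes(name)) selected.push(name); // keep the first occurrence only
  }
  return { selected, ignored };
}

// Startup summary an operator can wire into logging, so a typo does not
// silently turn the whole registry off.
function describeSelection(rawValue) {
  const { selected, ignored } = parseAnalyzerSelection(rawValue);
  const parts = [`${selected.length} analyzer(s) selected`];
  if (ignored.length) parts.push(`ignored unknown: ${ignored.join(", ")}`);
  if (selected.length === 0) parts.push("WARNING: no valid analyzers, REES will run none");
  return parts.join("; ");
}
```

Run describeSelection(process.env.REES_ANALYZERS) once at boot and log the result; a line ending in the WARNING is the fail-closed case from the third .env example above.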

Profiles

fast

Cost classes
local, registry
Concurrency caps
local:8, registry:2
Response reserve
500 ms

balanced (default)

Cost classes
local, registry, github-light, github-heavy, tooling
Concurrency caps
local:8, registry:3, github-light:2, github-heavy:1, tooling:1
Response reserve
750 ms

deep

Cost classes
local, registry, github-light, github-heavy, tooling
Concurrency caps
local:8, registry:4, github-light:2, github-heavy:1, tooling:1
Response reserve
1000 ms
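To show how the profile table and the independent-analyzer rule fit together, here is an added example runner (not REES project code). The profile values and each analyzer's cost class are taken from this page; the runner itself, its function names (resolveProfile, groupByCostClass, makeLimiter, runAnalyzers, runOne) and the way the response reserve is turned into a per-request deadline are assumptions. Each analyzer runs under its cost class's concurrency cap; a throw, a missing implementation or the deadline marks only that analyzer degraded, and an empty set of findings yields no brief.

```javascript
// Added example, not REES project code. Profile numbers and cost classes
// come from this page; the scheduling logic and names are assumptions.

const PROFILES = {
  fast: {
    classes: ["local", "registry"],
    caps: { local: 8, registry: 2 },
    reserveMs: 500,
  },
  balanced: {
    classes: ["local", "registry", "github-light", "github-heavy", "tooling"],
    caps: { local: 8, registry: 3, "github-light": 2, "github-heavy": 1, tooling: 1 },
    reserveMs: 750,
  },
  deep: {
    classes: ["local", "registry", "github-light", "github-heavy", "tooling"],
    caps: { local: 8, registry: 4, "github-light": 2, "github-heavy": 1, tooling: 1 },
    reserveMs: 1000,
  },
};

// Cost class per analyzer, from the badges in "Analyzer details".
const COST_CLASS = {
  dependency: "registry", lockfileDrift: "registry", secret: "local",
  license: "registry", installScript: "registry", heavyDependency: "registry",
  actionPin: "local", eol: "registry", redos: "local", provenance: "registry",
  codeowners: "github-light", secretLog: "local", assetWeight: "github-heavy",
  typosquat: "registry", commitSignature: "github-light", iacMisconfig: "local",
  nativeBuild: "registry", history: "github-heavy", docCommentDrift: "github-light",
  duplication: "github-light",
};

// Unset REES_PROFILE means balanced; an unknown value falls back to it too.
function resolveProfile(name) {
  return PROFILES[name] ?? PROFILES.balanced;
}

// Keep only analyzers whose cost class the profile runs (fast has no
// github-* or tooling classes), grouped by class.
function groupByCostClass(names, profile) {
  const groups = {};
  for (const name of names) {
    const cls = COST_CLASS[name];
    if (!cls || !profile.classes.includes(cls)) continue;
    (groups[cls] ??= []).push(name);
  }
  return groups;
}

// Per-class limiter: at most `cap` tasks in flight; a finishing task hands
// its slot straight to the next waiter.
function makeLimiter(cap) {
  let active = 0;
  const waiting = [];
  return async (task) => {
    if (active < cap) active++;
    else await new Promise((wake) => waiting.push(wake));
    try {
      return await task();
    } finally {
      const next = waiting.shift();
      if (next) next(); else active--;
    }
  };
}

// One analyzer. Any failure degrades this analyzer only; siblings keep theirs.
async function runOne(name, impl, deadline) {
  let timer;
  try {
    if (typeof impl !== "function") throw new Error("not implemented");
    const remaining = deadline - Date.now();
    if (remaining <= 0) throw new Error("deadline");
    const onDeadline = new Promise((_, reject) => {
      timer = setTimeout(() => reject(new Error("deadline")), remaining);
    });
    const findings = await Promise.race([Promise.resolve().then(impl), onDeadline]);
    return { name, status: "ok", findings: Array.isArray(findings) ? findings : [] };
  } catch (err) {
    return { name, status: "degraded", findings: [], reason: err.message };
  } finally {
    clearTimeout(timer);
  }
}

// budgetMs is the caller's whole response budget; the profile reserve is
// held back so the brief can still be rendered after analyzers stop.
async function runAnalyzers(names, analyzers, { profile, budgetMs = 5000 } = {}) {
  const prof = resolveProfile(profile);
  const deadline = Date.now() + Math.max(0, budgetMs - prof.reserveMs);
  const limiters = Object.fromEntries(prof.classes.map((c) => [c, makeLimiter(prof.caps[c])]));
  const runs = [];
  for (const [cls, members] of Object.entries(groupByCostClass(names, prof))) {
    for (const name of members) runs.push(limiters[cls](() => runOne(name, analyzers[name], deadline)));
  }
  const results = await Promise.all(runs);
  const findings = results.flatMap((r) => r.findings);
  const brief = findings.length
    ? results.map((r) => `${r.name}: ${r.status}${r.reason ? ` (${r.reason})` : ` (${r.findings.length})`}`).join("\n")
    : null;
  return { results, findings, brief };
}
```

The deadline is measured from the request start, not from when a queued analyzer gets its slot, so an analyzer that waits behind the registry cap is still bounded by the same reserve; its timer only stops the wait, the underlying promise is left to settle on its own.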

All analyzer names

REES_ANALYZERS names
dependency
lockfileDrift
secret
license
installScript
heavyDependency
actionPin
eol
redos
provenance
codeowners
secretLog
assetWeight
typosquat
commitSignature
iacMisconfig
nativeBuild
history
docCommentDrift
duplication

Network and token model

Pure analyzers
secret, actionPin, redos, secretLog, and iacMisconfig work only from the diff/files sent to REES.
Public registry analyzers
dependency, lockfileDrift, license, installScript, heavyDependency, eol, provenance, typosquat, and nativeBuild call public package or lifecycle APIs.
GitHub API analyzers
codeowners, assetWeight, commitSignature, and history need author/head metadata and GitHub token forwarding when the repo is private.
If the REES endpoint is outside your trust boundary, set REES_FORWARD_GITHUB_TOKEN=false. REES will still receive the PR diff/files when enabled, but token-aware analyzers will skip GitHub API reads they cannot authenticate.
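An added example (not REES project code) of the gating this model implies: each analyzer's Requirements line from the details below is checked against what one enrichment request actually carries, and analyzers with an unmet requirement are skipped with the reason named. The request shape (files, headSha, author, privateRepo, githubToken, publicNetwork) and the function names are assumptions; so is one policy choice, that forwarding counts as enabled only when REES_FORWARD_GITHUB_TOKEN is exactly "true", which keeps an unset variable on the no-forwarding side.

```javascript
// Added example, not REES project code. Requirement lists are copied from
// the "Analyzer details" entries on this page; everything else is assumed.

const REQUIREMENTS = {
  dependency: ["files", "public-network"],
  lockfileDrift: ["files", "public-network"],
  secret: ["files"],
  license: ["files", "public-network"],
  installScript: ["files", "public-network"],
  heavyDependency: ["files", "public-network"],
  actionPin: ["files"],
  eol: ["files", "public-network"],
  redos: ["files"],
  provenance: ["files", "public-network"],
  codeowners: ["files", "author", "github-token"],
  secretLog: ["files"],
  assetWeight: ["files", "github-token", "head-sha"],
  typosquat: ["files", "public-network"],
  commitSignature: ["github-token", "head-sha"],
  iacMisconfig: ["files"],
  nativeBuild: ["files", "public-network"],
  history: ["files", "github-token", "author"],
  docCommentDrift: ["files", "github-token", "head-sha"],
  duplication: ["files", "github-token", "head-sha"],
};

// What one enrichment request can satisfy. `request.publicNetwork` stands in
// for whether this REES deployment may reach public package APIs at all.
function capabilitiesFor(env, request) {
  const forwarding = env.REES_FORWARD_GITHUB_TOKEN === "true" && Boolean(request.githubToken);
  return {
    files: Array.isArray(request.files) && request.files.length > 0,
    "public-network": request.publicNetwork === true,
    // Public repos are readable without a token; private ones need forwarding.
    "github-token": request.privateRepo !== true || forwarding,
    "head-sha": typeof request.headSha === "string" && request.headSha.length > 0,
    author: typeof request.author === "string" && request.author.length > 0,
  };
}

// Split the selected analyzers into runnable and skipped, naming each unmet
// requirement so the skip is visible in the degraded status, not silent.
function gateAnalyzers(names, env, request) {
  const caps = capabilitiesFor(env, request);
  const eligible = [];
  const skipped = [];
  for (const name of names) {
    const missing = (REQUIREMENTS[name] ?? ["unknown-analyzer"]).filter((req) => !caps[req]);
    if (missing.length === 0) eligible.push(name);
    else skipped.push({ name, missing });
  }
  return { eligible, skipped };
}
```

With a private repo and forwarding off, exactly the six github-token analyzers drop out while the diff still reaches the pure and registry analyzers, which is the behaviour the paragraph above describes for an endpoint outside your trust boundary.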

Analyzer details

Dependency vulnerabilities

Checks changed direct dependency versions against OSV.dev.

dependency (cost class: registry)
Looks at
Added or upgraded dependencies in package.json, requirements.txt, and go.mod diffs.
Reports
Known CVEs with severity, advisory id, summary, and fixed version when OSV publishes one.
Network
Calls OSV.dev. No GitHub token required.
Operational note
Manifest-only by design; use lockfileDrift for transitive lockfile changes.
Profiles
fast, balanced, deep
Requirements
files, public-network

Lockfile drift

Finds vulnerable transitive dependency versions introduced only through lockfile changes.

lockfileDrift (cost class: registry)
Looks at
package-lock.json, yarn.lock, and poetry.lock patches, excluding packages already named in a changed manifest.
Reports
Lockfile line, package/version, ecosystem, direction, and OSV vulnerability details.
Network
Calls OSV.dev querybatch. No GitHub token required.
Operational note
Useful when a PR does not touch a top-level manifest but changes resolved dependency pins.
Profiles
fast, balanced, deep
Requirements
files, public-network

Hardcoded secrets

Scans added diff lines for credential-shaped values.

secret (cost class: local)
Looks at
Added lines in every changed file patch.
Reports
File, line, secret kind, and confidence. The matched value is never returned.
Network
Pure local analyzer. No external network call.
Operational note
High-confidence patterns are treated as rotate-and-remove candidates; generic assignments stay verify-first.
Profiles
fast, balanced, deep
Requirements
files
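An added example (not REES project code) of the reporting contract this entry describes: a scanner over added lines that returns file, line, kind and confidence, splits high-confidence token shapes (rotate-and-remove) from generic credential assignments (verify-first), and never includes the matched value. The pattern table, the placeholder filter and the sample lines are constructed for the example; the AWS key id in the sample is AWS's published example value, and the GitHub token is a made-up string of the right shape.

```javascript
// Added example, not REES project code. Rules, names and sample lines are
// constructed; the point is the redacting output contract.

const HIGH_CONFIDENCE = [
  { kind: "aws-access-key-id", pattern: /\bAKIA[0-9A-Z]{16}\b/ },
  { kind: "github-token", pattern: /\bghp_[A-Za-z0-9]{36}\b/ },
  { kind: "private-key-block", pattern: /-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----/ },
];

// A secret-ish variable assigned a quoted literal of plausible length.
const GENERIC_ASSIGNMENT =
  /\b(password|passwd|pwd|secret|api[_-]?key|access[_-]?token|auth[_-]?token|token)\b\s*[:=]\s*["']([^"']{8,})["']/i;

// Values that are clearly templates rather than material (assumed filter).
function looksLikePlaceholder(value) {
  return /^\$\{|^<[^>]+>$|^%\(|^\{\{|changeme|example|placeholder|xxxx/i.test(value);
}

// addedLines: [{ line, text }] for one file's added diff lines.
// Returns findings without the matched value: the brief must stay safe to share.
function scanAddedLines(file, addedLines) {
  const findings = [];
  for (const { line, text } of addedLines) {
    const high = HIGH_CONFIDENCE.find((rule) => rule.pattern.test(text));
    if (high) {
      findings.push({ file, line, kind: high.kind, confidence: "high", action: "rotate-and-remove" });
      continue;                                   // one finding per line is enough
    }
    const generic = GENERIC_ASSIGNMENT.exec(text);
    if (generic && !looksLikePlaceholder(generic[2])) {
      findings.push({
        file, line,
        kind: `assignment:${generic[1].toLowerCase()}`,
        confidence: "medium",
        action: "verify-first",
      });
    }
  }
  return findings;
}

// Constructed sample: a few added lines from a config module.
const SAMPLE_ADDED_LINES = [
  { line: 3, text: 'const accessKeyId = "AKIAIOSFODNN7EXAMPLE";' },
  { line: 4, text: 'const ghToken = "ghp_0123456789abcdef0123456789abcdef0123";' },
  { line: 7, text: '  password: "hunter2hunter2",' },
  { line: 9, text: '  token: "${VAULT_TOKEN}",' },
  { line: 12, text: '  api_key: "<your api key here>",' },
  { line: 15, text: 'const minPasswordLength = 12;' },
];
```

Serialising the findings and grepping the output for any fragment of the original values is a cheap regression test for the "matched value is never returned" property; the one below does exactly that.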

Dependency licenses

Checks licenses for newly added or upgraded dependencies.

license (cost class: registry)
Looks at
The same direct dependency changes used by the dependency analyzer.
Reports
Copyleft or unknown license classifications that need maintainer compatibility review.
Network
Calls deps.dev. No GitHub token required.
Operational note
Permissive and otherwise-known licenses are intentionally silent.
Profiles
fast, balanced, deep
Requirements
files, public-network

npm install scripts

Flags npm packages that run lifecycle hooks during install.

installScript (cost class: registry)
Looks at
New or upgraded npm dependencies.
Reports
Package, version, hook names, and publish date when available.
Network
Calls the npm registry. No GitHub token required.
Operational note
The script body is not returned, which keeps the brief compact and non-executable.
Profiles
fast, balanced, deep
Requirements
files, public-network

Heavy dependencies used trivially

Flags materially heavy npm dependencies used only a few times in changed lines.

heavyDependency (cost class: registry)
Looks at
New or upgraded npm dependencies plus direct uses in added lines.
Reports
Package size, dependency count, usage count, and line-cited usage locations.
Network
Calls Bundlephobia. No GitHub token required.
Operational note
Only reports packages with trivial direct usage so the finding stays actionable.
Profiles
fast, balanced, deep
Requirements
files, public-network

Unpinned GitHub Actions

Detects third-party workflow actions pinned to mutable tags or branches.

actionPin (cost class: local)
Looks at
Added uses: lines in .github/workflows YAML patches.
Reports
Workflow file, line, action, and mutable ref.
Network
Pure local analyzer. No external network call.
Operational note
Official actions/* and github/* actions are excluded to keep the signal focused.
Profiles
fast, balanced, deep
Requirements
files
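An added example (not REES project code) of the rule this entry describes: walk the added lines of a workflow patch, pick out uses: references, skip the official actions/* and github/* owners, and report any remaining reference whose ref is not a full-length commit SHA. The unified-diff line-number tracking, the function names and the sample patch are constructed; the example is written so the head-file line number in the finding matches what the PR shows.

```javascript
// Added example, not REES project code. The diff parser, names and sample
// workflow patch are constructed for illustration.

const OFFICIAL_OWNERS = new Set(["actions", "github"]);
const FULL_SHA = /^[0-9a-f]{40}$/;
const WORKFLOW_PATH = /^\.github\/workflows\/[^/]+\.ya?ml$/;

// Yields { line, text } for every added line of a single-file unified diff,
// where `line` is the line number in the head (post-change) file.
function addedLinesFromPatch(patch) {
  const added = [];
  let newLine = null;                                  // null until the first hunk header
  for (const raw of patch.split("\n")) {
    const hunk = /^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@/.exec(raw);
    if (hunk) { newLine = Number(hunk[1]); continue; }
    if (newLine === null) continue;                    // file headers before the first hunk
    if (raw.startsWith("+")) { added.push({ line: newLine, text: raw.slice(1) }); newLine++; }
    else if (raw.startsWith("-") || raw.startsWith("\\")) { /* removed line or "No newline" marker */ }
    else newLine++;                                    // context line
  }
  return added;
}

// Reports third-party actions referenced by a mutable ref (tag or branch).
function findUnpinnedActions(file, patch) {
  if (!WORKFLOW_PATH.test(file)) return [];
  const findings = [];
  for (const { line, text } of addedLinesFromPatch(patch)) {
    const m = /^\s*-?\s*uses:\s*["']?([^\s"'#]+)/.exec(text);
    if (!m) continue;
    const spec = m[1];
    if (spec.startsWith("./") || spec.startsWith("docker://")) continue; // local path or container image
    const at = spec.lastIndexOf("@");
    if (at < 0) continue;                               // no ref: GitHub rejects the workflow anyway
    const action = spec.slice(0, at);
    const ref = spec.slice(at + 1);
    if (OFFICIAL_OWNERS.has(action.split("/")[0])) continue;
    if (FULL_SHA.test(ref)) continue;                   // full commit SHA is the immutable form
    findings.push({ file, line, action, ref });
  }
  return findings;
}

// Constructed sample patch against .github/workflows/ci.yml.
const SAMPLE_WORKFLOW_PATCH = [
  "--- a/.github/workflows/ci.yml",
  "+++ b/.github/workflows/ci.yml",
  "@@ -10,3 +10,7 @@ jobs:",
  "     steps:",
  "       - uses: actions/checkout@v4",
  "+      - uses: some-org/setup-thing@v2",
  "+      - uses: some-org/lint-action@main",
  "+      - uses: github/codeql-action/init@v3",
  "+      - uses: some-org/cache-helper@0123456789abcdef0123456789abcdef01234567",
  "       - run: npm ci",
].join("\n");
```

On the sample, lines 12 and 13 are reported (a version tag and a branch), the github/* reference is excluded by owner, and the SHA-pinned step passes; context lines such as the existing actions/checkout@v4 are never considered because only added lines are scanned.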

End-of-life runtimes

Checks changed runtime and base-image pins against EOL calendars.

eol (cost class: registry)
Looks at
Dockerfile FROM lines, .nvmrc, and go.mod runtime pins.
Reports
File, product, version, EOL date, and whether the release is already EOL or close to EOL.
Network
Calls endoflife.date. No GitHub token required.
Operational note
Only changed pins are checked; existing old runtimes outside the PR are not reported.
Profiles
fast, balanced, deep
Requirements
files, public-network

ReDoS-prone regex

Finds newly introduced regex shapes that can catastrophically backtrack.

redos (cost class: local)
Looks at
Regex literals and RegExp constructor string arguments in added lines.
Reports
File, line, and a truncated vulnerable pattern.
Network
Pure local analyzer. No external network call.
Operational note
Structural and precision-first; it flags nested unbounded quantifier shapes such as (a+)+.
Profiles
fast, balanced, deep
Requirements
files
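An added example (not REES project code) of a structural check for the shape this entry names: a quantified group that itself contains an unbounded quantifier, such as (a+)+. It extracts regex literals and RegExp string arguments from added lines with a heuristic, walks each pattern tracking group nesting, character classes and escapes, and reports the file, line and a truncated pattern. The extraction heuristic, the function names and the sample lines are constructed; a real precision-first rule would also suppress cases where a fixed separator between repetitions makes the shape safe, which this example leaves as a comment rather than a claim.

```javascript
// Added example, not REES project code. Extraction heuristic, names and
// sample lines are constructed; the walker implements only the nested
// unbounded-quantifier shape.

// Regex literal preceded by something that cannot end an expression (so "a / b" is mostly skipped).
const REGEX_LITERAL = /(?<=^|[=(,:;!&|?{}\[\s])\/((?:\\.|\[(?:\\.|[^\]\\])*\]|[^\/\\\[\n])+)\/[a-z]*/g;
// First string argument of RegExp("...") / new RegExp('...').
const REGEXP_CTOR = /\bRegExp\(\s*(["'`])((?:\\.|(?!\1).)*)\1/g;

function regexesIn(text) {
  const found = [];
  for (const m of text.matchAll(REGEX_LITERAL)) found.push(m[1]);
  for (const m of text.matchAll(REGEXP_CTOR)) found.push(m[2].replace(/\\\\/g, "\\")); // undo string-literal escaping
  return found;
}

// Quantifier token starting at index i, or null. Only +, * and {n,} are unbounded.
function quantifierAt(pattern, i) {
  const ch = pattern[i];
  if (ch === "+" || ch === "*") return { unbounded: true, length: 1 };
  if (ch === "?") return { unbounded: false, length: 1 };
  if (ch === "{") {
    const m = /^\{(\d+)(,(\d*))?\}/.exec(pattern.slice(i));
    if (m) return { unbounded: m[2] !== undefined && m[3] === "", length: m[0].length };
  }
  return null;
}

// True when some quantified group contains an unbounded quantifier, e.g. (a+)+,
// (\w+\s?)*, ((x+)y)+. Note: (\.[a-z]+)* also matches this shape although the
// literal separator makes it linear; a stricter rule would exclude it.
function hasNestedUnboundedQuantifier(pattern) {
  const groups = [];                                   // one entry per open "("
  let inClass = false;
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === "\\") { i++; continue; }                 // escaped char is a literal
    if (inClass) { if (ch === "]") inClass = false; continue; }
    if (ch === "[") { inClass = true; continue; }
    if (ch === "(") { groups.push({ unbounded: false }); continue; }
    if (ch === ")") {
      const group = groups.pop() ?? { unbounded: false };
      const q = quantifierAt(pattern, i + 1);
      if (q) i += q.length;                              // consume the group's own quantifier
      if (q?.unbounded && group.unbounded) return true;  // the nested shape
      if (groups.length && (group.unbounded || q?.unbounded)) groups[groups.length - 1].unbounded = true;
      continue;
    }
    const q = quantifierAt(pattern, i);
    if (q) {
      if (q.unbounded && groups.length) groups[groups.length - 1].unbounded = true;
      i += q.length - 1;
    }
  }
  return false;
}

// addedLines: [{ line, text }]. The reported pattern is truncated to keep the brief compact.
function findRedosCandidates(file, addedLines, maxPatternChars = 60) {
  const findings = [];
  for (const { line, text } of addedLines) {
    for (const pattern of regexesIn(text)) {
      if (!hasNestedUnboundedQuantifier(pattern)) continue;
      const shown = pattern.length > maxPatternChars ? pattern.slice(0, maxPatternChars) + "..." : pattern;
      findings.push({ file, line, pattern: shown });
    }
  }
  return findings;
}

// Constructed sample added lines.
const SAMPLE_ADDED_LINES = [
  { line: 4, text: 'const email = /^([a-z0-9]+)+@example\\.com$/;' },   // nested: flagged
  { line: 9, text: 'const words = /^(\\w+\\s?)*$/;' },                    // nested: flagged
  { line: 12, text: 'const digits = /^(\\d+)$/;' },                       // group not quantified
  { line: 15, text: 'const choice = /(a|b)+/g;' },                        // inner part bounded
  { line: 20, text: 'const dyn = new RegExp("(x+y*)+", "g");' },          // nested via constructor: flagged
  { line: 23, text: 'const bounded = /^(a{1,3}b)+$/;' },                  // {1,3} is bounded
];
```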

Provenance and committed artifacts

Checks package attestations and reviewability of newly added artifacts.

provenance (cost class: registry)
Looks at
New npm/PyPI dependency versions plus added binary, vendored, and minified files.
Reports
Missing attestations, binary files without reviewable source, and vendored or minified code.
Network
Calls npm and PyPI attestation/provenance endpoints for package checks. Path checks are local.
Operational note
Network failures fail safe; it flags only confident no-attestation responses.
Profiles
fast, balanced, deep
Requirements
files, public-network

CODEOWNERS coverage

Checks whether changed files cross ownership domains not owned by the PR author.

codeowners (cost class: github-light)
Looks at
.github/CODEOWNERS, CODEOWNERS, or docs/CODEOWNERS plus the changed file list.
Reports
Owned files where the PR author is not listed, plus ownership blast-radius context in the rendered brief.
Network
Calls the GitHub API. Requires author plus GitHub token forwarding for private repos.
Operational note
Leave REES_FORWARD_GITHUB_TOKEN unset/false to disable token forwarding; this analyzer will then skip when it cannot read CODEOWNERS.
Profiles
balanced, deep
Requirements
files, author, github-token

Secrets or PII in logs

Flags added code that writes sensitive values to logs or stdout.

secretLog (cost class: local)
Looks at
Added lines that call console, logger, process.stdout, or process.stderr sinks.
Reports
File, line, sink, and category: secret, pii, or request-object.
Network
Pure local analyzer. No external network call.
Operational note
String log messages are stripped before matching, so ordinary prose like "password reset" is not enough to trigger a finding.
Profiles
fast, balanced, deep
Requirements
files

Heavy binary assets

Finds large binary assets added to a PR, and growth deltas when base size is available.

assetWeight (cost class: github-heavy)
Looks at
Changed binary assets such as images, fonts, archives, PDFs, videos, and compiled binaries.
Reports
Path, size, delta, and whether the asset was added or grown.
Network
Calls the GitHub API. Requires headSha and GitHub token forwarding for private repos.
Operational note
Added asset detection works from headSha. Growth comparison needs baseSha in the enrichment request.
Profiles
balanced, deep
Requirements
files, github-token, head-sha

Typosquat and dependency-confusion risk

Checks newly added dependency names for near-miss and publicly claimable package names.

typosquat (cost class: registry)
Looks at
Newly added npm and PyPI dependency names.
Reports
Typosquat matches against popular packages, or unscoped names missing from the public registry.
Network
Uses bundled popular-package lists plus npm/PyPI registry lookups for dependency-confusion checks.
Operational note
Scoped npm packages are treated as namespace-protected and are not flagged as typosquats.
Profiles
fast, balanced, deep
Requirements
files, public-network

Head commit signature

Checks head commit signature and public author provenance.

commitSignature (cost class: github-light)
Looks at
The head commit plus a bounded slice of recent repository commit history.
Reports
GitHub signature verification reason and public boolean provenance flags.
Network
Calls the GitHub API. Requires headSha and GitHub token forwarding for private repos.
Operational note
Does not expose emails or private identity data; only public GitHub commit facts are surfaced.
Profiles
balanced, deep
Requirements
github-token, head-sha

IaC / config misconfiguration

Flags risky IaC/config changes such as public buckets or insecure CORS.

iacMisconfig (cost class: local)
Looks at
Added lines in Docker, Terraform, YAML, JSON, and similar config files.
Reports
File, line, and public-safe rule kind.
Network
Pure local analyzer. No external network call.
Operational note
Reports configuration shapes only; it does not inspect private runtime config.
Profiles
fast, balanced, deep
Requirements
files

Native-build dependencies

Flags newly added dependencies that compile native code or ship sdist-only builds.

nativeBuild (cost class: registry)
Looks at
New npm/PyPI dependency versions.
Reports
Package, version, ecosystem, native-build kind, and public-safe reason.
Network
Calls npm and PyPI registries. No GitHub token required.
Operational note
Registry JSON is capped so large package metadata cannot monopolize REES memory.
Profiles
fast, balanced, deep
Requirements
files, public-network

Author and change-area history

Shows public author track record, same-file PR history, and linked-issue alignment.

history (cost class: github-heavy)
Looks at
The PR author, changed file paths, linked issue text, added diff lines, and bounded GitHub history lookups.
Reports
Prior PR counts, similar past PRs, linked issue coverage, and partial/degraded status.
Network
Calls GitHub API with bounded fanout. Requires author plus GitHub token forwarding for private repos.
Operational note
Returns partial findings when GitHub lookups are skipped, capped, or budget-exhausted.
Profiles
balanced, deep
Requirements
files, github-token, author

Doc-comment drift

Flags a JSDoc/TSDoc @param that names a parameter the PR removed or renamed but left documented.

docCommentDrift (cost class: github-light)
Looks at
Changed TS/JS source files at headSha, comparing each named function's old vs new parameter list.
Reports
File, line, function, and the stale parameter name(s).
Network
Calls the GitHub API for changed file contents. Requires headSha and token forwarding for private repos.
Operational note
Conservative: only named function declarations with confidently enumerable parameters are checked; signature edits that do not touch parameters are not reported.
Profiles
balanced, deep
Requirements
files, github-token, head-sha

Near-verbatim duplicated code

Flags added code that is a near-verbatim duplicate of a block already present elsewhere in the repo.

duplication (cost class: github-light)
Looks at
Added diff hunks in changed source files compared against same-extension repo files fetched from the git tree at headSha.
Reports
The head file:line, the existing source file:line it duplicates, and the matched line count.
Network
Calls the GitHub API for the git tree and candidate blobs. Requires headSha and token forwarding for private repos.
Operational note
Conservative: trivial/boilerplate lines are dropped and a long contiguous run is required, so incidental overlap is not flagged. Never returns code content.
Profiles
balanced, deep
Requirements
files, github-token, head-sha

Use REES enrichment for enablement, auth, troubleshooting, and where the brief appears in the review result.