REES analyzer reference
Every analyzer name you can put in REES_ANALYZERS, what it inspects, what it reports, and whether it needs network or GitHub token access.
REES runs analyzers independently: a failed analyzer is marked degraded, analyzers that completed still return their findings, and an empty overall result produces no user-facing brief. Use exact analyzer names in REES_ANALYZERS; a list that contains only misspelled names fails closed, with no analyzers selected. Leave REES_PROFILE unset for the balanced profile, or set REES_PROFILE=fast during incidents to favor local and low-cost registry checks.
# Unset, all, or * runs the full registry.
REES_ANALYZERS=all
# A subset runs only the named analyzers.
REES_ANALYZERS=secret,actionPin,redos
# Invalid names are ignored; if none are valid, REES runs no analyzers.
REES_ANALYZERS=unknownName
Profiles
fast
- Cost classes
- local, registry
- Concurrency caps
- local:8, registry:2
- Response reserve
- 500 ms
balanced (default)
- Cost classes
- local, registry, github-light, github-heavy, tooling
- Concurrency caps
- local:8, registry:3, github-light:2, github-heavy:1, tooling:1
- Response reserve
- 750 ms
deep
- Cost classes
- local, registry, github-light, github-heavy, tooling
- Concurrency caps
- local:8, registry:4, github-light:2, github-heavy:1, tooling:1
- Response reserve
- 1000 ms
All analyzer names
dependency
lockfileDrift
secret
license
installScript
heavyDependency
actionPin
eol
redos
provenance
codeowners
secretLog
assetWeight
typosquat
commitSignature
iacMisconfig
nativeBuild
history
docCommentDrift
duplication
Network and token model
- Pure analyzers
- secret, actionPin, redos, secretLog, and iacMisconfig work only from the diff/files sent to REES.
- Public registry analyzers
- dependency, lockfileDrift, license, installScript, heavyDependency, eol, provenance, typosquat, and nativeBuild call public package or lifecycle APIs.
- GitHub API analyzers
- codeowners, assetWeight, commitSignature, history, docCommentDrift, and duplication read the GitHub API. They need author or headSha metadata (see each analyzer's Requirements) and GitHub token forwarding when the repo is private.
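Putting the rules in this section together (the REES_ANALYZERS selection rules, the profile cost classes, and the token model above), here is an added TypeScript example of how a selector could resolve them for one enrichment request. It is not REES's own code: the registry and profile tables are copied from this page, while the function names, the request-context fields (privateRepo, hasHeadSha, hasAuthor) and the choice to reject an unknown REES_PROFILE are assumptions.

```typescript
// Added example, not REES's own code: resolve REES_ANALYZERS, REES_PROFILE and
// REES_FORWARD_GITHUB_TOKEN into the analyzers that would run for one request.
type CostClass = "local" | "registry" | "github-light" | "github-heavy" | "tooling";
type Requirement = "files" | "public-network" | "github-token" | "head-sha" | "author";

interface AnalyzerSpec { name: string; cost: CostClass; requires: Requirement[]; }

// Registry as documented on this page: exact name, cost class, requirements.
const REGISTRY: AnalyzerSpec[] = [
  { name: "dependency",      cost: "registry",     requires: ["files", "public-network"] },
  { name: "lockfileDrift",   cost: "registry",     requires: ["files", "public-network"] },
  { name: "secret",          cost: "local",        requires: ["files"] },
  { name: "license",         cost: "registry",     requires: ["files", "public-network"] },
  { name: "installScript",   cost: "registry",     requires: ["files", "public-network"] },
  { name: "heavyDependency", cost: "registry",     requires: ["files", "public-network"] },
  { name: "actionPin",       cost: "local",        requires: ["files"] },
  { name: "eol",             cost: "registry",     requires: ["files", "public-network"] },
  { name: "redos",           cost: "local",        requires: ["files"] },
  { name: "provenance",      cost: "registry",     requires: ["files", "public-network"] },
  { name: "codeowners",      cost: "github-light", requires: ["files", "author", "github-token"] },
  { name: "secretLog",       cost: "local",        requires: ["files"] },
  { name: "assetWeight",     cost: "github-heavy", requires: ["files", "github-token", "head-sha"] },
  { name: "typosquat",       cost: "registry",     requires: ["files", "public-network"] },
  { name: "commitSignature", cost: "github-light", requires: ["github-token", "head-sha"] },
  { name: "iacMisconfig",    cost: "local",        requires: ["files"] },
  { name: "nativeBuild",     cost: "registry",     requires: ["files", "public-network"] },
  { name: "history",         cost: "github-heavy", requires: ["files", "github-token", "author"] },
  { name: "docCommentDrift", cost: "github-light", requires: ["files", "github-token", "head-sha"] },
  { name: "duplication",     cost: "github-light", requires: ["files", "github-token", "head-sha"] },
];

interface Profile { costClasses: CostClass[]; caps: { [cls: string]: number }; reserveMs: number; }

// Profiles as documented above. An unset REES_PROFILE means balanced.
const PROFILES: { [name: string]: Profile | undefined } = {
  fast:     { costClasses: ["local", "registry"], caps: { local: 8, registry: 2 }, reserveMs: 500 },
  balanced: { costClasses: ["local", "registry", "github-light", "github-heavy", "tooling"],
              caps: { local: 8, registry: 3, "github-light": 2, "github-heavy": 1, tooling: 1 }, reserveMs: 750 },
  deep:     { costClasses: ["local", "registry", "github-light", "github-heavy", "tooling"],
              caps: { local: 8, registry: 4, "github-light": 2, "github-heavy": 1, tooling: 1 }, reserveMs: 1000 },
};

// Assumed request-context shape: whether the repo is private decides if the GitHub
// API analyzers need a forwarded token; headSha and author are request metadata.
interface RequestContext { privateRepo: boolean; hasHeadSha: boolean; hasAuthor: boolean; }

interface Selection {
  run: string[];
  skipped: { name: string; reason: string }[];
  caps: { [cls: string]: number };
  reserveMs: number;
}

type Env = { [key: string]: string | undefined };

// Unset, empty, "all" or "*" select the full registry; otherwise an exact-name list.
function parseAnalyzerList(raw: string | undefined): string[] | null {
  if (raw === undefined) return null;
  const v = raw.trim();
  if (v === "" || v === "all" || v === "*") return null;
  return v.split(",").map((s) => s.trim()).filter((s) => s.length > 0);
}

function unmetRequirement(a: AnalyzerSpec, ctx: RequestContext, forwardToken: boolean): string | null {
  for (const r of a.requires) {
    if (r === "github-token" && ctx.privateRepo && !forwardToken) return "private repo and REES_FORWARD_GITHUB_TOKEN is not true";
    if (r === "head-sha" && !ctx.hasHeadSha) return "request carries no headSha";
    if (r === "author" && !ctx.hasAuthor) return "request carries no author";
  }
  return null;
}

function resolveSelection(env: Env, ctx: RequestContext): Selection {
  const profileName = env["REES_PROFILE"] || "balanced";
  const profile = PROFILES[profileName];
  if (profile === undefined) throw new Error("unknown REES_PROFILE: " + profileName); // assumption: rejected, not defaulted
  const forwardToken = env["REES_FORWARD_GITHUB_TOKEN"] === "true";
  const wanted = parseAnalyzerList(env["REES_ANALYZERS"]);
  const byName: { [name: string]: AnalyzerSpec | undefined } = {};
  for (const a of REGISTRY) byName[a.name] = a;
  // Unknown names are dropped, so a typo-only list yields no candidates (fail closed).
  const candidates: AnalyzerSpec[] = [];
  if (wanted === null) { for (const a of REGISTRY) candidates.push(a); }
  else { for (const n of wanted) { const a = byName[n]; if (a !== undefined) candidates.push(a); } }
  const sel: Selection = { run: [], skipped: [], caps: profile.caps, reserveMs: profile.reserveMs };
  for (const a of candidates) {
    if (profile.costClasses.indexOf(a.cost) < 0) {
      sel.skipped.push({ name: a.name, reason: "cost class " + a.cost + " is outside profile " + profileName });
      continue;
    }
    const unmet = unmetRequirement(a, ctx, forwardToken);
    if (unmet !== null) { sel.skipped.push({ name: a.name, reason: unmet }); continue; }
    sel.run.push(a.name);
  }
  return sel;
}
```

With this shape, REES_PROFILE=fast drops the six GitHub API analyzers by cost class before any request metadata is examined, while REES_FORWARD_GITHUB_TOKEN left unset only matters once the repo is private; a public repo with no headSha in the request still runs codeowners and history but skips the four headSha-dependent analyzers.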
With REES_FORWARD_GITHUB_TOKEN unset or false, REES still receives the PR diff/files when enrichment is enabled, but token-aware analyzers skip the GitHub API reads they cannot authenticate.
Analyzer details
Dependency vulnerabilities
Checks changed direct dependency versions against OSV.dev.
- Name
- dependency
- Cost class
- registry
- Looks at
- Added or upgraded dependencies in package.json, requirements.txt, and go.mod diffs.
- Reports
- Known CVEs with severity, advisory id, summary, and fixed version when OSV publishes one.
- Network
- Calls OSV.dev. No GitHub token required.
- Operational note
- Manifest-only by design; use lockfileDrift for transitive lockfile changes.
- Profiles
- fast, balanced, deep
- Requirements
- files, public-network
Lockfile drift
Finds vulnerable transitive dependency versions introduced only through lockfile changes.
- Name
- lockfileDrift
- Cost class
- registry
- Looks at
- package-lock.json, yarn.lock, and poetry.lock patches, excluding packages already named in a changed manifest.
- Reports
- Lockfile line, package/version, ecosystem, direction, and OSV vulnerability details.
- Network
- Calls OSV.dev querybatch. No GitHub token required.
- Operational note
- Useful when a PR does not touch a top-level manifest but changes resolved dependency pins.
- Profiles
- fast, balanced, deep
- Requirements
- files, public-network
Hardcoded secrets
Scans added diff lines for credential-shaped values.
- Name
- secret
- Cost class
- local
- Looks at
- Added lines in every changed file patch.
- Reports
- File, line, secret kind, and confidence. The matched value is never returned.
- Network
- Pure local analyzer. No external network call.
- Operational note
- High-confidence patterns are treated as rotate-and-remove candidates; generic assignments stay verify-first.
- Profiles
- fast, balanced, deep
- Requirements
- files
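As an added example of the secret analyzer's shape (not REES's own code or rule set), the TypeScript below walks the added lines of a unified diff, matches a few well-known credential formats, and reports file, line, kind and confidence without ever including the matched value. The sample diff is constructed, the four rules are illustrative rather than REES's patterns, and the placeholder heuristic is an assumption.

```typescript
// Added example, not REES's own code: credential-shape scanning over the added
// lines of a unified diff. Findings never carry the matched value.
interface AddedLine { file: string; line: number; text: string; }
interface SecretFinding {
  file: string; line: number; kind: string;
  confidence: "high" | "low"; action: "rotate-and-remove" | "verify-first";
}

// Walk a unified diff and return only '+' lines with their new-file line numbers.
function addedLines(diff: string): AddedLine[] {
  const out: AddedLine[] = [];
  let file = "";
  let lineNo = 0;
  for (const raw of diff.split("\n")) {
    if (raw.indexOf("+++ ") === 0) { file = raw.slice(4).replace(/^b\//, ""); continue; }
    if (raw.indexOf("--- ") === 0) continue;
    const hunk = /^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@/.exec(raw);
    if (hunk !== null) { lineNo = Number(hunk[1]); continue; }
    if (raw.charAt(0) === "+") { out.push({ file, line: lineNo, text: raw.slice(1) }); lineNo += 1; }
    else if (raw.charAt(0) === "-" || raw.charAt(0) === "\\") { /* removed line or "\ No newline": no new-file number */ }
    else { lineNo += 1; } // context line
  }
  return out;
}

interface SecretRule { kind: string; confidence: "high" | "low"; re: RegExp; }
// Illustrative rules only (a real set is far larger). Group 1 is the candidate value.
const RULES: SecretRule[] = [
  { kind: "aws-access-key-id", confidence: "high", re: /\b(AKIA[0-9A-Z]{16})\b/ },
  { kind: "github-token",      confidence: "high", re: /\b(gh[pousr]_[A-Za-z0-9]{36})\b/ },
  { kind: "private-key-block", confidence: "high", re: /(-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)/ },
  { kind: "generic-assignment", confidence: "low",
    re: /(?:password|passwd|secret|api[_-]?key|token)\w*\s*[:=]\s*["']([^"']{8,})["']/i },
];

// Assumed heuristic: env references, angle-bracket templates and obvious dummies are not secrets.
function isPlaceholder(value: string): boolean {
  return /^[<$]/.test(value) || /^(?:changeme|example|xxx+|your[-_])/i.test(value);
}

function scanSecrets(lines: AddedLine[]): SecretFinding[] {
  const out: SecretFinding[] = [];
  for (const l of lines) {
    for (const r of RULES) {
      const m = r.re.exec(l.text);
      if (m === null) continue;
      const value = (m[1] !== undefined ? m[1] : m[0]) || "";
      if (isPlaceholder(value)) continue;
      out.push({
        file: l.file, line: l.line, kind: r.kind, confidence: r.confidence,
        action: r.confidence === "high" ? "rotate-and-remove" : "verify-first",
      });
      break; // one finding per line keeps the brief compact
    }
  }
  return out;
}

// Constructed sample diff (not from any real repository). The AKIA value is AWS's documented example key.
const SAMPLE_DIFF = [
  "--- a/src/config.ts",
  "+++ b/src/config.ts",
  "@@ -1,2 +1,6 @@",
  ' import { readFileSync } from "fs";',
  '+const AWS_KEY = "AKIAIOSFODNN7EXAMPLE";',
  '+const dbPassword = "s3cr3t-pa55word";',
  '+const apiToken = "<your-token-here>";',
  "+// reminder: ask ops for the password reset procedure",
  ' export const region = "eu-west-1";',
].join("\n");

const SECRET_REPORT = scanSecrets(addedLines(SAMPLE_DIFF));
console.log(JSON.stringify(SECRET_REPORT, null, 2));
```

On the sample, line 2 is a high-confidence rotate-and-remove finding, line 3 a low-confidence verify-first one, the placeholder on line 4 is skipped, and the comment on line 5 produces nothing because "password" is not followed by an assignment.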
Dependency licenses
Checks licenses for newly added or upgraded dependencies.
- Name
- license
- Cost class
- registry
- Looks at
- The same direct dependency changes used by the dependency analyzer.
- Reports
- Copyleft or unknown license classifications that need maintainer compatibility review.
- Network
- Calls deps.dev. No GitHub token required.
- Operational note
- Permissive and otherwise-known licenses are intentionally silent.
- Profiles
- fast, balanced, deep
- Requirements
- files, public-network
npm install scripts
Flags npm packages that run lifecycle hooks during install.
- Name
- installScript
- Cost class
- registry
- Looks at
- New or upgraded npm dependencies.
- Reports
- Package, version, hook names, and publish date when available.
- Network
- Calls the npm registry. No GitHub token required.
- Operational note
- The script body is not returned, which keeps the brief compact and non-executable.
- Profiles
- fast, balanced, deep
- Requirements
- files, public-network
Heavy dependencies used trivially
Flags materially heavy npm dependencies used only a few times in changed lines.
- Name
- heavyDependency
- Cost class
- registry
- Looks at
- New or upgraded npm dependencies plus direct uses in added lines.
- Reports
- Package size, dependency count, usage count, and line-cited usage locations.
- Network
- Calls Bundlephobia. No GitHub token required.
- Operational note
- Only reports packages with trivial direct usage so the finding stays actionable.
- Profiles
- fast, balanced, deep
- Requirements
- files, public-network
Unpinned GitHub Actions
Detects third-party workflow actions pinned to mutable tags or branches.
- Name
- actionPin
- Cost class
- local
- Looks at
- Added uses: lines in .github/workflows YAML patches.
- Reports
- Workflow file, line, action, and mutable ref.
- Network
- Pure local analyzer. No external network call.
- Operational note
- Official actions/* and github/* actions are excluded to keep the signal focused.
- Profiles
- fast, balanced, deep
- Requirements
- files
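An added TypeScript example (not REES's own code) of the check this analyzer describes: for added uses: lines in workflow files it parses owner/repo@ref, skips local and docker:// actions and the official actions/* and github/* namespaces, accepts only a full commit SHA as an immutable pin, and reports everything else. The sample lines are constructed, and the exact set of accepted SHA lengths (40 or 64 hex) is an assumption.

```typescript
// Added example, not REES's own code: flag third-party actions pinned to mutable refs.
interface AddedLine { file: string; line: number; text: string; }
interface PinFinding { file: string; line: number; action: string; ref: string; }

const WORKFLOW_FILE = /^\.github\/workflows\/[^/]+\.ya?ml$/;
// "uses:" at step level ("- uses:") or job level (reusable workflows); the value may be quoted.
const USES_LINE = /^\s*(?:-\s*)?uses:\s*["']?([^\s"'#]+)/;
// Assumption: a full SHA-1 (40 hex) or SHA-256 (64 hex) commit id is the only immutable ref.
const COMMIT_SHA = /^(?:[0-9a-f]{40}|[0-9a-f]{64})$/;

function isOfficialAction(action: string): boolean {
  const owner = action.split("/")[0] || "";
  return owner === "actions" || owner === "github";
}

function findUnpinnedActions(lines: AddedLine[]): PinFinding[] {
  const out: PinFinding[] = [];
  for (const l of lines) {
    if (!WORKFLOW_FILE.test(l.file)) continue;
    const m = USES_LINE.exec(l.text);
    if (m === null) continue;
    const target = m[1] || "";
    // Local actions and container images are not third-party GitHub refs.
    if (target.indexOf("./") === 0 || target.indexOf("docker://") === 0) continue;
    const at = target.lastIndexOf("@");
    if (at < 0) continue; // GitHub requires "@ref" for remote actions; such a workflow fails to load
    const action = target.slice(0, at);
    const ref = target.slice(at + 1);
    if (isOfficialAction(action)) continue; // actions/* and github/* are excluded by design
    if (COMMIT_SHA.test(ref)) continue;      // full commit SHA: immutable
    out.push({ file: l.file, line: l.line, action, ref });
  }
  return out;
}

// Constructed sample: added lines as REES would see them (file, new-file line, text).
const SAMPLE_LINES: AddedLine[] = [
  { file: ".github/workflows/ci.yml", line: 12, text: "      - uses: actions/checkout@v4" },
  { file: ".github/workflows/ci.yml", line: 14, text: "      - uses: some-org/setup-tool@v1" },
  { file: ".github/workflows/ci.yml", line: 16, text: "      - uses: some-org/lint@main # latest" },
  { file: ".github/workflows/ci.yml", line: 18, text: "      - uses: some-org/build@8f4b2c1d9e0a7b6c5d4e3f2a1b0c9d8e7f6a5b4c" },
  { file: ".github/workflows/ci.yml", line: 20, text: "      - uses: ./.github/actions/local" },
  { file: ".github/workflows/ci.yml", line: 22, text: "      - uses: docker://alpine:3.19" },
  { file: "docs/ci.yml", line: 3, text: "      - uses: some-org/setup-tool@v1" },
];

console.log(JSON.stringify(findUnpinnedActions(SAMPLE_LINES), null, 2));
```

Only lines 14 (tag v1) and 16 (branch main) are reported: the official checkout action, the SHA-pinned build action, the local and container actions, and the identical line outside .github/workflows are all ignored.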
End-of-life runtimes
Checks changed runtime and base-image pins against EOL calendars.
- Name
- eol
- Cost class
- registry
- Looks at
- Dockerfile FROM lines, .nvmrc, and go.mod runtime pins.
- Reports
- File, product, version, EOL date, and whether the release is already EOL or close to EOL.
- Network
- Calls endoflife.date. No GitHub token required.
- Operational note
- Only changed pins are checked; existing old runtimes outside the PR are not reported.
- Profiles
- fast, balanced, deep
- Requirements
- files, public-network
ReDoS-prone regex
Finds newly introduced regex shapes that can catastrophically backtrack.
- Name
- redos
- Cost class
- local
- Looks at
- Regex literals and RegExp constructor string arguments in added lines.
- Reports
- File, line, and a truncated vulnerable pattern.
- Network
- Pure local analyzer. No external network call.
- Operational note
- Structural and precision-first; it flags nested unbounded quantifier shapes such as (a+)+.
- Profiles
- fast, balanced, deep
- Requirements
- files
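An added TypeScript example (not REES's own code) of the structural, precision-first check described above: it pulls regex literals and RegExp("...") string arguments out of added lines, then walks each pattern looking for an unbounded quantifier applied to a group that already contains one, the (a+)+ shape. It deliberately handles only that shape (overlapping alternations such as (a|aa)+ are not detected), the literal-extraction heuristic for avoiding division operators is an assumption, and the sample lines are constructed.

```typescript
// Added example, not REES's own code: find nested unbounded quantifiers in new regexes.
interface AddedLine { file: string; line: number; text: string; }
interface RedosFinding { file: string; line: number; pattern: string; }

// A "/.../" literal is only recognised after a token that cannot precede a division
// operator, which keeps "total / count / 2" from being read as a regex (assumption).
const REGEX_LITERAL = /(?:^|[=(,:\[!&|?])\s*\/((?:\\.|\[(?:\\.|[^\]\\])*\]|[^\/\\\[\n])+)\/[dgimsuvy]*/;
const REGEX_CTOR = /\bRegExp\(\s*(["'])((?:\\.|(?!\1)[^\\])*)\1/;

function extractPatterns(code: string): string[] {
  const out: string[] = [];
  const lit = REGEX_LITERAL.exec(code);
  if (lit !== null && lit[1] !== undefined) out.push(lit[1]);
  const ctor = REGEX_CTOR.exec(code);
  // A string argument is unescaped once: the source text "(\\d+)+" is the pattern (\d+)+.
  if (ctor !== null && ctor[2] !== undefined) out.push(ctor[2].replace(/\\(.)/g, "$1"));
  return out;
}

// Structural check: an unbounded quantifier (+, *, {n,}) applied to a group that itself
// contains an unbounded quantifier, e.g. (a+)+ or (\w+\s?)*. Escapes and classes are skipped.
function hasNestedUnboundedQuantifier(pattern: string): boolean {
  const groupHasUnbounded: boolean[] = []; // one flag per currently open group
  let lastClosedGroupUnbounded = false;     // true right after ")" of such a group
  let i = 0;
  while (i < pattern.length) {
    const c = pattern.charAt(i);
    if (c === "\\") { i += 2; lastClosedGroupUnbounded = false; continue; }
    if (c === "[") {
      i += 1;
      while (i < pattern.length && pattern.charAt(i) !== "]") i += pattern.charAt(i) === "\\" ? 2 : 1;
      i += 1; lastClosedGroupUnbounded = false; continue;
    }
    if (c === "(") { groupHasUnbounded.push(false); i += 1; lastClosedGroupUnbounded = false; continue; }
    if (c === ")") { lastClosedGroupUnbounded = groupHasUnbounded.pop() === true; i += 1; continue; }
    let quantLen = 0;
    let unbounded = false;
    if (c === "+" || c === "*") { quantLen = 1; unbounded = true; }
    else if (c === "{") {
      const m = /^\{(\d+),(\d*)\}/.exec(pattern.slice(i)); // {n,} is unbounded, {n,m} is not
      if (m !== null) { quantLen = (m[0] || "").length; unbounded = m[2] === ""; }
    }
    if (quantLen > 0) {
      if (unbounded && lastClosedGroupUnbounded) return true;
      if (unbounded) for (let g = 0; g < groupHasUnbounded.length; g++) groupHasUnbounded[g] = true;
      i += quantLen; lastClosedGroupUnbounded = false; continue;
    }
    i += 1; lastClosedGroupUnbounded = false;
  }
  return false;
}

function scanRedos(lines: AddedLine[]): RedosFinding[] {
  const out: RedosFinding[] = [];
  for (const l of lines) {
    for (const p of extractPatterns(l.text)) {
      if (!hasNestedUnboundedQuantifier(p)) continue;
      out.push({ file: l.file, line: l.line, pattern: p.length > 40 ? p.slice(0, 40) + "..." : p });
    }
  }
  return out;
}

// Constructed sample added lines.
const SAMPLE_LINES: AddedLine[] = [
  { file: "src/parse.ts", line: 10, text: 'const words = /^(\\w+\\s?)+$/;' },
  { file: "src/parse.ts", line: 11, text: 'const email = /^[^@\\s]+@[^@\\s]+\\.[a-z]{2,}$/i;' },
  { file: "src/parse.ts", line: 12, text: 'const re = new RegExp("(\\\\d+)*x");' },
  { file: "src/parse.ts", line: 13, text: 'const ratio = total / count / 2;' },
];

console.log(JSON.stringify(scanRedos(SAMPLE_LINES), null, 2));
```

Lines 10 and 12 are reported; the e-mail pattern on line 11 has unbounded quantifiers but no nesting, and line 13 contains divisions, not a regex.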
Provenance and committed artifacts
Checks package attestations and reviewability of newly added artifacts.
- Name
- provenance
- Cost class
- registry
- Looks at
- New npm/PyPI dependency versions plus added binary, vendored, and minified files.
- Reports
- Missing attestations, binary files without reviewable source, and vendored or minified code.
- Network
- Calls npm and PyPI attestation/provenance endpoints for package checks. Path checks are local.
- Operational note
- Network failures fail safe; it flags only confident no-attestation responses.
- Profiles
- fast, balanced, deep
- Requirements
- files, public-network
CODEOWNERS coverage
Checks whether changed files cross ownership domains not owned by the PR author.
- Name
- codeowners
- Cost class
- github-light
- Looks at
- .github/CODEOWNERS, CODEOWNERS, or docs/CODEOWNERS plus the changed file list.
- Reports
- Owned files where the PR author is not listed, plus ownership blast-radius context in the rendered brief.
- Network
- Calls the GitHub API. Requires author plus GitHub token forwarding for private repos.
- Operational note
- Leave REES_FORWARD_GITHUB_TOKEN unset/false to disable token forwarding; this analyzer will then skip when it cannot read CODEOWNERS.
- Profiles
- balanced, deep
- Requirements
- files, author, github-token
Secrets or PII in logs
Flags added code that writes sensitive values to logs or stdout.
- Name
- secretLog
- Cost class
- local
- Looks at
- Added lines that call console, logger, process.stdout, or process.stderr sinks.
- Reports
- File, line, sink, and category: secret, pii, or request-object.
- Network
- Pure local analyzer. No external network call.
- Operational note
- String log messages are stripped before matching, so ordinary prose such as a "password reset" message is not enough to trigger a finding; only identifiers passed to the sink count.
- Profiles
- fast, balanced, deep
- Requirements
- files
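An added TypeScript example (not REES's own code) of the sink-and-identifier approach described above. It locates console, logger and process.stdout/stderr sink calls in added lines, strips string literals from the arguments while keeping the ${...} interpolations of template literals, and then classifies the remaining identifiers as secret, pii or request-object. The sink list, the category word lists and the sample lines are constructed assumptions.

```typescript
// Added example, not REES's own code: flag log sinks that receive sensitive identifiers.
interface AddedLine { file: string; line: number; text: string; }
type LogCategory = "secret" | "pii" | "request-object";
interface LogFinding { file: string; line: number; sink: string; category: LogCategory; }

const SINK = /\b((?:console|logger)\.(?:log|info|warn|error|debug|trace)|process\.(?:stdout|stderr)\.write)\s*\(/;

// Category rules run against identifiers only, after string literals are stripped.
// Word lists are illustrative; checked in the order the page lists the categories.
const CATEGORY_RULES: { category: LogCategory; re: RegExp }[] = [
  { category: "secret", re: /(?:password|passwd|secret|token|api[_-]?key|authorization|private[_-]?key|cookie)\b/i },
  { category: "pii", re: /(?:email|ssn|phone|date[_-]?of[_-]?birth|social[_-]?security)\b/i },
  { category: "request-object", re: /\b(?:req|request|ctx\.request|headers)\b/ },
];

// Drop quoted strings so prose never matches; keep ${...} from template literals,
// because the interpolated identifiers are exactly what ends up in the log.
function stripStringLiterals(code: string): string {
  const noQuotes = code.replace(/"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'/g, '""');
  return noQuotes.replace(/`(?:\\.|[^`\\])*`/g, (tpl: string): string => {
    const parts = tpl.match(/\$\{[^}]*\}/g);
    return parts === null ? '""' : parts.join(" ");
  });
}

function scanLogSinks(lines: AddedLine[]): LogFinding[] {
  const out: LogFinding[] = [];
  for (const l of lines) {
    const m = SINK.exec(l.text);
    if (m === null) continue;
    const sink = m[1] || "";
    const args = stripStringLiterals(l.text.slice(m.index + (m[0] || "").length));
    for (const rule of CATEGORY_RULES) {
      if (rule.re.test(args)) { out.push({ file: l.file, line: l.line, sink, category: rule.category }); break; }
    }
  }
  return out;
}

// Constructed sample added lines.
const SAMPLE_LINES: AddedLine[] = [
  { file: "src/auth.ts", line: 21, text: 'console.log("login attempt", { user, password });' },
  { file: "src/auth.ts", line: 22, text: 'logger.info("password reset email sent");' },
  { file: "src/auth.ts", line: 23, text: 'logger.debug(`token=${accessToken} for ${email}`);' },
  { file: "src/api.ts", line: 40, text: 'console.error("unhandled", req);' },
  { file: "src/api.ts", line: 41, text: 'process.stdout.write(JSON.stringify({ email: user.email }) + "\\n");' },
  { file: "src/api.ts", line: 42, text: 'const total = price * qty; // not a log sink' },
];

console.log(JSON.stringify(scanLogSinks(SAMPLE_LINES), null, 2));
```

Line 22 produces nothing even though it contains both "password" and "email": after stripping, no identifier reaches the sink. Line 23 is still caught because the template literal's interpolations survive the strip.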
Heavy binary assets
Finds large binary assets added to a PR, and growth deltas when base size is available.
- Name
- assetWeight
- Cost class
- github-heavy
- Looks at
- Changed binary assets such as images, fonts, archives, PDFs, videos, and compiled binaries.
- Reports
- Path, size, delta, and whether the asset was added or grown.
- Network
- Calls the GitHub API. Requires headSha and GitHub token forwarding for private repos.
- Operational note
- Added asset detection works from headSha. Growth comparison needs baseSha in the enrichment request.
- Profiles
- balanced, deep
- Requirements
- files, github-token, head-sha
Typosquat and dependency-confusion risk
Checks newly added dependency names for near-miss and publicly claimable package names.
- Name
- typosquat
- Cost class
- registry
- Looks at
- Newly added npm and PyPI dependency names.
- Reports
- Typosquat matches against popular packages, or unscoped names missing from the public registry.
- Network
- Uses bundled popular-package lists plus npm/PyPI registry lookups for dependency-confusion checks.
- Operational note
- Scoped npm packages are treated as namespace-protected and are not flagged as typosquats.
- Profiles
- fast, balanced, deep
- Requirements
- files, public-network
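An added TypeScript example (not REES's own code) of both checks this analyzer describes: near-miss detection against a bundled popular-package list using an edit distance that counts transpositions, and a dependency-confusion check for unscoped names that the public registry does not know. The registry lookup is injected as a function so the example runs offline against a constructed fake registry; the popular lists, the distance threshold of one edit, and the fake registry contents are all assumptions.

```typescript
// Added example, not REES's own code: typosquat and dependency-confusion checks on new names.
type Ecosystem = "npm" | "pypi";
interface NewDependency { ecosystem: Ecosystem; name: string; }
interface NameFinding { ecosystem: Ecosystem; name: string; kind: "typosquat" | "dependency-confusion"; detail: string; }

// Stand-in for the bundled popular-package lists (a handful of names per ecosystem).
const POPULAR: Record<Ecosystem, string[]> = {
  npm: ["lodash", "express", "react", "axios", "chalk"],
  pypi: ["requests", "numpy", "flask", "django", "urllib3"],
};

// Canonical comparison form: npm names are published lower-case; PyPI normalises case
// and collapses runs of "-", "_" and "." to "-" (PEP 503).
function normalize(eco: Ecosystem, name: string): string {
  return eco === "pypi" ? name.toLowerCase().replace(/[-_.]+/g, "-") : name.toLowerCase();
}

// Optimal string alignment distance: insert, delete, substitute, or swap adjacent chars.
function editDistance(a: string, b: string): number {
  const w = b.length + 1;
  const d: number[] = [];
  for (let k = 0; k < (a.length + 1) * w; k++) d.push(0);
  const get = (i: number, j: number): number => { const v = d[i * w + j]; return v === undefined ? 0 : v; };
  for (let i = 0; i <= a.length; i++) d[i * w] = i;
  for (let j = 0; j <= b.length; j++) d[j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a.charAt(i - 1) === b.charAt(j - 1) ? 0 : 1;
      let best = Math.min(get(i - 1, j) + 1, get(i, j - 1) + 1, get(i - 1, j - 1) + cost);
      if (i > 1 && j > 1 && a.charAt(i - 1) === b.charAt(j - 2) && a.charAt(i - 2) === b.charAt(j - 1)) {
        best = Math.min(best, get(i - 2, j - 2) + 1); // transposition, e.g. lodahs vs lodash
      }
      d[i * w + j] = best;
    }
  }
  return get(a.length, b.length);
}

// Injected registry lookup (the real analyzer queries npm/PyPI over the network).
type RegistryLookup = (eco: Ecosystem, name: string) => boolean;

function checkDependencyNames(deps: NewDependency[], registryHas: RegistryLookup): NameFinding[] {
  const out: NameFinding[] = [];
  for (const dep of deps) {
    // Scoped npm names are namespace-protected: neither check applies.
    if (dep.ecosystem === "npm" && dep.name.charAt(0) === "@") continue;
    const norm = normalize(dep.ecosystem, dep.name);
    const popular = POPULAR[dep.ecosystem];
    if (popular.indexOf(norm) < 0) {
      for (const p of popular) {
        if (editDistance(norm, p) <= 1) { // assumption: one edit counts as a near miss
          out.push({ ecosystem: dep.ecosystem, name: dep.name, kind: "typosquat", detail: "one edit away from popular package " + p });
          break;
        }
      }
    }
    if (!registryHas(dep.ecosystem, norm)) {
      out.push({ ecosystem: dep.ecosystem, name: dep.name, kind: "dependency-confusion",
                 detail: "unscoped name with no public registry entry; anyone could publish it" });
    }
  }
  return out;
}

// Constructed fake registry and sample dependencies.
const FAKE_REGISTRY: Record<Ecosystem, string[]> = {
  npm: ["lodash", "express", "react", "axios", "chalk", "lodahs"],
  pypi: ["requests", "numpy", "flask", "django", "urllib3", "urllib-3"],
};
const fakeLookup: RegistryLookup = (eco, name) => FAKE_REGISTRY[eco].indexOf(name) >= 0;

const SAMPLE_DEPS: NewDependency[] = [
  { ecosystem: "npm", name: "lodash" },               // popular and published: fine
  { ecosystem: "npm", name: "lodahs" },               // transposition of lodash
  { ecosystem: "npm", name: "@acme/internal-utils" }, // scoped: skipped
  { ecosystem: "npm", name: "acme-internal-utils" },  // unscoped internal name, not public: claimable
  { ecosystem: "pypi", name: "Requests" },            // normalises to requests: fine
  { ecosystem: "pypi", name: "urllib-3" },            // one deletion away from urllib3
];

console.log(JSON.stringify(checkDependencyNames(SAMPLE_DEPS, fakeLookup), null, 2));
```

The unscoped internal name is the dependency-confusion case: it is not near any popular package, but because nobody has published it publicly, a resolver that falls back to the public registry could be fed an attacker's package of the same name.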
Head commit signature
Checks head commit signature and public author provenance.
- Name
- commitSignature
- Cost class
- github-light
- Looks at
- The head commit plus a bounded slice of recent repository commit history.
- Reports
- GitHub signature verification reason and public boolean provenance flags.
- Network
- Calls the GitHub API. Requires headSha and GitHub token forwarding for private repos.
- Operational note
- Does not expose emails or private identity data; only public GitHub commit facts are surfaced.
- Profiles
- balanced, deep
- Requirements
- github-token, head-sha
IaC / config misconfiguration
Flags risky IaC/config changes such as public buckets or insecure CORS.
- Name
- iacMisconfig
- Cost class
- local
- Looks at
- Added lines in Docker, Terraform, YAML, JSON, and similar config files.
- Reports
- File, line, and public-safe rule kind.
- Network
- Pure local analyzer. No external network call.
- Operational note
- Reports configuration shapes only; it does not inspect private runtime config.
- Profiles
- fast, balanced, deep
- Requirements
- files
Native-build dependencies
Flags newly added dependencies that compile native code or ship sdist-only builds.
- Name
- nativeBuild
- Cost class
- registry
- Looks at
- New npm/PyPI dependency versions.
- Reports
- Package, version, ecosystem, native-build kind, and public-safe reason.
- Network
- Calls npm and PyPI registries. No GitHub token required.
- Operational note
- Registry JSON is capped so large package metadata cannot monopolize REES memory.
- Profiles
- fast, balanced, deep
- Requirements
- files, public-network
Author and change-area history
Shows public author track record, same-file PR history, and linked-issue alignment.
- Name
- history
- Cost class
- github-heavy
- Looks at
- The PR author, changed file paths, linked issue text, added diff lines, and bounded GitHub history lookups.
- Reports
- Prior PR counts, similar past PRs, linked issue coverage, and partial/degraded status.
- Network
- Calls GitHub API with bounded fanout. Requires author plus GitHub token forwarding for private repos.
- Operational note
- Returns partial findings when GitHub lookups are skipped, capped, or budget-exhausted.
- Profiles
- balanced, deep
- Requirements
- files, github-token, author
Doc-comment drift
Flags a JSDoc/TSDoc @param that names a parameter the PR removed or renamed but left documented.
- Name
- docCommentDrift
- Cost class
- github-light
- Looks at
- Changed TS/JS source files at headSha, comparing each named function's old vs new parameter list.
- Reports
- File, line, function, and the stale parameter name(s).
- Network
- Calls the GitHub API for changed file contents. Requires headSha and token forwarding for private repos.
- Operational note
- Conservative: only named function declarations with confidently-enumerable params; non-parameter signature edits are not reported.
- Profiles
- balanced, deep
- Requirements
- files, github-token, head-sha
Near-verbatim duplicated code
Flags added code that is a near-verbatim duplicate of a block already present elsewhere in the repo.
- Name
- duplication
- Cost class
- github-light
- Looks at
- Added diff hunks in changed source files compared against same-extension repo files fetched from the git tree at headSha.
- Reports
- The head file:line, the existing source file:line it duplicates, and the matched line count.
- Network
- Calls the GitHub API for the git tree and candidate blobs. Requires headSha and token forwarding for private repos.
- Operational note
- Conservative: trivial/boilerplate lines are dropped and a long contiguous run is required, so incidental overlap is not flagged. Never returns code content.
- Profiles
- balanced, deep
- Requirements
- files, github-token, head-sha
See also: REES setup (the REES enrichment page) for enablement, auth, troubleshooting, and where the brief appears in the review result.