REES analyzer reference

Every analyzer name you can put in REES_ANALYZERS, what it inspects, what it reports, and whether it needs network or GitHub token access.

REES runs analyzers independently: a failed analyzer is marked degraded, the analyzers that completed still return their findings, and an empty overall result produces no user-facing brief. Use exact analyzer names in REES_ANALYZERS; a list made up only of misspelled names fails closed with no analyzers selected.

.env
# Unset, all, or * runs the full registry.
REES_ANALYZERS=all

# A subset runs only the named analyzers.
REES_ANALYZERS=secret,actionPin,redos

# Invalid names are ignored; if none are valid, REES runs no analyzers.
REES_ANALYZERS=unknownName

All analyzer names

REES_ANALYZERS names
dependency
lockfileDrift
secret
license
installScript
actionPin
eol
redos
provenance
codeowners
secretLog
assetWeight
typosquat
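The selection rules for REES_ANALYZERS and the independent-execution model described above, applied to the registry list just given, as an added example that is not REES's own code. The analyzer bodies are stand-ins (assumption: each analyzer is a function that returns an array of findings or throws).

```javascript
// Registry names as listed on this page.
const REGISTRY = [
  'dependency', 'lockfileDrift', 'secret', 'license', 'installScript',
  'actionPin', 'eol', 'redos', 'provenance', 'codeowners', 'secretLog',
  'assetWeight', 'typosquat',
];

// Unset, "all" or "*" selects the full registry. Otherwise only exact names
// are kept: unknown names are reported and dropped, and a list with no valid
// name fails closed to an empty selection (nothing runs, no brief).
function selectAnalyzers(envValue, registry = REGISTRY) {
  const raw = (envValue ?? '').trim();
  if (raw === '' || raw === 'all' || raw === '*') {
    return { selected: [...registry], unknown: [] };
  }
  const wanted = raw.split(',').map((n) => n.trim()).filter(Boolean);
  return {
    selected: registry.filter((n) => wanted.includes(n)), // exact match, registry order
    unknown: wanted.filter((n) => !registry.includes(n)),
  };
}

// Each analyzer runs in isolation: one that throws is recorded as degraded and
// the findings of the others are still returned. An empty findings list means
// no user-facing brief is rendered.
function runAnalyzers(selected, analyzers, input) {
  const findings = [];
  const degraded = [];
  for (const name of selected) {
    try {
      for (const f of analyzers[name](input)) findings.push({ analyzer: name, ...f });
    } catch (err) {
      degraded.push({ analyzer: name, error: err instanceof Error ? err.message : String(err) });
    }
  }
  return { findings, degraded, renderBrief: findings.length > 0 };
}

// Constructed demo: a misspelled name is dropped, one analyzer succeeds, one fails.
const demo = runAnalyzers(
  selectAnalyzers('secret,redos,unknownName').selected,
  {
    secret: () => [{ kind: 'aws_access_key', file: 'config.js', line: 3 }],
    redos: () => { throw new Error('parser crashed'); },
  },
  { files: [] }, // stand-in for the PR diff/files payload
);
```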

Network and token model

Pure analyzers
secret, actionPin, redos, and secretLog work only from the diff/files sent to REES.
Public registry analyzers
dependency, lockfileDrift, license, installScript, eol, provenance, and typosquat call public package or lifecycle APIs.
GitHub API analyzers
codeowners and assetWeight need author/head metadata and GitHub token forwarding when the repo is private.
If the REES endpoint is outside your trust boundary, set REES_FORWARD_GITHUB_TOKEN=false. REES still receives the PR diff and files while enrichment is enabled, but token-aware analyzers skip any GitHub API read they cannot authenticate.

Analyzer details

Dependency vulnerabilities

Checks changed direct dependency versions against OSV.dev.

dependency
Looks at
Added or upgraded dependencies in package.json, requirements.txt, and go.mod diffs.
Reports
Known CVEs with severity, advisory id, summary, and fixed version when OSV publishes one.
Network
Calls OSV.dev. No GitHub token required.
Operational note
Manifest-only by design; use lockfileDrift for transitive lockfile changes.

Lockfile drift

Finds vulnerable transitive dependency versions introduced only through lockfile changes.

lockfileDrift
Looks at
package-lock.json, yarn.lock, and poetry.lock patches, excluding packages already named in a changed manifest.
Reports
Lockfile line, package/version, ecosystem, direction, and OSV vulnerability details.
Network
Calls OSV.dev querybatch. No GitHub token required.
Operational note
Useful when a PR does not touch a top-level manifest but changes resolved dependency pins.

Hardcoded secrets

Scans added diff lines for credential-shaped values.

secret
Looks at
Added lines in every changed file patch.
Reports
File, line, secret kind, and confidence. The matched value is never returned.
Network
Pure local analyzer. No external network call.
Operational note
High-confidence patterns are treated as rotate-and-remove candidates; generic assignments stay verify-first.

Dependency licenses

Checks licenses for newly added or upgraded dependencies.

license
Looks at
The same direct dependency changes used by the dependency analyzer.
Reports
Copyleft or unknown license classifications that need maintainer compatibility review.
Network
Calls deps.dev. No GitHub token required.
Operational note
Permissive and otherwise-known licenses are intentionally silent.

npm install scripts

Flags npm packages that run lifecycle hooks during install.

installScript
Looks at
New or upgraded npm dependencies.
Reports
Package, version, hook names, and publish date when available.
Network
Calls the npm registry. No GitHub token required.
Operational note
The script body is not returned, which keeps the brief compact and non-executable.

Unpinned GitHub Actions

Detects third-party workflow actions pinned to mutable tags or branches.

actionPin
Looks at
Added uses: lines in .github/workflows YAML patches.
Reports
Workflow file, line, action, and mutable ref.
Network
Pure local analyzer. No external network call.
Operational note
Official actions/* and github/* actions are excluded to keep the signal focused.
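The actionPin rule as described above, run over a constructed workflow patch; this is an added example, not REES's own code. It assumes a ref counts as immutable only when it is a full 40-hex commit SHA, and that local (./) and docker:// references are out of scope.

```javascript
const OFFICIAL_OWNERS = new Set(['actions', 'github']);   // excluded per the reference
const FULL_SHA = /^[0-9a-f]{40}$/i;                         // assumption: the only immutable ref form
const ADDED_USES = /^\+\s*-?\s*uses:\s*["']?([^\s"'#]+)/;   // added "uses:" lines only

function findUnpinnedActions(patch, file) {
  const findings = [];
  let line = 0; // current line number in the new version of the file
  for (const raw of patch.split('\n')) {
    const hunk = raw.match(/^@@ -\d+(?:,\d+)? \+(\d+)/);
    if (hunk) { line = Number(hunk[1]) - 1; continue; }
    if (raw.startsWith('-')) continue;       // removed lines do not exist in the new file
    line += 1;                               // added and context lines both advance
    const m = raw.match(ADDED_USES);
    if (!m) continue;
    const spec = m[1];
    if (spec.startsWith('./') || spec.startsWith('docker://')) continue;
    const [action, ref] = spec.split('@');
    if (OFFICIAL_OWNERS.has(action.split('/')[0])) continue;
    if (ref && FULL_SHA.test(ref)) continue;  // immutable commit pin
    findings.push({ file, line, action, ref: ref ?? '(none)' });
  }
  return findings;
}

// Constructed patch: one official action, one SHA pin, two mutable refs.
const SAMPLE_PATCH = [
  '@@ -10,3 +10,5 @@ jobs:',
  '       - uses: actions/checkout@v4',
  '+      - uses: docker/login-action@v3',
  '+      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567',
  '+      - uses: someorg/deploy-tool@main',
  '-      - uses: someorg/deploy-tool@v1',
  '       - run: npm test',
].join('\n');

const unpinned = findUnpinnedActions(SAMPLE_PATCH, '.github/workflows/ci.yml');
```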

End-of-life runtimes

Checks changed runtime and base-image pins against EOL calendars.

eol
Looks at
Dockerfile FROM lines, .nvmrc, and go.mod runtime pins.
Reports
File, product, version, EOL date, and whether the release is already EOL or close to EOL.
Network
Calls endoflife.date. No GitHub token required.
Operational note
Only changed pins are checked; existing old runtimes outside the PR are not reported.

ReDoS-prone regex

Finds newly introduced regex shapes that can catastrophically backtrack.

redos
Looks at
Regex literals and RegExp constructor string arguments in added lines.
Reports
File, line, and a truncated vulnerable pattern.
Network
Pure local analyzer. No external network call.
Operational note
Structural and precision-first; it flags nested unbounded quantifier shapes such as (a+)+.
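A structural check for the nested unbounded quantifier shape the redos analyzer describes, applied to regex literals and RegExp string arguments on added lines; this is an added example, not REES's own code. It assumes the diff parser supplies already-numbered added lines, and its literal extraction is a heuristic rather than a JavaScript parser.

```javascript
const REGEX_LITERAL = /(?:^|[=(,:;!&|?\[{}\s])\/((?:\\.|\[(?:\\.|[^\]\\])*\]|[^\/\\\n\[])+)\/[dgimsuvy]*/g;
const REGEXP_STRING = /new\s+RegExp\s*\(\s*(["'])((?:\\.|(?!\1)[^\\\n])*)\1/g;

// True when a group containing an unbounded quantifier (+, * or {n,}) is itself
// followed by one, e.g. (a+)+ or ^(\d+\s?)*$. Escapes and character classes are
// skipped so \+ and [+*] are not counted as quantifiers.
function hasNestedUnboundedQuantifier(pattern) {
  const groups = [];      // open groups: does each contain an unbounded quantifier?
  let justClosed = null;  // the group closed by the previous character, if any
  let inClass = false;
  for (let i = 0; i < pattern.length; i++) {
    const c = pattern[i];
    if (c === '\\') { i++; justClosed = null; continue; }
    if (inClass) { if (c === ']') inClass = false; continue; }
    if (c === '[') { inClass = true; justClosed = null; continue; }
    if (c === '(') { groups.push({ unbounded: false }); justClosed = null; continue; }
    if (c === ')') { justClosed = groups.pop() ?? null; continue; }
    const brace = c === '{' ? pattern.slice(i).match(/^\{\d+,\}/) : null;
    if (brace) i += brace[0].length - 1;
    if (c === '+' || c === '*' || brace) {
      if (justClosed?.unbounded) return true;
      if (groups.length) groups[groups.length - 1].unbounded = true;
    }
    justClosed = null;
  }
  return false;
}

function findRedosPatterns(addedLines, file) {
  const findings = [];
  for (const { line, text } of addedLines) {
    const patterns = [...text.matchAll(REGEX_LITERAL)].map((m) => m[1])
      .concat([...text.matchAll(REGEXP_STRING)].map((m) => m[2]));
    for (const p of patterns) {
      if (hasNestedUnboundedQuantifier(p)) findings.push({ file, line, pattern: p.slice(0, 40) }); // truncated
    }
  }
  return findings;
}

// Constructed added lines from a JS file patch: two prone, one division, one safe.
const ADDED = [
  { line: 2, text: 'const email = /^([a-zA-Z0-9]+)+@example\\.com$/;' },
  { line: 3, text: 'const spaces = new RegExp("^(\\\\d+\\\\s?)*$");' },
  { line: 4, text: 'const ratio = total / count;' },
  { line: 5, text: 'const ip = /^(?:\\d{1,3}\\.){3}\\d{1,3}$/;' },
];
const redosFindings = findRedosPatterns(ADDED, 'src/validate.js');
```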

Provenance and committed artifacts

Checks package attestations and reviewability of newly added artifacts.

provenance
Looks at
New npm/PyPI dependency versions plus added binary, vendored, and minified files.
Reports
Missing attestations, binary files without reviewable source, and vendored or minified code.
Network
Calls npm and PyPI attestation/provenance endpoints for package checks. Path checks are local.
Operational note
Network failures fail safe: a lookup that errors produces no finding, and only a confident no-attestation response is flagged.

CODEOWNERS coverage

Checks whether changed files cross ownership domains not owned by the PR author.

codeowners
Looks at
.github/CODEOWNERS, CODEOWNERS, or docs/CODEOWNERS plus the changed file list.
Reports
Owned files where the PR author is not listed, plus ownership blast-radius context in the rendered brief.
Network
Calls the GitHub API. Requires author plus GitHub token forwarding for private repos.
Operational note
Set REES_FORWARD_GITHUB_TOKEN=false to disable token forwarding; this analyzer will then skip when it cannot read CODEOWNERS.

Secrets or PII in logs

Flags added code that writes sensitive values to logs or stdout.

secretLog
Looks at
Added lines that call console, logger, process.stdout, or process.stderr sinks.
Reports
File, line, sink, and category: secret, pii, or request-object.
Network
Pure local analyzer. No external network call.
Operational note
String log messages are stripped before matching, so ordinary prose such as "password reset" inside a message is not enough to trigger a finding.
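The secretLog behaviour described above, with string literals blanked before the category match so that words in message text do not count; this is an added example, not REES's own code. The sink list, category keyword lists and the numbered added-line input are assumptions.

```javascript
const SINK = /\b(?:console\.(?:log|info|warn|error|debug)|logger\.\w+|process\.std(?:out|err)\.write)(?=\s*\()/;
// Checked in order; the first category that matches the stripped line wins.
const CATEGORIES = [
  { category: 'secret', re: /\w*(?:password|passwd|secret|token|api_?key|private_?key)\w*/i },
  { category: 'pii', re: /\w*(?:ssn|email|phone|date_?of_?birth|credit_?card)\w*/i },
  { category: 'request-object', re: /\b(?:req|request)\b(?:\.(?:body|headers|query|cookies))?(?=\s*[,)])/ },
];

// Blank "...", '...' and `...` literals so words in message text never match.
// Template literals are blanked whole, ${...} included: a blind spot of this version.
function stripStrings(code) {
  return code.replace(/"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|`(?:\\.|[^`\\])*`/g, '""');
}

function findSensitiveLogs(addedLines, file) {
  const findings = [];
  for (const { line, text } of addedLines) {
    const sink = text.match(SINK);
    if (!sink) continue;                         // not a logging call: ignored even if names look sensitive
    const code = stripStrings(text);
    const hit = CATEGORIES.find(({ re }) => re.test(code));
    if (hit) findings.push({ file, line, sink: sink[0], category: hit.category });
  }
  return findings;
}

// Constructed added lines: prose-only message, PII identifier, secret identifier,
// whole request object, and a sensitive name that never reaches a sink.
const ADDED = [
  { line: 41, text: '  console.log("password reset requested");' },
  { line: 42, text: '  logger.info("user signed in", user.email);' },
  { line: 43, text: '  console.error("auth failed, token:", apiToken);' },
  { line: 44, text: '  logger.debug(req.body);' },
  { line: 45, text: '  const token = await issueToken(user);' },
];
const logFindings = findSensitiveLogs(ADDED, 'src/auth.js');
```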

Heavy binary assets

Finds large binary assets added to a PR, and growth deltas when base size is available.

assetWeight
Looks at
Changed binary assets such as images, fonts, archives, PDFs, videos, and compiled binaries.
Reports
Path, size, delta, and whether the asset was added or grown.
Network
Calls the GitHub API. Requires headSha and GitHub token forwarding for private repos.
Operational note
Added asset detection works from headSha. Growth comparison needs baseSha in the enrichment request.

Typosquat and dependency-confusion risk

Checks newly added dependency names for near-miss and publicly claimable package names.

typosquat
Looks at
Newly added npm and PyPI dependency names.
Reports
Typosquat matches against popular packages, or unscoped names missing from the public registry.
Network
Uses bundled popular-package lists plus npm/PyPI registry lookups for dependency-confusion checks.
Operational note
Scoped npm packages are treated as namespace-protected and are not flagged as typosquats.
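The two typosquat checks listed above, as an added example that is not REES's own code: a near-miss match against a popular-package list, then a public-registry lookup for unscoped names. The popular list, the registry snapshot and the edit-distance threshold are constructed assumptions; the real analyzer uses bundled lists and live npm/PyPI lookups.

```javascript
// Constructed stand-ins for the bundled popular list and for "is this name
// published on the public npm registry".
const POPULAR_NPM = ['lodash', 'express', 'react', 'axios', 'chalk'];
const PUBLIC_NPM = new Set([...POPULAR_NPM, 'loadsh', 'left-pad']);

// Levenshtein distance, single-row dynamic programming.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      row[j] = Math.min(row[j] + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = above;
    }
  }
  return row[b.length];
}

// Assumed near-miss rule: distance <= 1 for short popular names, <= 2 for
// names of six characters or more. Scoped packages are namespace-protected
// and return null without any check, as the reference states.
function checkNewDependency(name, popular = POPULAR_NPM, isPublic = (n) => PUBLIC_NPM.has(n)) {
  if (name.startsWith('@')) return null;
  if (popular.includes(name)) return null;                // the popular package itself
  const lookalike = popular.find((p) => editDistance(name, p) <= (p.length >= 6 ? 2 : 1));
  if (lookalike) return { package: name, kind: 'typosquat', lookalike };
  // An unscoped name nobody has published is publicly claimable, so an
  // internal package by that name is exposed to dependency confusion.
  if (!isPublic(name)) return { package: name, kind: 'dependency-confusion' };
  return null;
}

// Constructed newly added dependency names.
const NEW_DEPS = ['loadsh', 'expres', '@mycorp/utils', 'mycorp-internal-utils', 'left-pad', 'react'];
const typosquatFindings = NEW_DEPS.map((n) => checkNewDependency(n)).filter(Boolean);
```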

Back to REES setup

Use REES enrichment for enablement, auth, troubleshooting, and where the brief appears in the review result.