Skip to main content

ovecc review

What a change introduced between two snapshots: new findings with file:line, new dependency cycles with their concrete import witness edges, and added duplication — in one deterministic call. The actionable companion to gate, which reports only counts.

Usage: ovecc review [OPTIONS] [BASE] [HEAD]

BASE defaults to previous, HEAD to latest; both accept snapshot ids or Git refs.

Example — a failing review

$ ovecc review
Review: fail (risk Critical) snapshot:85ee2372… -> snapshot:5ab78093…
- 1 new dependency cycle(s): core ↔ services
- 6 new security finding(s)
- 1 new high-complexity function(s)
- 2 new dead-code finding(s)
- 1 new duplication(s)
New cycles:
core <-> services
src/core/db.ts:2 imports ../services/billing -> src/services/billing.ts
src/services/billing.ts:1 imports ../core/db -> src/core/db.ts
New findings:
[Critical] HardcodedSecret (src/services/billing.ts:5 (Stripe secret key)) Hardcoded secret: Stripe secret key
[Critical] TaintedFlow (src/routes/api.ts:55 (sink: eval)) Potential tainted flow: POST /admin/eval -> eval (eval)
[High] HighComplexity (src/services/orders.ts:8 (cyclomatic 24, cognitive 32)) High complexity: validateOrder (cyclomatic 24, cognitive 32)
[High] CrossDomainDependency (src/core/db.ts:2 (../services/billing)) core -> services
[Low] UnusedExport (src/services/reports.ts:16) Unused export: refundSummary in src/services/reports.ts
New duplications:
89 tokens / 12 lines / 2 copies
src/services/reports.ts:3-14
src/services/reports.ts:16-27

Example — a passing review

$ ovecc review
Review: pass (risk Low) snapshot:b3fb2f1b… -> snapshot:95c00fe4…
- no new defects introduced by this change

The PR comment

--format markdown renders a ready-to-post document with per-finding rules and machine remediation actions:

# Change review: FAIL

- Risk: **Critical**
- Files: +2 added, ~3 modified
...
- **[Critical] HardcodedSecret** (src/services/billing.ts:5 (Stripe secret key)) —
Hardcoded secret: Stripe secret key _(rule `security/secret`)_ · action: `rotate_and_externalize_secret`

Options

OptionDefaultEffect
[BASE] [HEAD]previous latestSnapshot ids or Git refs
--fail-on <medium|high|any>anyExit 1 when the change crosses the threshold

Plus the global options.

Semantics

  • Content identity, not line numbers. Findings are matched by enclosing symbol / pattern detail, so a pre-existing finding that merely moved down the file is not blamed on the change.
  • Both snapshots must exist. Index the base, make the change, index again — see the PR loop. could not resolve base snapshot 'previous' means the repository has fewer than two snapshots.
  • Advisory hygiene: if you run audit --fetch between two indexes, the newly-recorded advisories will appear as new VulnerableDependency findings in the next review. Fetch advisories before the base index (or on a schedule) to keep reviews change-scoped.
  • Exit 1 still prints the complete result — the failing check explains itself.