ovecc review
What a change introduced between two snapshots: new findings with file:line,
new dependency cycles with their concrete import witness edges, and added
duplication — in one deterministic call. The actionable companion to
gate, which reports only counts.
Usage: ovecc review [OPTIONS] [BASE] [HEAD]
BASE defaults to previous, HEAD to latest; both accept snapshot ids or Git
refs.
Example — a failing review
$ ovecc review
Review: fail (risk Critical) snapshot:85ee2372… -> snapshot:5ab78093…
- 1 new dependency cycle(s): core ↔ services
- 6 new security finding(s)
- 1 new high-complexity function(s)
- 2 new dead-code finding(s)
- 1 new duplication(s)
New cycles:
core <-> services
src/core/db.ts:2 imports ../services/billing -> src/services/billing.ts
src/services/billing.ts:1 imports ../core/db -> src/core/db.ts
New findings:
[Critical] HardcodedSecret (src/services/billing.ts:5 (Stripe secret key)) Hardcoded secret: Stripe secret key
[Critical] TaintedFlow (src/routes/api.ts:55 (sink: eval)) Potential tainted flow: POST /admin/eval -> eval (eval)
[High] HighComplexity (src/services/orders.ts:8 (cyclomatic 24, cognitive 32)) High complexity: validateOrder (cyclomatic 24, cognitive 32)
[High] CrossDomainDependency (src/core/db.ts:2 (../services/billing)) core -> services
[Low] UnusedExport (src/services/reports.ts:16) Unused export: refundSummary in src/services/reports.ts
New duplications:
89 tokens / 12 lines / 2 copies
src/services/reports.ts:3-14
src/services/reports.ts:16-27
Example — a passing review
$ ovecc review
Review: pass (risk Low) snapshot:b3fb2f1b… -> snapshot:95c00fe4…
- no new defects introduced by this change
The PR comment
--format markdown renders a ready-to-post document with per-finding rules and
machine remediation actions:
# Change review: FAIL
- Risk: **Critical**
- Files: +2 added, ~3 modified
...
- **[Critical] HardcodedSecret** (src/services/billing.ts:5 (Stripe secret key)) —
Hardcoded secret: Stripe secret key _(rule `security/secret`)_ · action: `rotate_and_externalize_secret`
Options
| Option | Default | Effect |
|---|---|---|
[BASE] [HEAD] | previous latest | Snapshot ids or Git refs |
--fail-on <medium|high|any> | any | Exit 1 when the change crosses the threshold |
Plus the global options.
Semantics
- Content identity, not line numbers. Findings are matched by enclosing symbol / pattern detail, so a pre-existing finding that merely moved down the file is not blamed on the change.
- Both snapshots must exist. Index the base, make the change, index again — see
the PR loop.
could not resolve base snapshot 'previous'means the repository has fewer than two snapshots. - Advisory hygiene: if you run
audit --fetchbetween two indexes, the newly-recorded advisories will appear as newVulnerableDependencyfindings in the next review. Fetch advisories before the base index (or on a schedule) to keep reviews change-scoped. - Exit
1still prints the complete result — the failing check explains itself.
Related
- The PR review loop — the full workflow
gate·diff