
See what your diff
really changes

Code review that understands your architecture.
Not another GPT wrapper.

$ cargo install revet

Three layers. One command.

80% of checks are deterministic — fast, free, reproducible. LLM reasoning is opt-in and never sees your raw source.

01
Code Intelligence Graph
always runs · no LLM

Parses every file via Tree-sitter into an AST and builds a full dependency graph. Detects cross-file breaking changes instantly.

Cross-file impact
Dead code detection
Circular deps
< 2s / 10k files

02
Domain Analyzers
rule-based · pluggable

9 specialized modules covering security, ML, infrastructure, React, async, dependencies, error handling, and duplication. All deterministic, all toggleable.

Security & secrets
ML pipeline skew
SQL injection
React hooks
Async patterns
Duplication
Custom rules

03
LLM Reasoning
opt-in · --ai

Only invoked when you ask. Receives structured graph context, never your raw source code. Bring your own API key — Anthropic, OpenAI, or run locally with Ollama.

Your API key
Claude / OpenAI / Ollama
Air-gapped mode

11 languages.
One tool.

Powered by Tree-sitter for fast, accurate AST parsing. Functions, classes, interfaces, generics, decorators — fully understood across every major language.

Python: .py
TypeScript: .ts .tsx .js .jsx
Go: .go
Java: .java
Rust: .rs
C#: .cs
Kotlin: .kt .kts
Ruby: .rb .rake
PHP: .php
Swift: .swift
C / C++: .c .h .cpp .cc .hpp

Nine specialized modules.

Each module targets a specific class of bugs. Enable exactly what your stack needs in .revet.toml. Three are on by default; the rest are opt-in.

SEC · on by default
Security & Secrets
Hardcoded API keys, AWS credentials, private keys, connection strings, and generic secrets.

SQL · on by default
SQL Injection
Unsafe query construction via string concatenation, f-strings, and template literals.

ML · on by default
ML Pipeline
Data leakage, train/serve skew, non-reproducible splits, and hardcoded data paths.

INFRA · opt-in
Infrastructure
Wildcard IAM actions, public S3 ACLs, open security groups, and privileged containers.

HOOKS · opt-in
React Hooks
Rules of Hooks violations, missing dependency arrays, missing key props.

ASYNC · opt-in
Async Patterns
Async forEach callbacks, unhandled promise chains, and floating coroutines.

DEP · opt-in
Dependency Hygiene
Wildcard imports, unpinned versions, and git dependencies in manifests.

ERR · opt-in
Error Handling
Empty catch blocks, bare except, .unwrap() in Rust, discarded errors in Go.

DUP · opt-in
Duplication
Sliding-window hash detects copy-paste blocks across files. Configurable minimum block size.

CUSTOM · user-defined
Custom Rules
Regex rules in .revet.toml with optional auto-fix. No Rust required.

One tool.
Many modes.

From a quick diff review to continuous watch mode and inline GitHub PR comments — all from the same binary.

$ revet review

Review changes against main. Builds the graph and runs all enabled modules.

$ revet review --full .

Review the entire codebase, not just the diff.

$ revet diff main

Findings only on lines you changed. Perfect for PR reviews.

$ revet review --fix

Auto-remediate fixable findings in-place.

$ revet watch

Continuous mode — re-analyzes on every file save.

$ revet baseline

Snapshot current findings. Future runs only report new ones.

$ revet review --ai

LLM reasoning for ambiguous findings. Bring your own API key.

$ revet explain SEC-001 --ai

Deep explanation of any finding ID.

$ revet review --format sarif

SARIF 2.1.0 output for GitHub Code Scanning.

$ revet review --format github

Inline annotations for GitHub Actions workflows.

$ revet review --post-comment

Post findings as inline comments on a GitHub PR.

$ revet review --format json

Machine-readable JSON for custom tooling and dashboards.

$ revet review --gate error:0

Quality gate — fail CI if finding counts exceed per-severity limits.

$ revet stats

Clean run rate, week-over-week trend, top noisy rules across all past runs.

$ revet report

Generate a self-contained HTML quality report with trend charts and debt estimate.

$ revet config check

Validate .revet.toml without running analysis. Catches regex errors and unknown fields.

CI-native.
3 lines.

Drop revet into any GitHub workflow. SARIF upload to Code Scanning included — no extra configuration needed.

SARIF → Code Scanning
Pre-built binary · no compile step
Linux · macOS · Windows
Quality gate · fail on threshold
yaml — .github/workflows/review.yml

name: Code Review
on: [pull_request]
jobs:
  revet:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # for SARIF upload
    steps:
      - uses: actions/checkout@v4
      - uses: umitkavala/revet@v0.2.7
        with:
          gate: 'error:0'        # fail if any errors
          sarif-upload: 'true'   # → Code Scanning
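The per-severity gate shown above (--gate error:0) can also be enforced by a CI step that only has the SARIF 2.1.0 file from `revet review --format sarif`, which is useful when the upload and the gate live in different jobs. The script below is an added example, not revet's own code; it assumes revet's SARIF uses the standard `level` values, and the comma-separated multi-level gate syntax plus the DEP-003 and DUP-001 rule ids are constructed for the example.

```python
"""Apply a revet-style per-severity quality gate to a SARIF 2.1.0 document."""
from collections import Counter

# SARIF 2.1.0 result levels; revet's SARIF output is assumed to use these.
LEVELS = ("error", "warning", "note")

def parse_gate(spec: str) -> dict[str, int]:
    """Parse 'error:0' (the form shown on the page) or the assumed
    comma-separated 'error:0,warning:5' into {level: max_allowed}."""
    limits = {}
    for pair in spec.split(","):
        level, _, count = pair.strip().partition(":")
        if level not in LEVELS or not count.isdigit():
            raise ValueError(f"bad gate entry: {pair!r}")
        limits[level] = int(count)
    return limits

def count_by_level(sarif: dict) -> Counter:
    """Count results per level across all runs. A result without 'level'
    defaults to 'warning' (SARIF default; rule-level overrides ignored)."""
    counts = Counter()
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            counts[result.get("level", "warning")] += 1
    return counts

def gate_passes(sarif: dict, spec: str) -> tuple[bool, list[str]]:
    """Return (passed, violations); each violation names the exceeded level."""
    limits, counts = parse_gate(spec), count_by_level(sarif)
    violations = [f"{lvl}: {counts[lvl]} > {lim}"
                  for lvl, lim in limits.items() if counts[lvl] > lim]
    return (not violations, violations)

# Constructed stand-in for `revet review --format sarif` output.
# SEC-001 appears on the page; DEP-003 and DUP-001 are made-up ids.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "revet"}},
        "results": [
            {"ruleId": "SEC-001", "level": "error", "message": {"text": "hardcoded AWS key"}},
            {"ruleId": "DEP-003", "level": "warning", "message": {"text": "unpinned version"}},
            {"ruleId": "DUP-001", "message": {"text": "duplicate block"}},  # no level -> warning
        ],
    }],
}

if __name__ == "__main__":
    ok, why = gate_passes(SAMPLE_SARIF, "error:0")
    print("PASS" if ok else "FAIL: " + "; ".join(why))
```

In a real pipeline, load the SARIF file with `json.load` and exit non-zero when `gate_passes` returns False so the job fails on threshold.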