kern review
Deep static analysis that understands your code at the concept level. 68 AST-based rules + 5 concept rules. TypeScript and Python.
Quick start
```sh
# Review a directory
kern review src/ --recursive
# JSON output for CI
kern review src/ --json
# SARIF for GitHub Security tab
kern review src/ --sarif > results.sarif
# With LLM-assisted analysis
kern review src/ --llm
# Enforce minimum coverage
kern review src/ --enforce --min-coverage=80
```
Rule layers
Rules are organized in layers. Base + security + dead-logic are always active. Framework rules activate by target.
| Layer | Rules | When active |
|---|---|---|
| Base | 13 | Always |
| Security | 8 | Always |
| Security v2 | 6 | Always |
| Security v3 | 5 | Always |
| Dead Logic | 8 | Always |
| React | 6 | nextjs, tailwind, web, native |
| Next.js | 3 | nextjs only |
| Vue | 4 | vue, nuxt |
| Express | 3 | express only |
Concept rules
Beyond syntax linting, kern review understands universal code concepts: entrypoints, effects, guards, state mutations, and boundaries.
- unguarded-effect — Side effect (fetch, db, fs) without try/catch or error handling
- boundary-mutation — State mutated across module boundary
- ignored-error — Error caught but not handled (empty catch)
- illegal-dependency — Cross-module dependency without proper import
- unrecovered-effect — Effect can fail without recovery path
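The patterns the effect and error rules above describe, as an added TypeScript example that is not kern's own code: an unguarded fs effect, an empty catch that ignores the error, and a version with a recovery path. Whether kern's detectors fire on exactly these shapes is an assumption; the page names the concepts but shows no flagged code.

```typescript
// Added example (not kern's own code): the effect/error patterns named by
// unguarded-effect, ignored-error and unrecovered-effect. Assumption: kern
// flags these shapes; the page describes the concepts without sample code.
import { mkdtempSync, readFileSync, writeFileSync } from "node:fs";
import { tmpdir } from "node:os";
import { join } from "node:path";

type Config = { retries: number };
const DEFAULT_CONFIG: Config = { retries: 3 };

// Constructed sample input: a valid config written to a temp file.
function writeSampleConfig(): string {
  const dir = mkdtempSync(join(tmpdir(), "kern-example-"));
  const file = join(dir, "config.json");
  writeFileSync(file, JSON.stringify({ retries: 5 }));
  return file;
}

// unguarded-effect: the fs read can throw and nothing here recovers, so a
// missing or malformed file propagates straight to the caller.
function loadConfigUnguarded(file: string): Config {
  return JSON.parse(readFileSync(file, "utf8")) as Config;
}

// ignored-error: the effect is wrapped, but the empty catch swallows the failure.
function loadConfigIgnored(file: string): Config | undefined {
  try {
    return JSON.parse(readFileSync(file, "utf8")) as Config;
  } catch {
    // empty catch: callers get undefined with no record of why
  }
  return undefined;
}

// Recovery path: the failure is caught, recorded and turned into a documented
// fallback, which is what the effect rules ask for.
type LoadResult = { config: Config; source: "file" | "default"; error?: string };
function loadConfigRecovered(file: string): LoadResult {
  try {
    const parsed = JSON.parse(readFileSync(file, "utf8")) as Partial<Config>;
    if (typeof parsed.retries !== "number") {
      throw new Error(`invalid config in ${file}: retries must be a number`);
    }
    return { config: { retries: parsed.retries }, source: "file" };
  } catch (err) {
    const message = err instanceof Error ? err.message : String(err);
    return { config: DEFAULT_CONFIG, source: "default", error: message };
  }
}
```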
Output formats
- `--json` — Machine-readable JSON findings
- `--sarif` — SARIF format for GitHub Security tab
- `--summary` — Human-readable summary
- `--llm` — LLM-exportable format (5x smaller IR)
Configuration
```ts
// kern.config.ts
export default {
  review: {
    showConfidence: true, // Show confidence scores
    minConfidence: 0, // 0-1, filter low-confidence findings
    maxComplexity: 15, // Cognitive complexity threshold
  },
};
```