Frequently Asked Questions
Everything you need to know about Repotoire.
What is Repotoire?
Repotoire is a graph-powered code analysis CLI that detects architectural issues, security vulnerabilities, and code smells across your codebase. It builds a knowledge graph of your code using petgraph and tree-sitter, then runs 106 pure Rust detectors to find problems that traditional file-by-file linters miss — like circular dependencies, god classes, architectural bottlenecks, and hidden coupling.
How is Repotoire different from ESLint or SonarQube?
Traditional linters like ESLint analyze files in isolation — they can catch syntax errors, style violations, and per-file bugs. Repotoire analyzes relationships between files by building a graph of your entire codebase. This lets it detect cross-file issues like circular dependencies, architectural bottlenecks, and coupling problems that no file-by-file linter can see. It complements ESLint rather than replacing it.
What languages does Repotoire support?
Repotoire supports 9 languages: Python, TypeScript, JavaScript (including TSX/JSX), Rust, Go, Java, C#, C, and C++. All parsing is done via tree-sitter grammars compiled into the binary — no external parser dependencies needed.
How do I install Repotoire?
Install via Homebrew (brew install repotoire), cargo install (cargo install repotoire), cargo-binstall for prebuilt binaries (cargo binstall repotoire), or npm (npx repotoire). It's a single binary with zero runtime dependencies.
Is Repotoire free?
The CLI is free and open source. You can analyze any codebase locally without limits. The web dashboard (at repotoire.com) has free and paid tiers for team features, history, and CI/CD integration.
What are the 106 detectors?
Repotoire has 73 default detectors and 33 deep-scan detectors (enabled with --all-detectors). Categories include: 23 security detectors (SQL injection, XSS, SSRF, secrets detection), 25 code quality detectors (empty catch, deep nesting, magic numbers), 12 graph-based code smell detectors (god class, feature envy, circular dependencies), 12 architecture detectors (bottlenecks, PageRank drift, hidden coupling), and specialized detectors for AI-generated code, ML/data science, Rust, and async patterns.
How does the scoring work?
Repotoire uses a three-pillar scoring system: Structure (40%), Quality (30%), and Architecture (30%). Findings are weighted by severity (Critical=5, High=2, Medium=0.5, Low=0.1). Graph-derived bonuses reward good practices like high modularity, clean dependencies, and balanced complexity distribution. Scores range from F to A+, with 13 grade levels.
How fast is Repotoire?
Cold analysis of a typical codebase takes 10-20 seconds. Subsequent runs use incremental caching and typically complete in 1-2 seconds for single-file changes. All parsing and detection run in parallel via rayon. Files over 2 MB are automatically skipped.
Does Repotoire work in CI/CD?
Yes. There's an official GitHub Action (Zach-hammad/repotoire-action@v1) that runs analysis on PRs, posts comments with findings, uploads SARIF for GitHub Code Scanning, and supports quality gates (--fail-on high to block merges). SARIF 2.1.0 output works with any CI system that supports it.
What output formats does Repotoire support?
Five formats: text (default, with themed narrative output), JSON (machine-readable), HTML (standalone report with SVG architecture map, treemap, and charts), SARIF 2.1.0 (GitHub Code Scanning compatible), and Markdown. Use --format to select.
Can I suppress specific findings?
Yes. Add // repotoire:ignore on the line before a finding to suppress all detectors, or // repotoire:ignore[detector-name] to suppress a specific detector. Supports //, #, /*, and -- comment styles. You can also configure exclusions in repotoire.toml.
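A bare repotoire:ignore suppresses all detectors for the finding that follows, security detectors included, so reviewers may want an inventory of suppression markers in a change. The script below is an added example, not Repotoire's own code; the marker regex, its whitespace tolerance, and the detector names in the constructed sample are assumptions based on the syntax described above.

```python
import re

# Assumed marker grammar, from the FAQ wording: a comment opener
# (//, #, /* or --), the literal "repotoire:ignore", then an optional
# [detector-name]. Whitespace handling is an assumption.
MARKER = re.compile(
    r"(?://|#|/\*|--)\s*repotoire:ignore\b(?:\[(?P<detector>[^\]\s]+)\])?"
)

def audit_suppressions(source, path="<memory>"):
    """Return one record per suppression marker found in `source`."""
    lines = source.splitlines()
    records = []
    for idx, line in enumerate(lines):
        m = MARKER.search(line)
        if not m:
            continue
        # The marker sits on the line before the finding, so the
        # suppressed code is the following line (empty at end of file).
        target = lines[idx + 1].strip() if idx + 1 < len(lines) else ""
        records.append({
            "path": path,
            "line": idx + 1,                      # 1-based line of the marker
            "detector": m.group("detector"),      # None for a blanket marker
            "blanket": m.group("detector") is None,
            "suppresses": target,
        })
    return records

def blanket_only(records):
    """Markers that silence every detector; these deserve a reviewer's eye."""
    return [r for r in records if r["blanket"]]

# Constructed sample input; the detector names are hypothetical.
SAMPLE = '''\
import sqlite3
# repotoire:ignore[sql-injection]
cur.execute("SELECT * FROM users WHERE id = " + user_id)
# repotoire:ignore
password = "hunter2"
value = compute()  # unrelated comment
-- repotoire:ignore[magic-numbers]
SELECT 42;
'''

if __name__ == "__main__":
    for r in audit_suppressions(SAMPLE, "sample.py"):
        kind = "BLANKET" if r["blanket"] else r["detector"]
        print(f'{r["path"]}:{r["line"]} {kind:<16} -> {r["suppresses"]}')
```

The regex is purely textual, so a marker that appears inside a string literal is reported too; treat the output as a review list rather than an exact mirror of what the tool suppresses.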
Does Repotoire send my code anywhere?
No. All analysis runs locally on your machine. The only network call is optional telemetry (PostHog, opt-in only) which sends aggregate metrics like language distribution and score — never source code. You can disable it with repotoire config telemetry off.