Skip to main content
GitHub GitLab Bitbucket Custom compliance allows you to define and enforce requirements on pull requests, such as security checks, ticket validation, and organizational policies.

Set up custom compliance

Each compliance is defined in a YAML file with the following fields:
  • title (required) — A clear, descriptive title that identifies what is being checked.
  • compliance_label (required) — Determines whether this compliance generates labels for non-compliance issues (true or false).
  • objective (required) — A detailed description of the goal or purpose of the compliance.
  • success_criteria / failure_criteria (at least one required) — Define the conditions for compliance.
# pr_compliance_checklist.yaml
pr_compliances:
  - title: "Error Handling"
    compliance_label: true
    objective: "All external API calls must have proper error handling"
    success_criteria: "Try-catch blocks around external calls with appropriate logging"
    failure_criteria: "External API calls without error handling or logging"

...
  • Avoid overly complex or subjective compliances that are hard to verify.
  • Keep compliances focused on security, business requirements, and critical standards.
  • Use clear, actionable language that developers can understand.
  • Focus on meaningful compliance requirements, not style preferences.
For production-ready compliance checklist templates organized by programming languages and technology stacks, check out the PR Compliance Templates repository.

Local compliance checklists

Create a pr_compliance_checklist.yaml file in your repository root containing your compliance requirements. Qodo will use this file during code review. If the PR violates these requirements, the results will be surfaced in the code review.

Global hierarchical compliance

For organizations managing multiple repositories with different requirements, Qodo supports a hierarchical compliance system using a dedicated global configuration repository.

Set up global hierarchical compliance

1
Create a new repository named pr-agent-settings in your organization or workspace.
2
Build the folder hierarchy in your pr-agent-settings repository. For example:
pr-agent-settings/
├── metadata.yaml                              # Maps repos/folders to compliance paths
└── codebase_standards/                        # Root for all compliance definitions
    ├── global/                                # Global compliance, inherited widely
   └── pr_compliance_checklist.yaml
    ├── groups/                                # For groups of repositories
   ├── frontend_repos/
   └── pr_compliance_checklist.yaml
   ├── backend_repos/
   └── pr_compliance_checklist.yaml
   ├── python_repos/
   └── pr_compliance_checklist.yaml
   ├── cpp_repos/
   └── pr_compliance_checklist.yaml
   └── ...
    ├── repo_a/                                # For standalone repositories
   └── pr_compliance_checklist.yaml
    ├── monorepo-name/                         # For monorepo-specific compliance
   ├── pr_compliance_checklist.yaml       # Root-level compliance
   ├── service-a/                         # Subproject compliance
   └── pr_compliance_checklist.yaml
   └── service-b/                         # Another subproject
       └── pr_compliance_checklist.yaml
    └── ...
pr-agent-settings, codebase_standards, global, groups, metadata.yaml, and pr_compliance_checklist.yaml must be named exactly as shown.All other names (such as frontend_repos, backend_repos, etc.) are examples and should be replaced with your actual repository and service names.
  • Each folder (including the global folder) can contain a single pr_compliance_checklist.yaml file.
  • Organize repository compliance checklists by creating subfolders within the groups folder.
  • Group them by purpose, programming language, or other categories.
3
Define the metadata file metadata.yaml in the root of pr-agent-settings:
# Standalone repos
qodo-merge:
  pr_compliance_checklist_paths:
    - "qodo-merge"

# Group-associated repos
repo_b:
  pr_compliance_checklist_paths:
    - "groups/backend_repos"

# Multi-group repos
repo_c:
  pr_compliance_checklist_paths:
    - "groups/frontend_repos"
    - "groups/backend_repos"

# Monorepo with subprojects
qodo-monorepo:
  pr_compliance_checklist_paths:
    - "qodo-monorepo"
  monorepo_subprojects:
    frontend:
      pr_compliance_checklist_paths:
        - "qodo-monorepo/qodo-github"
    backend:
      pr_compliance_checklist_paths:
        - "qodo-monorepo/qodo-gitlab"
4
Set the following configuration:
[pr_compliance]
enable_global_pr_compliance = true
  1. Global checklists: Hierarchical compliance from the pr-agent-settings repository.
    • If the repository is mapped in metadata.yaml, it uses the specified paths and the global compliance checklist.
    • For monorepos, it automatically collects compliance checklists matching PR file paths.
    • If the repository is not mapped in metadata.yaml, global checklists are not loaded.
  2. Local repository checklist: pr_compliance_checklist.yaml file in the repository.
    • Loaded if present in the repository.
    • Content is merged with global checklists (if loaded) to create the final compliance checklist.

Configuration options

OptionDescription
extra_instructionsOptional extra instructions. For example: “Ensure that all error-handling paths in the code contain appropriate logging statements”. Default is empty string.
persistent_commentIf set to true, the compliance comment will be persistent, meaning that every new compliance request will edit the previous one. Default is true.
enable_user_defined_compliance_labelsIf set to true, the label Failed compliance check will be added for custom compliance violations. Default is true.
enable_estimate_effort_to_reviewIf set to true, the estimate effort required to review the PR (1–5 scale) is added as a label. Default is true.
enable_todo_scanIf set to true, scans for TODO comments in the PR code. Default is false.
enable_update_pr_compliance_checkboxIf set to true, an update checkbox to refresh compliance status following push events will be added. Default is true.
enable_help_textIf set to true, help text will be displayed in the comment. Default is false.
OptionDescription
enable_security_complianceIf set to true, checks for security vulnerabilities. Default is true.
enable_compliance_labels_securityIf set to true, a Possible security concern label will be added to the PR when security-related concerns are detected. Default is true.
OptionDescription
enable_ticket_labelsIf set to true, adds ticket compliance labels to the PR. Default is false.
enable_no_ticket_labelsIf set to true, adds a label when no ticket is found. Default is false.
check_pr_additional_contentIf set to true, checks whether the PR contains content not related to the ticket. Default is false.

Use cases

Blocking PRs based on compliance

You can configure CI/CD Actions to prevent merging PRs with specific compliance labels:
  • Possible security concern — Block PRs with potential security issues.
  • Failed compliance check — Block PRs that violate custom compliance checklists.
Implement a dedicated GitHub Action to enforce these checklists.