Set up custom compliance
Each compliance is defined in a YAML file with the following fields:title(required): A clear, descriptive title that identifies what is being checked.compliance_label(required): Determines whether this compliance generates labels for non-compliance issues (trueorfalse).objective(required): A detailed description of the goal or purpose of the compliance.success_criteria/failure_criteria(at least one required): Define the conditions for compliance.
Example of a compliance checklist
Example of a compliance checklist
Writing effective compliance checklists
Writing effective compliance checklists
- Avoid overly complex or subjective compliances that are hard to verify.
- Keep compliances focused on security, business requirements, and critical standards.
- Use clear, actionable language that developers can understand.
- Focus on meaningful compliance requirements, not style preferences.
Ready-to-use compliance templates
Ready-to-use compliance templates
For production-ready compliance checklist templates organized by programming languages and technology stacks, check out the PR Compliance Templates repository.
Local compliance checklists
Create apr_compliance_checklist.yaml file in your repository root containing your compliance requirements.
Qodo will use this file during code review. If the PR violates these requirements, the results will be surfaced in the code review.
Global hierarchical compliance
For organizations managing multiple repositories with different requirements, Qodo supports a hierarchical compliance system using a dedicated global configuration repository.Set up global hierarchical compliance
1
Create a new repository named
pr-agent-settings in your organization or workspace.2
Build the folder hierarchy in your
pr-agent-settings repository. For example:pr-agent-settings, codebase_standards, global, groups, metadata.yaml, and pr_compliance_checklist.yaml must be named exactly as shown.All other names (such as frontend_repos, backend_repos, etc.) are examples and should be replaced with your actual repository and service names.Grouping and categorizing compliance checklists
Grouping and categorizing compliance checklists
- Each folder (including the global folder) can contain a single
pr_compliance_checklist.yamlfile. - Organize repository compliance checklists by creating subfolders within the
groupsfolder. - Group them by purpose, programming language, or other categories.
3
Define the metadata file
metadata.yaml in the root of pr-agent-settings:4
Set the following configuration:
Compliance checklist loading strategy
Compliance checklist loading strategy
-
Global checklists: Hierarchical compliance from the
pr-agent-settingsrepository.- If the repository is mapped in
metadata.yaml, it uses the specified paths and the global compliance checklist. - For monorepos, it automatically collects compliance checklists matching PR file paths.
- If the repository is not mapped in
metadata.yaml, global checklists are not loaded.
- If the repository is mapped in
-
Local repository checklist:
pr_compliance_checklist.yamlfile in the repository.- Loaded if present in the repository.
- Content is merged with global checklists (if loaded) to create the final compliance checklist.
Configuration options
General options
General options
Security compliance options
Security compliance options
Ticket compliance options
Ticket compliance options
Use cases
Blocking PRs based on compliance
You can configure CI/CD Actions to prevent merging PRs with specific compliance labels:Possible security concern: Block PRs with potential security issues.Failed compliance check: Block PRs that violate custom compliance checklists.