Policy Checks

Codity provides configurable policy checks that enforce merge requirements on pull requests and merge requests. Policies are enforced via commit status checks (codity/policy-check) and can block merges until requirements are met.

Overview

Policy checks run automatically on every PR/MR and report results as a commit status check. When configured as a required status check in your branch protection rules, failing policy checks prevent merging.

Supported Platforms:

  • GitHub
  • GitLab
  • Azure DevOps
  • Bitbucket

Available Policy Checks

Minimum Reviewers

Requires a minimum number of unique approvals before a PR/MR can be merged.

  • Default: 2 reviewers
  • Range: 0–10

Recognized Approval Comments:

  • lgtm
  • approved
  • looks good to me
  • looks good
  • ship it
  • +1

The PR author's own approvals and comments are excluded from the count. Only the latest review per user is considered, so a user who approves and later requests changes no longer counts toward the minimum.
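The counting rules above, worked through in code. This is an added example, not Codity's own implementation: it assumes a flat timeline of review and comment events per PR, that a recognized approval comment must equal one of the listed phrases after trimming and lower-casing (a plain substring test would also accept "does not look good to me"), and that a user's latest review overrides any earlier approval comment from them. The sample timeline is constructed.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime

# Approval phrases listed on the page.
APPROVAL_PHRASES = {"lgtm", "approved", "looks good to me", "looks good", "ship it", "+1"}


@dataclass(frozen=True)
class Event:
    user: str
    kind: str    # "review" or "comment"
    value: str   # review state ("APPROVED", "CHANGES_REQUESTED", "COMMENTED") or comment text
    at: datetime


def is_approval_comment(text: str) -> bool:
    """Assumption: the whole comment, trimmed and lower-cased, must equal a phrase."""
    return text.strip().lower() in APPROVAL_PHRASES


def approvers(author: str, events: list[Event]) -> set[str]:
    """Users whose most recent review (or recognized approval comment) is an approval."""
    latest: dict[str, bool] = {}
    for ev in sorted(events, key=lambda e: e.at):
        if ev.user == author:
            continue  # the author's own approvals and comments never count
        if ev.kind == "review":
            latest[ev.user] = ev.value == "APPROVED"  # latest review per user wins
        elif ev.kind == "comment" and is_approval_comment(ev.value):
            latest[ev.user] = True
    return {user for user, approved in latest.items() if approved}


def minimum_reviewers_check(author: str, events: list[Event], minimum: int = 2) -> tuple[bool, str]:
    """Pass/fail plus the message the page shows for this check."""
    got = len(approvers(author, events))
    if got >= minimum:
        return True, f"{got}/{minimum} approval(s)"
    return False, f"Need {minimum - got} more approval(s) ({got}/{minimum}): comment LGTM or approve via review"


def sample_events() -> list[Event]:
    """Constructed timeline for a PR authored by alice."""
    t = lambda hour: datetime(2024, 1, 1, hour)
    return [
        Event("bob", "review", "APPROVED", t(9)),
        Event("carol", "comment", "LGTM", t(10)),            # counts: recognized phrase
        Event("alice", "comment", "lgtm", t(11)),            # ignored: PR author
        Event("bob", "review", "CHANGES_REQUESTED", t(12)),  # bob's latest review overrides his approval
        Event("dave", "comment", "not looking good", t(13)), # not an approval phrase
    ]


if __name__ == "__main__":
    ok, message = minimum_reviewers_check("alice", sample_events())
    print("PASS" if ok else "FAIL", message)
```

With the sample timeline only carol counts, so the check fails with the same "Need 1 more approval(s) (1/2)" wording shown later on this page.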

Require Ticket Reference

Requires a ticket reference (e.g., Jira, GitHub issue) in the PR title or body.

  • Default: Enabled
  • Default Patterns: JIRA-*, ENG-*, #*

Patterns use glob-style matching:

  • JIRA-* matches JIRA-123, JIRA-456, etc.
  • ENG-* matches ENG-100, ENG-200, etc.
  • #* matches #42, #100, etc.

Both the PR title and body are searched for matches.

Require Tests

Requires test files to be included when code files are changed.

  • Default: Enabled

Default Test File Patterns:

  • **/test/**, **/tests/**
  • **/*_test.py, **/test_*.py
  • **/*_test.go
  • **/*.spec.js, **/*.test.js
  • **/*.spec.ts, **/*.test.ts
  • **/*.spec.jsx, **/*.test.jsx
  • **/*.spec.tsx, **/*.test.tsx
  • **/*Test.java
  • **/*_test.rb, **/*_spec.rb

Files excluded from the test requirement (non-testable):

  • Documentation: .md, .rst, .txt
  • Configuration: .yml, .yaml, .json, .toml, .ini, .xml, .env
  • Styles/Assets: .css, .scss, .svg, .png, .jpg, fonts
  • Shell scripts: .sh, .bash, .bat
  • Build/CI files: Dockerfile, Makefile, Jenkinsfile, .gitlab-ci.yml
  • Lock files: package-lock.json, yarn.lock, go.sum, Gemfile.lock
  • Paths: migrations/, .github/, .gitlab/, config/, docs/, vendor/, node_modules/, static/, assets/

If only non-testable files are changed, the check passes automatically.

Require Description Sections

Requires specific sections to be present in the PR description.

  • Default: Disabled
  • Example Sections: ## Summary, ## Changes, ## Test Plan

Section matching is case-insensitive.
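The three content checks above (ticket reference, test files, description sections), worked through in one added example that is not Codity's own code. It assumes: for test-file patterns, `**/` matches any directory prefix and `*` does not cross `/`; for ticket patterns, `*` matches one or more `[A-Za-z0-9_-]` characters and the reference must stand on its own (so `MYJIRA-1`, or the `#` in a `## Heading`, is not a match); the excluded directory names apply to any path component; font files are `.woff`, `.woff2` and `.ttf`; and a required description heading must sit on a line of its own. The sample PR title, body and file list are constructed.

```python
from __future__ import annotations

import re

# Defaults as listed on the page.
DEFAULT_TICKET_PATTERNS = ["JIRA-*", "ENG-*", "#*"]
DEFAULT_TEST_PATTERNS = [
    "**/test/**", "**/tests/**", "**/*_test.py", "**/test_*.py", "**/*_test.go",
    "**/*.spec.js", "**/*.test.js", "**/*.spec.ts", "**/*.test.ts",
    "**/*.spec.jsx", "**/*.test.jsx", "**/*.spec.tsx", "**/*.test.tsx",
    "**/*Test.java", "**/*_test.rb", "**/*_spec.rb",
]
NON_TESTABLE_EXT = {".md", ".rst", ".txt", ".yml", ".yaml", ".json", ".toml", ".ini", ".xml", ".env",
                    ".css", ".scss", ".svg", ".png", ".jpg", ".woff", ".woff2", ".ttf",  # fonts: assumed
                    ".sh", ".bash", ".bat"}
NON_TESTABLE_NAMES = {"Dockerfile", "Makefile", "Jenkinsfile", ".gitlab-ci.yml",
                      "package-lock.json", "yarn.lock", "go.sum", "Gemfile.lock"}
NON_TESTABLE_DIRS = {"migrations", ".github", ".gitlab", "config", "docs", "vendor",
                     "node_modules", "static", "assets"}


def glob_to_regex(pattern: str, path: bool) -> re.Pattern:
    """Translate one glob into a compiled regex.
    path=True  (test-file patterns): '**/' is any directory prefix, '**' anything,
               '*' anything but '/'; the whole path must match.
    path=False (ticket patterns): '*' is one or more [A-Za-z0-9_-] characters and the
               match must not be glued to other word characters (assumption)."""
    out: list[str] = []
    i = 0
    while i < len(pattern):
        if path and pattern.startswith("**/", i):
            out.append("(?:.*/)?")
            i += 3
        elif path and pattern.startswith("**", i):
            out.append(".*")
            i += 2
        else:
            c = pattern[i]
            if c == "*":
                out.append("[^/]*" if path else "[A-Za-z0-9_-]+")
            elif c == "?":
                out.append("[^/]")
            else:
                out.append(re.escape(c))
            i += 1
    body = "".join(out)
    if path:
        return re.compile(f"^{body}$")
    return re.compile(rf"(?<![\w-]){body}(?![\w-])")


def ticket_reference_check(title: str, body: str, patterns=DEFAULT_TICKET_PATTERNS) -> tuple[bool, str]:
    """Both title and body are searched; every pattern contributes its matches."""
    text = f"{title}\n{body}"
    found: list[str] = []
    for pattern in patterns:
        found += glob_to_regex(pattern, path=False).findall(text)
    if found:
        return True, "Found ticket reference(s): " + ", ".join(dict.fromkeys(found))
    return False, "No ticket reference found in title or body"


def is_non_testable(path: str) -> bool:
    parts = path.split("/")
    name = parts[-1]
    ext = name[name.rfind("."):] if "." in name else ""
    return (name in NON_TESTABLE_NAMES or ext in NON_TESTABLE_EXT
            or any(d in NON_TESTABLE_DIRS for d in parts[:-1]))


def require_tests_check(changed: list[str], patterns=DEFAULT_TEST_PATTERNS) -> tuple[bool, str]:
    regexes = [glob_to_regex(p, path=True) for p in patterns]
    tests = [f for f in changed if any(r.match(f) for r in regexes)]
    code = [f for f in changed if f not in tests and not is_non_testable(f)]
    if not code:
        return True, "Only non-testable files changed"
    if tests:
        return True, f"{len(code)} code file(s) changed, {len(tests)} test file(s) included"
    return False, f"{len(code)} code file(s) changed but no test files added"


def description_sections_check(body: str, required: list[str]) -> tuple[bool, str]:
    """Case-insensitive; assumes each heading occupies a line of its own."""
    lines = {line.strip().lower() for line in body.splitlines()}
    missing = [h for h in required if h.strip().lower() not in lines]
    if missing:
        return False, "Missing section(s): " + ", ".join(missing)
    return True, f"All {len(required)} required section(s) present"


# Constructed sample PR.
SAMPLE_TITLE = "JIRA-123 Reject unsigned JWTs"
SAMPLE_BODY = "## Summary\nRefuse tokens with alg=none.\n\n## changes\nValidate alg.\n\n## Test Plan\nAdded jwt_test.py.\n"
SAMPLE_FILES = ["src/auth/jwt.py", "src/auth/jwt_test.py", "docs/auth.md", "config/settings.yml"]

if __name__ == "__main__":
    for ok, msg in (ticket_reference_check(SAMPLE_TITLE, SAMPLE_BODY),
                    require_tests_check(SAMPLE_FILES),
                    description_sections_check(SAMPLE_BODY, ["## Summary", "## Changes", "## Test Plan"])):
        print("✓" if ok else "✗", msg)
```

Note how the sample body's "## changes" heading satisfies "## Changes" (case-insensitive) while its "#" characters are not mistaken for a `#*` ticket reference, and how docs/ and config/ changes are set aside before the code-versus-test comparison is made.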

Configuring Policy Checks

Step 1: Open Policy Settings

  1. Navigate to Settings in the Codity dashboard
  2. Expand the Repository Policies (SOC2 Compliance) section
  3. Find your repository in the list
  4. Click the Configure button next to the repository

Repositories show a Configured badge if a repository-level policy is already set, or Not Configured if they inherit the org-wide policy or the built-in defaults.

Step 2: Configure Policies

On the policy settings page for your repository:

  1. Minimum Reviewers: Set the number of required approvals (0–10)
  2. Require Ticket Reference: Toggle on/off and customize ticket patterns (one pattern per line)
  3. Require Test Files: Toggle on/off and customize test file patterns (one pattern per line)
  4. Require Description Sections: Toggle on/off and specify required section headings (one per line)

Click Save Policy to apply changes.

Step 3: Enable Branch Protection

For policy checks to block merges, configure your branch protection rules to require the codity/policy-check status check.

GitHub:

  1. Go to repository Settings → Branches → Branch protection rules
  2. Edit or add a rule for your target branch
  3. Enable Require status checks to pass before merging
  4. Search for and add codity/policy-check

GitLab: Policy results are posted as commit statuses on merge requests.

Azure DevOps: Policy results are posted as PR statuses.

Bitbucket: Policy results are posted as build statuses on commits.

Org-Wide Policy

You can set a policy that applies across all repositories in your organization. When a repository does not have its own policy configured, it inherits the org-wide policy.

Resolution order:

  1. Repository-level policy: if configured, this is used
  2. Org-wide policy: used when no repository-level policy exists
  3. Built-in defaults: used when neither is set

Configuring Org-Wide Policy

  1. Navigate to Settings in the Codity dashboard
  2. Expand the Repository Policies section
  3. Click Configure Org-Wide Policy
  4. Set your desired values and click Save Policy

Changes to the org-wide policy take effect immediately for all repositories that do not have a repository-level policy.

How Results Are Reported

Commit Status Check

Codity posts a codity/policy-check status on the latest commit of the PR/MR:

  • Success: All policy checks passed
  • Failure: One or more policy checks failed

PR/MR Comment

When policy checks fail, Codity posts a comment on the PR/MR with details:

  • Which checks passed
  • Which checks failed and why
  • What actions are needed to resolve failures

Example failure message:

✗ 2/4 policy checks failed:

  • Need 1 more approval(s) (1/2): comment LGTM or approve via review
  • 3 code file(s) changed but no test files added

✓ 2 checks passed:
  • Found ticket reference(s): JIRA-123
  • All 3 required section(s) present