CodeRifts vs oasdiff
Which is right for your team?
oasdiff gives you the raw breaking-change diff; CodeRifts wraps that diff in a deterministic risk verdict - a 0-100 score, a cost estimate, a policy decision, and a signed receipt. Both tools detect breaking changes in OpenAPI specs. oasdiff is an open-source Go CLI and GitHub Action, now with a hosted Pro tier at oasdiff.com that adds PR comments, per-change approvals, and an audit trail. CodeRifts is a zero-config GitHub App built around a deterministic risk verdict: every change gets a 0-100 risk score, a cost estimate, a policy decision, and a cryptographically signed, externally verifiable receipt. Here is an honest comparison.
| Capability | CodeRifts | oasdiff |
|---|---|---|
| Setup | ✓ One-click GitHub App install | GitHub Action YAML config |
| Breaking change detection | ✓ Yes | ✓ Yes |
| Change intent classification | ✓ With intent tags: | ✗ No |
| Detection confidence scoring | ✓ With confidence levels: | ✗ No |
| Risk scoring (0–100) | ✓ 4-dimension model | ✗ No |
| Policy engine (budgets, freeze, approvals) | ✓ Yes | ✗ No |
| Security analysis | ✓ Yes | ✗ No |
| API design linting | ✓ Yes | ✗ No |
| Governance health score | ✓ Yes | ✗ No |
| Generator-aware risk amplification | ✓ Yes | ✗ No |
| Migration cost estimation | ✓ Yes | ✗ No |
| PR comment with full report | ✓ 20+ sections | Basic diff output |
| CLI tool | ✓ npm | ✓ Go binary, Docker |
| REST API | ✓ Yes | ✗ No |
| Web UI for quick diff | ✓ Yes | ✗ No |
| Pricing | Free tier + Pro $49/mo | Free (Apache-2.0) |
| Maintenance | Managed SaaS | Self-maintained |
| OpenAPI 3.0 / 3.1 | ✓ Yes | ✓ Yes |
| GraphQL / gRPC | Planned | ✗ No |
When to choose oasdiff
- ✓ You want a free, open-source CLI you can run anywhere, including air-gapped CI
- ✓ You want per-change human approvals with a hosted review UI (oasdiff Pro)
- ✓ Your team is comfortable wiring GitHub Actions and maintaining CI YAML
- ✓ You need diff classification and a merge gate, and that is enough
When to choose CodeRifts
- ✓ You want a risk NUMBER and a cost estimate, not just a severity label - our verdict scores every change 0-100 and estimates blast radius and fix cost
- ✓ You want deterministic, reproducible decisions - the same spec pair always produces the same byte-identical verdict fingerprint
- ✓ You want cryptographic evidence, not just review history - every verdict returns an Ed25519-signed receipt any external party can verify against our published key
- ✓ You are building for AI agents - agent-native action-verdict API, MCP server, and governance policies agents can consume directly
- ✓ Your PRs change more than specs - CodeRifts also cross-checks schema migrations against live code references (MigraGuard), one app for both gates
- ✓ You want zero-config - install the GitHub App, add one YAML file, done
The honest difference
oasdiff Pro and CodeRifts now overlap on the approval workflow: both can gate a merge and route breaking changes to humans. The difference is what the human sees and what survives the decision. oasdiff shows you the diff and records who clicked approve. CodeRifts shows you a risk score, a cost estimate, and the affected consumers - and issues a signed receipt that proves, to anyone, what was decided and on what basis. If your API feeds AI agents or downstream teams that need evidence rather than trust, that is the gap we fill.
Ready to try CodeRifts?
Install in one click. No config files, no CI setup, no credit card required.