Documentation
Everything you need to get started with CodeRifts — from one-click install to full configuration reference.
Quick Start
Get CodeRifts running in 30 seconds:
Install the GitHub App → Install on GitHub
Open a pull request that modifies an OpenAPI spec file
CodeRifts automatically posts a governance report as a PR comment
That's it. No config file needed. No CI setup. No API keys.
Want to see what a report looks like? Check the live demo PR.
What Gets Analyzed
CodeRifts triggers automatically when a pull request modifies files matching these patterns:
| Pattern | Example |
|---|---|
**/openapi*.yaml | openapi.yaml, api/openapi-v2.yaml |
**/openapi*.json | openapi.json, docs/openapi-spec.json |
**/swagger*.yaml | swagger.yaml, api/swagger-v1.yaml |
**/swagger*.json | swagger.json |
You can also define custom patterns in .coderifts.yml using the schema or spec_patterns fields (see Configuration).
Supported Formats
- OpenAPI 2.0 (Swagger)
- OpenAPI 3.0
- OpenAPI 3.1
- Both YAML and JSON formats
Understanding the Report
Every PR comment from CodeRifts includes several sections. Here's what each one means:
Risk Score (0–100)
An overall risk assessment based on 4 dimensions:
| Dimension | Weight | What It Measures |
|---|---|---|
| Revenue Impact | 30% | Are payment, billing, or critical domain endpoints affected? |
| Blast Radius | 30% | How many endpoints and consumers are impacted? |
| Compatibility | 20% | Can existing clients continue working without changes? |
| Security | 20% | Are authentication, authorization, or sensitive fields affected? |
Scores map to grades: A (0–19), B (20–39), C (40–59), D (60–79), F (80–100).
Breaking Changes Table
Lists every breaking change detected, including:
- The change type (endpoint removed, field type changed, required field added, etc.)
- The affected endpoint and path
- A risk label per change (when risk scoring is enabled)
- A lifecycle label showing whether the element is new, deprecated, or removed
Policy Violations
If you have policies configured in .coderifts.yml, this section shows which rules were violated:
- Endpoint deletion blocked —
no_deletepaths were removed - Breaking budget exceeded — more breaking changes than
breaking_budgetallows - Freeze window active — breaking changes during a configured freeze period
- Version bump required — breaking changes without a semver bump in the spec
Security Analysis
Scans for security-sensitive changes:
- Authentication scheme changes
- New endpoints without security definitions
- Sensitive field exposure (passwords, tokens, SSNs, etc.)
- CORS or rate-limit configuration changes
Semver Suggestion
Recommends a semantic version bump based on the changes detected:
- MAJOR — breaking changes found
- MINOR — new endpoints or fields added (backward-compatible)
- PATCH — documentation or metadata changes only
API Changelog
An auto-generated changelog grouped by: breaking, added, changed, and deprecated. Copy-paste ready for your release notes.
See all of these sections in action on the live demo PR.
Configuration Reference
All settings are optional. CodeRifts works without a config file. To customize behavior, create a .coderifts.yml file in the root of your repository.
# .coderifts.yml — Full Configuration Reference
# All settings are optional. CodeRifts works without this file.
# ─── Schema Paths ─────────────────────────────────────────────
# Explicit paths to your OpenAPI spec files.
# If omitted, CodeRifts auto-discovers using default glob patterns.
schema:
- openapi/api.yaml
- docs/swagger.json
# Custom glob patterns for spec file discovery (optional)
spec_patterns:
- "**/api-spec*.yaml"
- "docs/openapi/**"
# ─── Breaking Change Budget ───────────────────────────────────
# Maximum allowed breaking changes per PR (default: unlimited)
breaking_budget: 3
# Fail the GitHub check when breaking changes are found (default: true)
fail_on_breaking: true
# ─── Policy Rules ─────────────────────────────────────────────
policy:
# Paths where endpoint deletion is blocked
no_delete: ["/payments/*", "/auth/*"]
# Block deletion of required fields
no_delete_required_fields: true
# Require deprecation before removal
require_deprecation_before_removal: true
# Freeze window — block breaking changes during this period
freeze:
start: "2026-03-01"
end: "2026-03-15"
reason: "Q1 release freeze"
# Require semver bump when breaking changes are detected
require_version_bump: true
# Auto-trigger freeze when risk score exceeds threshold (0-100)
freeze_on_risk_score: 80
# ─── Domain Ownership ─────────────────────────────────────────
# Map API paths to teams for accurate risk scoring
domains:
- name: payments
paths: ["/payments/*"]
owners: ["@payments-team"]
sensitivity: critical
- name: users
paths: ["/users/*", "/auth/*"]
owners: ["@platform-team"]
sensitivity: high
# ─── Security Analysis ────────────────────────────────────────
security:
# Additional patterns to flag as sensitive (regex)
sensitive_patterns: ["ssn", "tax_id", "passport"]
# Fail the check on critical security findings
fail_on_critical: true
# ─── Notifications ────────────────────────────────────────────
# Send alerts to Slack and/or Microsoft Teams
notifications:
on: breaking # Options: breaking (default), all, high_risk
slack:
webhook_url: "https://hooks.slack.com/services/..."
teams:
webhook_url: "https://outlook.office.com/webhook/..."
mute: # Repos to exclude from notifications
- "internal-tools"
# ─── Schema Overlap Detection ─────────────────────────────────
# Warn when other open PRs modify the same spec files (Pro only)
overlap_detection: true
overlap_ignore_branches:
- "dependabot/*"
- "renovate/*"
# ─── Risk Scoring Weights ─────────────────────────────────────
# Customize the weight of each risk dimension (must sum to 1.0)
risk_weights:
revenue_impact: 0.3
blast_radius: 0.3
compatibility: 0.2
security: 0.2
# ─── Comment Mode ─────────────────────────────────────────────
# "full" shows all sections inline; "summary" collapses details
comment_mode: full
# ─── Fun Mode ─────────────────────────────────────────────────
# Adds a haiku to the PR comment based on the analysis
fun_mode: trueOption Reference
| Option | Type | Default | Tier | Description |
|---|---|---|---|---|
schema | string[] | auto-discover | Free | Explicit paths to OpenAPI spec files |
spec_patterns | string[] | built-in globs | Free | Custom glob patterns for spec discovery |
fail_on_breaking | boolean | true | Free | Fail the GitHub check on breaking changes |
breaking_budget | number | unlimited | Free | Max breaking changes allowed per PR |
policy | object | all disabled | Pro | Governance policy rules |
domains | object[] | heuristic | Pro | Map API paths to teams for risk scoring |
security | object | defaults | Pro | Security analysis configuration |
notifications | object | disabled | Free | Slack/Teams webhook notifications |
overlap_detection | boolean | true | Pro | Warn when other PRs modify same specs |
overlap_ignore_branches | string[] | [] | Pro | Branch patterns to exclude from overlap check |
risk_weights | object | equal weights | Pro | Customize risk dimension weights |
comment_mode | string | full | Free | full or summary |
fun_mode | boolean | false | Free | Adds a haiku to the PR comment |
Delivery Channels
CodeRifts is available through 4 channels. Choose the one that fits your workflow:
| Channel | Best For | Status | Link |
|---|---|---|---|
| GitHub App | Primary use — automatic PR analysis | Available | Install |
| Web UI | Try without installing — paste a spec URL | Available | Try Now |
| REST API | CI/CD integration — programmatic access | Available | API Reference |
| CLI | Local analysis — run from your terminal | Available | npm package |
FAQ
Does CodeRifts read my source code?
No. CodeRifts only reads OpenAPI spec files (YAML/JSON). It does not access, analyze, or store your application source code, tests, or any other files.
What permissions does it need?
| Permission | Level | Why |
|---|---|---|
| Contents | Read | Read OpenAPI spec files from your repository |
| Pull Requests | Write | Post the governance report as a PR comment |
| Checks | Write | Create a check run with pass/fail status |
| Metadata | Read | Required by GitHub for all App installations |
Is it free?
Yes. The Free tier includes unlimited public repositories and up to 3 private repositories. All Pro features (risk scoring, governance, security analysis, deprecation enforcement) are included free during the beta. See pricing.
What happens if my spec file is not in the root directory?
CodeRifts auto-discovers spec files using glob patterns that search all directories. If your file is at api/v2/openapi.yaml, it will be found automatically. You can also configure explicit paths in .coderifts.yml:
schema:
- api/v2/openapi.yaml
- docs/swagger.jsonCan I use it with GitLab or Bitbucket?
The GitHub App is GitHub-only. However, the REST API and CLI work with any Git platform. You can integrate them into GitLab CI, Bitbucket Pipelines, or any CI/CD system.
How do I disable it for a specific PR?
Add [skip coderifts] to the PR title. CodeRifts will skip the analysis entirely for that PR.
Where is the API Reference?
The interactive API reference (Swagger UI) is available at app.coderifts.com/api/docs.
Ready to get started?
Install CodeRifts in one click and get your first governance report on the next PR.