48 governance features.
One PR comment.
From breaking change detection to compliance enforcement. Backed by 611 tests.
Free Tier
9 features included with every installation — no credit card required
Breaking Change Detection
Core diff engine for OpenAPI 3.0 and 3.1 schemas.
Detects endpoint removals, required field additions, response type changes, enum restrictions, auth changes, parameter modifications, and more.
Auto-Discovery
Automatically finds OpenAPI spec files in your repo.
No configuration needed. CodeRifts scans your repository for .yaml, .yml, and .json files matching OpenAPI patterns.
Semver Suggestion
Recommends MAJOR/MINOR/PATCH based on change severity.
Reads your current version from the spec and suggests the correct next version based on the breaking changes detected.
Lifecycle Labels
Tags each change: new-endpoint, field-removed, deprecated, etc.
Every change in the breaking changes table gets a lifecycle icon showing whether it's new, modified, deprecated, or removed.
API Surface Stats
Endpoint, field, and schema counts in every PR.
Shows your total API surface area and how the PR changes it, so you always know the scope of your API.
Commit Consistency Check
Validates PR title matches the suggested version bump.
Warns when breaking changes are detected but the PR title doesn't include a version bump indicator like feat!:.
Breaking Changes Table
Structured table of every breaking change with details.
Each breaking change gets its own row with endpoint, risk level, action type, and a link to the specific diff.
REST in Peace
Lists removed endpoints with a touch of humor.
A dedicated memorial section for removed endpoints. Because even APIs deserve a proper farewell.
Web UI, CLI & REST API
Three ways to use CodeRifts: browser, terminal, or API.
Try in the browser with no signup, run locally via CLI, or integrate into any CI/CD pipeline via the REST API.
Risk & Scoring
Quantify API change risk across 4 dimensions
4D Risk Score
Composite 0–100 score across severity, surface, auth, and stability.
Each PR gets a single risk number combining breaking change severity, affected surface area, authentication impact, and historical stability. Color-coded gauge included.
Confidence Score
How certain is the analysis? 0–100 confidence rating.
Factors in spec completeness, change specificity, and engine agreement. Low confidence triggers a warning so you know when to double-check.
Stability Grade
A+ to F grade based on recent breaking change history.
Tracks your API's breaking change frequency over the last 30 days. Fewer breaks = higher grade. Shown as a letter grade with trend arrow.
Change Intent Classifier
Tags each change as structural, behavioral, or security.
Uses change codes and heuristics to classify intent. Structural changes affect shape, behavioral changes affect logic, security changes affect auth.
Security
Catch authentication and authorization regressions
Auth Downgrade Detection
Flags when endpoints lose authentication requirements.
Detects when OAuth2 is downgraded to API key, when bearer tokens are removed, or when security schemes are weakened. Severity-rated.
Scope & Permission Tracker
Detects OAuth scope changes and permission model shifts.
Tracks when scopes are added, removed, or renamed. Warns when permission boundaries change in ways that could affect API consumers.
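The Breaking Change Detection and Auth Downgrade Detection features above describe a diff over two OpenAPI documents. The script below is an added example, not CodeRifts' own code, showing the core of such a check: it flattens the operations of a base and a head spec, reports removed operations, newly required request-body fields, and weakened or removed security requirements, and derives a semver suggestion from the findings. Both specs and the scheme-strength ranking (oauth2/openIdConnect above http above apiKey, with no auth lowest) are constructed for this example; the ranking is an assumption, not the product's scale.

```python
"""Added example: minimal OpenAPI 3.x breaking-change and auth-downgrade diff."""
from typing import Any, Dict, List, Set, Tuple

# Heuristic strength ordering (an assumption of this example): unauthenticated is 0,
# so any drop in level between base and head is reported as a downgrade.
SCHEME_STRENGTH = {"oauth2": 3, "openIdConnect": 3, "http": 2, "apiKey": 1}
HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options"}

# Constructed sample specs (not from any real project). HEAD removes an endpoint,
# makes 'currency' required, swaps OAuth2 for an API key on POST, and drops auth on GET.
_SCHEMES = {
    "oauth": {"type": "oauth2", "flows": {"clientCredentials": {
        "tokenUrl": "https://auth.example.test/token",
        "scopes": {"payments:read": "read", "payments:write": "write"}}}},
    "apiKey": {"type": "apiKey", "in": "header", "name": "X-API-Key"},
}
BASE_SPEC: Dict[str, Any] = {
    "openapi": "3.0.3",
    "components": {"securitySchemes": _SCHEMES, "schemas": {"Payment": {
        "type": "object", "required": ["amount"],
        "properties": {"amount": {"type": "number"}, "currency": {"type": "string"}}}}},
    "paths": {
        "/payments": {
            "post": {"security": [{"oauth": ["payments:write"]}],
                     "requestBody": {"content": {"application/json": {
                         "schema": {"$ref": "#/components/schemas/Payment"}}}}},
            "get": {"security": [{"oauth": ["payments:read"]}]}},
        "/refunds/{id}": {"delete": {"security": [{"oauth": ["payments:write"]}]}},
    },
}
HEAD_SPEC: Dict[str, Any] = {
    "openapi": "3.0.3",
    "components": {"securitySchemes": _SCHEMES, "schemas": {"Payment": {
        "type": "object", "required": ["amount", "currency"],
        "properties": {"amount": {"type": "number"}, "currency": {"type": "string"}}}}},
    "paths": {"/payments": {
        "post": {"security": [{"apiKey": []}],
                 "requestBody": {"content": {"application/json": {
                     "schema": {"$ref": "#/components/schemas/Payment"}}}}},
        "get": {"security": []}}},
}


def resolve(spec: Dict[str, Any], schema: Dict[str, Any]) -> Dict[str, Any]:
    """Follow a local '#/...' $ref chain (bounded, to survive reference cycles)."""
    hops = 0
    while "$ref" in schema and hops < 10:
        node: Any = spec
        for part in schema["$ref"].lstrip("#/").split("/"):
            node = node[part]
        schema, hops = node, hops + 1
    return schema


def operations(spec: Dict[str, Any]) -> Dict[str, Dict[str, Any]]:
    """Flatten the paths object into {'METHOD /path': operation}."""
    return {f"{m.upper()} {path}": op
            for path, item in spec.get("paths", {}).items()
            for m, op in item.items() if m.lower() in HTTP_METHODS}


def effective_auth(spec: Dict[str, Any], op: Dict[str, Any]) -> Tuple[int, str]:
    """Strength of the weakest alternative a client may use to satisfy the operation.

    The security list is OR-ed; schemes inside one object are AND-ed, so each
    alternative is bounded by its strongest scheme and the operation by its weakest
    alternative. A missing/empty list or a {} entry means unauthenticated access."""
    reqs = op.get("security", spec.get("security", []))
    schemes = spec.get("components", {}).get("securitySchemes", {})
    weakest: Tuple[int, str] = (99, "unknown")
    if not reqs:
        return (0, "none")
    for alt in reqs:
        if not alt:
            return (0, "none")
        typed = [(SCHEME_STRENGTH.get(schemes.get(n, {}).get("type"), 0),
                  schemes.get(n, {}).get("type", "unknown")) for n in alt]
        weakest = min(weakest, max(typed))
    return weakest


def required_request_fields(spec: Dict[str, Any], op: Dict[str, Any]) -> Set[str]:
    """Required property names across all request-body media types."""
    fields: Set[str] = set()
    for media in op.get("requestBody", {}).get("content", {}).values():
        fields.update(resolve(spec, media.get("schema", {})).get("required", []))
    return fields


def diff_specs(base: Dict[str, Any], head: Dict[str, Any]) -> List[Dict[str, str]]:
    """Report consumer-breaking changes between two specs, most severe first per endpoint."""
    findings: List[Dict[str, str]] = []
    base_ops, head_ops = operations(base), operations(head)
    for key, b_op in base_ops.items():
        if key not in head_ops:
            findings.append({"code": "endpoint-removed", "endpoint": key,
                             "severity": "high", "detail": "operation no longer exists"})
            continue
        h_op = head_ops[key]
        for field in sorted(required_request_fields(head, h_op) - required_request_fields(base, b_op)):
            findings.append({"code": "required-field-added", "endpoint": key,
                             "severity": "high", "detail": f"request field '{field}' is now required"})
        (b_lvl, b_type), (h_lvl, h_type) = effective_auth(base, b_op), effective_auth(head, h_op)
        if h_lvl < b_lvl:  # weaker or no authentication than before
            removed = h_lvl == 0
            findings.append({"code": "auth-removed" if removed else "auth-downgraded",
                             "endpoint": key, "severity": "critical" if removed else "high",
                             "detail": f"security changed from {b_type} to {h_type}"})
    return findings


def suggest_bump(findings: List[Dict[str, str]]) -> str:
    """Any breaking finding forces a MAJOR bump; otherwise PATCH."""
    return "MAJOR" if findings else "PATCH"


if __name__ == "__main__":
    results = diff_specs(BASE_SPEC, HEAD_SPEC)
    for f in results:
        print(f"[{f['severity']:8}] {f['code']:21} {f['endpoint']}: {f['detail']}")
    print("suggested bump:", suggest_bump(results))
```

Running the script lists four findings (a removed DELETE, a newly required field and an OAuth2-to-API-key downgrade on POST, and authentication removed from GET) and suggests a MAJOR bump. The OR/AND evaluation in `effective_auth` matters in practice: adding a `{}` alternative or an API-key alternative next to an existing OAuth2 requirement weakens the endpoint even though the OAuth2 scheme is still listed.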
AI & Generator Awareness
Detect AI-generated specs and generator-specific risks
AI-Generated Spec Safety
Detects when specs are AI-generated and flags common AI mistakes.
Identifies patterns typical of LLM-generated OpenAPI specs: hallucinated endpoints, inconsistent naming, missing security schemes, and overly generic descriptions.
Generator-Aware Risk
Adjusts risk scoring based on spec generator (Swagger Codegen, OpenAPI Generator, etc.).
Detects the generator used and adjusts confidence and risk scores based on known generator quirks and limitations.
Insights & Reporting
Documentation quality, changelogs, and design standards
API Design Lint
Naming conventions, pagination, error consistency checks.
8 lint rules covering camelCase, pagination patterns, error response formats, and more. Warnings shown in a collapsible section.
Auto-Changelog
Categorized changelog: breaking, added, changed, deprecated.
Every PR gets a structured changelog grouped by change type, ready to copy into your release notes.
Deprecation Lifecycle Tracker
Tracks deprecated endpoints from announcement to removal.
Monitors x-deprecated and x-sunset headers. Warns when deprecated endpoints are removed without the sunset period completing.
Documentation Coverage Score
A–F grade for spec completeness: descriptions, examples, schemas.
Scores your OpenAPI spec across 5 dimensions: descriptions, examples, error responses, schema completeness, and parameter documentation. Shows delta from base.
Docs Drift Detection
Warns when schema changes happen without documentation updates.
Checks if README, CHANGELOG, or API docs were updated alongside schema changes. Flags PRs that skip documentation.
Structural
Understand your API architecture and versioning
Heritage Mode
Versioning suggestions for existing endpoints.
Detects high-change-density PRs and recommends version bumps or deprecation plans for heavily modified endpoints.
CODEOWNERS Suggestion
Auto-generates CODEOWNERS based on domain ownership config.
When no CODEOWNERS file exists, suggests one based on the domain ownership mapping in your .coderifts.yml.
Versioning Strategy
URL vs header versioning analysis and recommendation.
Detects your versioning approach (URL path, header, query param) and flags inconsistencies or missing version indicators.
Policy & Governance
Enforce API standards with code-defined policies
Policy Engine
YAML-defined rules: max breaking changes, required deprecation periods, auth requirements.
Define governance rules in .coderifts.yml. The engine evaluates every PR against your policies and blocks merges that violate them.
Freeze Windows
Block breaking changes during release freezes or peak traffic periods.
Configure date ranges when breaking changes are prohibited. PRs opened during freeze windows get a hard block with the freeze reason.
Approval Matrix
Require specific approvers for high-risk changes.
Configure who must approve based on risk level: security changes need @security-team, auth changes need @platform-lead.
Domain Ownership
Map API paths to team owners for targeted notifications.
Define which team owns which API paths. Breaking changes to /payments/* notify @payments-team automatically.
Exception Lifecycle Manager
Time-boxed exceptions for policy violations with audit trail.
Grant temporary exceptions to governance rules. Each exception has an owner, expiry date, and reason. Expired exceptions auto-revoke.
Breaking Budget
Set a maximum number of allowed breaking changes per PR.
Configure a breaking change budget in your policy. PRs exceeding the budget get a policy violation with the count and limit shown.
Migration & Assessment
Evaluate migration effort and governance health
Migration Assessment
Estimates consumer migration effort: hours, complexity, affected endpoints.
For each breaking change, estimates the migration effort for API consumers. Factors in change type, endpoint popularity, and complexity.
Governance Health Grade
A–F grade for your API governance posture.
Composite score across policy compliance, exception usage, deprecation adherence, and documentation quality. Shown as a letter grade.
Insights & Reporting
Review patterns, stability badges, and feature flag tracking
PR Review Insights
Time to first review, reviewer load, PR size analysis.
Tracks review patterns for API-related PRs. Shows time to first review, number of review rounds, and PR size classification.
Feature Flag Cleanup
Detects stale feature flags across 6 languages, 19 patterns.
Scans changed files for feature flag patterns. Flags stale and aging flags with configurable thresholds.
API Stability Badge
4 embeddable SVG badges for README: stability, streak, governance, risk.
Shields.io-style badges generated server-side. Embed in your README to show your API's governance posture.
Structural
Shadow API detection and overlap prevention
Shadow API Detection
Identifies high-change-density endpoints that may be undocumented.
Flags endpoints with many changes in a single PR, suggesting they may be shadow APIs that need proper documentation.
Overlap Detection
Detects other open PRs modifying the same schema files.
Warns when multiple open PRs touch the same OpenAPI spec, preventing merge conflicts and governance gaps.
AI & Generator Awareness
SDK coverage and generated spec drift tracking
SDK Surface Coverage
Tracks which endpoints are covered by generated SDKs.
Cross-references your OpenAPI spec with generated SDK clients. Flags endpoints missing from SDKs and new endpoints that need SDK updates.
Generated Spec Drift
Detects when generated specs diverge from the source of truth.
If your spec is auto-generated from code annotations, detects when manual edits create drift between the generated and committed versions.
Enterprise
8 features — coming Q2 2026
External API Drift Monitor
Track third-party API specs and alert on undocumented changes.
Monitor external APIs your services depend on. Get notified when upstream providers introduce breaking changes before they hit production.
Multi-Repo Compatibility Guard
Cross-repo breaking change detection.
When a spec change in repo A breaks a consumer in repo B, CodeRifts flags it before either PR merges.
Consumer-Aware Risk Scoring
Risk scoring based on actual consumer data.
Integrate with your API gateway to weight risk scores by real traffic volume, active consumers, and revenue impact.
Org-Level API Registry
Company-wide API catalog and portfolio view.
A single pane of glass for every API in your organization: ownership, stability grade, governance health, and change history.
Compliance Ledger
Full audit trail: who changed what, when, and impact.
Immutable log of every API change, approval decision, and exception grant. SOC 2 and PCI-DSS aligned reporting.
Historical Drift Intelligence
Risk time-series and stability decay tracking.
Track how your API stability evolves over weeks and months. Spot decay patterns before they become incidents.
Slack & Teams Notifications
Webhook integration for breaking change alerts.
Configure per-domain notifications. Critical auth changes go to #security, payment API changes go to #payments.
Custom Integrations API
Webhooks and REST API for custom governance workflows.
Build custom integrations with your internal tools. Trigger workflows, sync data, and extend CodeRifts with your own logic.
Ready to protect your APIs?
Free during beta. No credit card required. Start with 9 features, upgrade when you need more.