
Free Code Governance

Codeward is a free code governance tool that empowers developers to enforce security, licensing, and policy standards across their codebase. Unlike traditional tools that overwhelm users with endless lists of existing issues, Codeward focuses on what changed, ensuring that new code doesn't introduce new risks while allowing existing technical debt to be managed separately.

Codeward provides the tools to create custom policies and choose how violations are handled—whether that means simply logging them, posting a warning on a PR, or blocking a merge entirely.

Crucially, Codeward is strictly configuration-driven. It makes no assumptions and performs no automatic scanning or reporting "out of the box." You retain full control: you must explicitly define what to validate, what action to take when an issue is found, and where and how the results should be reported.

Core Philosophy

  1. Defined by You: Codeward does not guess what is important to you. It will not output data or find issues unless you have defined the policy, action, and output destination.
  2. Govern, Don't Just Detect: It's not enough to find issues; you need a system to manage them. Codeward allows you to define policies that dictate actionable outcomes.
  3. Protect the Gate, Not the Graveyard: Stop drowning in a sea of existing issues. Our goal is to block new risks from entering the codebase (the gate) without forcing developers to immediately fix legacy debt (the graveyard).
    • Context-Aware Routing: While new issues often require immediate blocking or PR comments, existing issues are still critical. Codeward allows you to route new, changed, and removed findings to immediate channels (like GitHub PR comments) while sending existing findings to backlog management tools (like GitHub Issues) for long-term resolution.
  4. Progressive Enforcement: Not every issue is a blocker. Use info, warn, and block actions to enforce standards gradually without halting development.
  5. Flexible & Agnostic: Run it anywhere (local, CI/CD, Kubernetes) and output results to where you work (GitHub PRs, Slack, JSON reports).

What It Scans

| Scan Type | What It Detects |
|---|---|
| Vulnerabilities | CVEs in dependencies (via embedded Trivy) with severity, fix versions |
| Licenses | License names, categories, and risk levels for compliance |
| Packages | New, removed, or changed dependencies between branches |
| File Validations | Custom rules on files (text, JSON, YAML) and filesystem structure |
| PR Validations | Rules on PR metadata, size, files changed, and patch content |

Key Features

Focus on What Changed

Only new issues block your PRs. Existing backlog is tracked separately so developers focus on what they introduced — not legacy technical debt.

Catch AI-Generated Risk

AI-assisted code can silently add unwanted changes, vulnerable dependencies, or incompatible licenses. Codeward catches them before merge.

File & Config Validation

Ensure README exists, Dockerfiles use approved base images, Helm versions are current, and required configs are in place.

Progressive Enforcement

Start with info, promote to warn, then block when ready. Enforce naming conventions, documentation standards, and code structure at your own pace.

Custom Policy Rules

Define rules for anything — API versioning, deprecation notices, migration deadlines, or team-specific coding standards.

Flexible Outputs

PR comments, GitHub issues, JSON files, or webhooks. Route findings to Slack, Jira, or your compliance dashboard.

How It Works

  1. Add the GitHub Action — Drop in the Codeward action to your workflow. It runs on every PR automatically.
  2. Configure your policies — Define what to block, warn, or track. Use sensible defaults or customize everything.
  3. Merge with confidence — New issues are caught before merge. Existing backlog is tracked separately.

The key insight: only new findings can block your PR, so existing technical debt doesn't slow you down while you address it separately.

Quick Example

Block new critical vulnerabilities in PRs:

```json
{
  "vulnerability": [{
    "name": "block-critical",
    "actions": { "new": "block", "existing": "warn" },
    "rules": [
      { "field": "Severity", "type": "eq", "value": "CRITICAL" }
    ],
    "outputs": [{
      "format": "markdown",
      "destination": "git:pr",
      "fields": ["VulnerabilityID", "PkgName", "Severity", "FixedVersion"],
      "changes": ["new"]
    }]
  }]
}
```

This policy:

  • Searches for vulnerabilities where severity equals CRITICAL
  • Blocks PRs when new critical vulnerabilities are found
  • Warns about existing critical vulnerabilities (doesn't block)
  • Posts a markdown table to the PR comment showing only new issues

How Rules Work

Codeward uses a search-based approach: rules define what to find, not requirements to enforce.

  • The rule { "field": "Severity", "type": "eq", "value": "CRITICAL" } searches for items where severity equals CRITICAL
  • When a match is found → creates a finding
  • The finding triggers the action (block, warn, or info)
  • Results are sent to configured outputs

Think "find problems" not "enforce requirements".
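The flow in How Rules Work and the Quick Example policy above, modelled as an added example that is not Codeward's own code: the block diffs two constructed scan results (placeholder CVE ids), applies the eq rule as a search, maps the new/existing/removed buckets to the policy's actions, and renders the new findings as the markdown table the output requests. The identity key (VulnerabilityID, PkgName), the scan data, and the default info action for change types the policy does not list are assumptions.

```python
# Added illustrative model (not Codeward's code) of the change-aware evaluation described above.
from typing import Any, Dict, List, Tuple

# Rules, actions and output fields taken from the Quick Example policy.
POLICY = {
    "name": "block-critical",
    "actions": {"new": "block", "existing": "warn"},
    "rules": [{"field": "Severity", "type": "eq", "value": "CRITICAL"}],
    "fields": ["VulnerabilityID", "PkgName", "Severity", "FixedVersion"],
}

def _vuln(vid: str, pkg: str, sev: str, fixed: str) -> Dict[str, str]:
    return {"VulnerabilityID": vid, "PkgName": pkg, "Severity": sev, "FixedVersion": fixed}

# Constructed scan results with placeholder CVE ids, keyed by (VulnerabilityID, PkgName).
BASE_SCAN = {  # base branch: one pre-existing critical and one high
    ("CVE-EXAMPLE-0001", "libalpha"): _vuln("CVE-EXAMPLE-0001", "libalpha", "CRITICAL", "2.0.1"),
    ("CVE-EXAMPLE-0002", "libbeta"): _vuln("CVE-EXAMPLE-0002", "libbeta", "HIGH", "1.4.0"),
}
HEAD_SCAN = {  # PR branch: libbeta was fixed, a new critical dependency was introduced
    ("CVE-EXAMPLE-0001", "libalpha"): BASE_SCAN[("CVE-EXAMPLE-0001", "libalpha")],
    ("CVE-EXAMPLE-0003", "libgamma"): _vuln("CVE-EXAMPLE-0003", "libgamma", "CRITICAL", "3.1.0"),
}

def matches(rule: Dict[str, Any], item: Dict[str, Any]) -> bool:
    """A rule is a search, not a requirement: True means 'this item becomes a finding'."""
    if rule["type"] == "eq":  # only the comparison shown on the page is modelled
        return item.get(rule["field"]) == rule["value"]
    raise ValueError(f"unsupported rule type: {rule['type']}")

def classify(base: Dict, head: Dict) -> Dict[str, List[Dict[str, Any]]]:  # new / existing / removed
    return {
        "new": [head[k] for k in head if k not in base],
        "existing": [head[k] for k in head if k in base],
        "removed": [base[k] for k in base if k not in head],
    }

def evaluate(policy: Dict[str, Any], base: Dict, head: Dict) -> Tuple[Dict[str, Any], bool]:
    """Apply the rules per bucket, attach that bucket's action, and decide the PR verdict."""
    result = {}
    for change, items in classify(base, head).items():
        hits = [i for i in items if all(matches(r, i) for r in policy["rules"])]
        result[change] = {"action": policy["actions"].get(change, "info"), "findings": hits}
    # As the page states, only new findings can block; existing debt is reported, not blocking.
    blocked = result["new"]["action"] == "block" and bool(result["new"]["findings"])
    return result, blocked

def render_markdown(findings: List[Dict[str, Any]], fields: List[str]) -> str:  # PR comment table
    rows = ["| " + " | ".join(fields) + " |", "|" + "|".join("---" for _ in fields) + "|"]
    rows += ["| " + " | ".join(str(f.get(c, "")) for c in fields) + " |" for f in findings]
    return "\n".join(rows)
```

Running evaluate(POLICY, BASE_SCAN, HEAD_SCAN) blocks the PR because of libgamma, reports libalpha under the existing bucket with a warn action, and leaves the removed libbeta finding unmatched because its severity is HIGH.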

Our Principles

  • Free Forever — Core features free forever. No vendor lock-in.
  • Community Driven — Built with feedback from real teams.
  • Ship Fast — Governance that accelerates development, not blocks it.

Get Started

Fastest path: Add the GitHub Action with zero config → Quick Start


Stop reviewing security issues manually. Let Codeward surface what matters and block what's critical.