
Free Code Governance

Codeward is a free code governance tool that empowers developers to enforce security, licensing, and policy standards across their codebase. Unlike traditional tools that overwhelm users with endless lists of existing issues, Codeward focuses on what changed, ensuring that new code doesn't introduce new risks while allowing existing technical debt to be managed separately.

Codeward provides the tools to create custom policies and choose how violations are handled—whether that means simply logging them, posting a warning on a PR, or blocking a merge entirely.

Crucially, Codeward is strictly configuration-driven. It makes no assumptions and performs no automatic scanning or reporting "out of the box." You retain full control: you must explicitly define what to validate, what action to take when an issue is found, and where and how the results should be reported.

Core Philosophy

  1. Defined by You: Codeward does not guess what is important to you. It will not output data or find issues unless you have defined the policy, action, and output destination.
  2. Govern, Don't Just Detect: It's not enough to find issues; you need a system to manage them. Codeward allows you to define policies that dictate actionable outcomes.
  3. Protect the Gate, Not the Graveyard: Stop drowning in a sea of existing issues. Block new risks from entering the codebase while managing legacy debt separately.
  4. Progressive Enforcement: Not every issue is a blocker. Use info, warn, and block actions to enforce standards gradually without halting development.
  5. Flexible & Agnostic: Run it anywhere (local, CI/CD, Kubernetes) and output results to where you work (GitHub PRs, Slack, JIRA, JSON reports).

What It Scans

Scan Type         What It Detects
Vulnerabilities   CVEs in dependencies with severity, CVSS scores, fix versions
Licenses          License names, categories, risk levels, and source tracking
Packages          New, removed, or changed dependencies between branches
File Validations  Custom rules on files (JSON, YAML, TOML, text, env, properties) and filesystem
PR Validations    Rules on PR metadata, size, files changed, and patch content

Key Features

Focus on What Changed

Only new issues block your PRs. Existing backlog is tracked separately so developers focus on what they introduced — not legacy technical debt.

Catch AI-Generated Risk

AI-assisted code can silently add vulnerable dependencies or incompatible licenses. Codeward catches them before merge.

Multi-Source License Resolution

Resolves licenses from lockfiles, local filesystem, upstream registries (npm, PyPI, RubyGems, crates.io, NuGet, Hex.pm, pub.dev, Go proxy), and GitHub API — with persistent disk caching.

File & Config Validation

Ensure README exists, Dockerfiles use approved base images, Helm versions are current, and required configs are in place. Supports JSON, YAML, TOML, text, env, and properties files with line-level scanning.

Custom Webhooks

Send results to Slack, JIRA, PagerDuty, or any HTTP endpoint with full control over method, headers, body, and template variables.

SARIF Output

Native SARIF 2.1.0 support for GitHub Security tab, VS Code Problems panel, and Azure DevOps. Upload directly to GitHub Code Scanning for inline PR annotations.

SBOM Export

Generate CycloneDX 1.6 JSON SBOMs from your dependency inventory. Supports EU Cyber Resilience Act compliance, Dependency-Track, and SBOM Hub integration.

Progressive Enforcement

Start with info, promote to warn, then block when ready. Enforce naming conventions, documentation standards, and code structure at your own pace.

How It Works

  1. Add the GitHub Action — Drop the Codeward action into your workflow. It runs on every PR automatically.
  2. Configure your policies — Define what to block, warn, or track in .codeward.json or .codeward.yaml.
  3. Merge with confidence — New issues are caught before merge. Existing backlog is tracked separately.

The key insight: only new findings can block your PR, so existing technical debt doesn't slow you down while you address it separately.

Quick Example

Block new critical vulnerabilities in PRs:

# .codeward.yaml
vulnerability:
  - name: block-critical
    actions: { new: block, existing: warn }
    rules:
      - field: Severity
        type: eq
        value: CRITICAL
    outputs:
      - format: markdown
        destination: git:pr
        fields: [VulnerabilityID, PkgName, Severity, FixedVersion]
        changes: [new]

This policy:

  • Searches for vulnerabilities where severity equals CRITICAL
  • Blocks PRs when new critical vulnerabilities are found
  • Warns about existing critical vulnerabilities (doesn't block)
  • Posts a markdown table to the PR comment showing only new issues

How Rules Work

Codeward uses a search-based approach: rules define what to find, not requirements to enforce.

  • The rule { "field": "Severity", "type": "eq", "value": "CRITICAL" } searches for items where severity equals CRITICAL
  • When a match is found → creates a finding → triggers the action (block, warn, or info)
  • Results are sent to configured outputs

Think "find problems" not "enforce requirements".
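The following is an added illustration (not Codeward's own code) of how the block-critical policy from the Quick Example and the search-based rule semantics above fit together: a rule is a search over scanner items, each match becomes a finding, the finding is classified as new or existing by comparing against the base branch, the strongest triggered action decides the outcome, and the output honours `changes` and `fields`. The policy keys are taken from this page; the finding records, the placeholder vulnerability IDs and the identity key (VulnerabilityID + PkgName) are assumptions made for the example.

```python
# Added illustration of Codeward's search-based rules and new/existing split;
# not Codeward's own code. Policy keys come from this page's example. The
# scanner records below are constructed and their IDs are placeholders, not real CVEs.

POLICY = {
    "name": "block-critical",
    "actions": {"new": "block", "existing": "warn"},
    "rules": [{"field": "Severity", "type": "eq", "value": "CRITICAL"}],
    "outputs": [{"format": "markdown", "destination": "git:pr",
                 "fields": ["VulnerabilityID", "PkgName", "Severity", "FixedVersion"],
                 "changes": ["new"]}],
}
ACTION_RANK = {"info": 0, "warn": 1, "block": 2}  # progressive enforcement order
BASE = [
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample", "Severity": "CRITICAL", "FixedVersion": "2.0.1"},
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "oldlib", "Severity": "HIGH", "FixedVersion": "1.4.0"},
]
PR = BASE + [
    {"VulnerabilityID": "CVE-0000-0003", "PkgName": "newdep", "Severity": "CRITICAL", "FixedVersion": "3.1.0"},
]

def matches(item, rules):
    """Rules are searches: an item becomes a finding only if every rule matches it."""
    for rule in rules:
        if rule["type"] != "eq":  # only the page's "eq" matcher is modelled here
            raise ValueError(f"unsupported rule type {rule['type']!r}")
        if item.get(rule["field"]) != rule["value"]:
            return False
    return True

def evaluate(policy, base, pr, key=("VulnerabilityID", "PkgName")):
    """Return (decision, findings); decision is the strongest action triggered, None if nothing matched."""
    known = {tuple(i[k] for k in key) for i in base if matches(i, policy["rules"])}
    findings = [dict(i, change="existing" if tuple(i[k] for k in key) in known else "new")
                for i in pr if matches(i, policy["rules"])]
    actions = [policy["actions"][f["change"]] for f in findings]
    return (max(actions, key=ACTION_RANK.__getitem__) if actions else None), findings

def render_markdown(policy, findings):
    """PR comment table restricted to outputs[].changes and outputs[].fields."""
    out = policy["outputs"][0]
    rows = [f for f in findings if f["change"] in out["changes"]]
    lines = ["| " + " | ".join(out["fields"]) + " |", "|" + "---|" * len(out["fields"])]
    lines += ["| " + " | ".join(str(r[c]) for c in out["fields"]) + " |" for r in rows]
    return "\n".join(lines)

if __name__ == "__main__":
    decision, found = evaluate(POLICY, BASE, PR)  # decision is "block": one new CRITICAL finding
    print(decision, render_markdown(POLICY, found), sep="\n")
```

The pre-existing CRITICAL finding on libexample only warns, while the CRITICAL finding introduced by the new dependency blocks, and only that new row reaches the PR comment.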

Get Started

Fastest path: Add the GitHub Action → Quick Start

Browse ready-made profiles: The Codeward Registry has ready-to-use policy profiles for security, infrastructure, language-specific checks, compliance, secrets detection, and more. Drop one into your repo and customize as needed.
