codeguard is a standalone Go service and CLI for repository checks across code quality, design boundaries, security, CI/CD hygiene, AI prompt governance, and repo-specific policy rules.
It now supports repository exclusions, baselines, waivers, changed-lines diff scans, SARIF output, GitHub annotations, custom rule packs, natural-language custom rules through an optional AI runtime, policy profiles, scan caching, doctor checks, rule discovery from the CLI, native TypeScript/Python quality, design, and security heuristics, and language-specific command checks.
AI-generated-code quality coverage includes an AI-failure-mode rule pack, slop_score artifacts, provenance-aware review policy hooks, local idiom drift checks, optional provider-backed hybrid triage and semantic review passes, natural-language custom rules through an optional AI runtime, and a verified-fix flow that only returns patches after isolated patch validation plus test reruns succeed.
Rule discovery APIs expose per-check metadata, including execution_model (go-native, language-agnostic, or command-driven) and language_coverage (fixed target languages, repository-wide, or configurable).
```bash
go install github.com/devr-tools/codeguard/cmd/codeguard@latest
```

Or build from source:

```bash
make build
```

Other install paths:
- GitHub Releases: tagged archives for direct download
- Homebrew:

  ```bash
  brew install devr-tools/tap/codeguard
  ```

- GitHub Marketplace Action: Devr Codeguard
- npm (installs a prebuilt binary, no Go toolchain required):

  ```bash
  npm install -g @devr-tools/codeguard
  codeguard version
  ```

- pip (installs a prebuilt binary per platform; the project is devr-codeguard because the plain codeguard name is taken, but the command is still codeguard):

  ```bash
  pip install devr-codeguard
  codeguard version
  ```

```yaml
- name: Devr Codeguard
  uses: devr-tools/codeguard@v0.8.1
```

Or run in Docker:

```bash
docker build -t codeguard .
docker run --rm -v "$PWD:/workspace" -w /workspace codeguard scan
```

For local release automation:
```bash
make commit
make release
make release-check
make deploy
```

For SDK consumers:

```bash
go get github.com/devr-tools/codeguard/pkg/codeguard
```

```bash
codeguard init
codeguard validate -config codeguard.yaml
codeguard doctor -config codeguard.yaml
codeguard scan -config codeguard.yaml
codeguard scan-history
codeguard rules
codeguard profiles
codeguard explain security.hardcoded-credential
codeguard baseline -config codeguard.yaml -output codeguard-baseline.json
```

`codeguard rules` prints each rule's level, execution model, language coverage, section, and title. `codeguard explain <rule-id>` includes the same metadata for a single rule.
By default, codeguard looks for codeguard.yaml, codeguard.yml, or codeguard.json in the repository root. If those are missing, it also checks .codeguard/codeguard.yaml, .codeguard/codeguard.yml, and .codeguard/codeguard.json.
If you point -config at a directory such as .codeguard, codeguard will look inside it for codeguard.* or config.* files.
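The lookup order described above decides which policy file actually governs a scan, so it is worth checking for files that exist but lose. The following is an added example, not codeguard's own code: `resolveConfig` is a hypothetical helper, and it assumes the listed order (yaml, yml, json) is the precedence within each group and that codeguard.* is tried before config.* inside a -config directory, neither of which the text above states.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// Root names first, then the .codeguard/ fallbacks, as the README describes.
// Assumption: within each group the listed order (yaml, yml, json) is the precedence.
var rootCandidates = []string{"codeguard.yaml", "codeguard.yml", "codeguard.json",
	".codeguard/codeguard.yaml", ".codeguard/codeguard.yml", ".codeguard/codeguard.json"}

// Assumption: in a -config directory, codeguard.* is tried before config.*.
var dirCandidates = []string{"codeguard.yaml", "codeguard.yml", "codeguard.json",
	"config.yaml", "config.yml", "config.json"}

// resolveConfig (hypothetical helper, not codeguard's code) returns the config
// file that would be selected and any other candidates that exist but lose.
func resolveConfig(repoRoot, configFlag string) (chosen string, shadowed []string, err error) {
	base, names := repoRoot, rootCandidates
	if configFlag != "" {
		info, statErr := os.Stat(configFlag)
		if statErr != nil {
			return "", nil, statErr
		}
		if !info.IsDir() {
			return configFlag, nil, nil // explicit file: no discovery
		}
		base, names = configFlag, dirCandidates
	}
	for _, n := range names {
		p := filepath.Join(base, filepath.FromSlash(n))
		if info, statErr := os.Stat(p); statErr != nil || !info.Mode().IsRegular() {
			continue
		}
		if chosen == "" {
			chosen = p
		} else {
			shadowed = append(shadowed, p)
		}
	}
	if chosen == "" {
		return "", nil, fmt.Errorf("no codeguard config found under %s", base)
	}
	return chosen, shadowed, nil
}

func main() {
	fmt.Println(resolveConfig(".", ""))
}
```

A non-empty shadowed list in CI means a second config file is present and ignored, which is a useful review signal when a change adds or moves a policy file.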
Text output includes ANSI color and emoji markers by default. Set NO_COLOR=1 if you want plain terminal output.
If you want a JSON starting point instead, use examples/codeguard.json.
Import the SDK from github.com/devr-tools/codeguard/pkg/codeguard.
```go
package main

import (
	"context"
	"log"

	"github.com/devr-tools/codeguard/pkg/codeguard"
)

func main() {
	cfg := codeguard.ExampleConfig()
	report, err := codeguard.Run(context.Background(), cfg)
	if err != nil {
		log.Fatal(err)
	}
	_ = report
}
```