Compliance

Compliance evaluations check your infrastructure code against rulesets and report whether each rule passes, fails, or can't be determined. Evaluations can run manually, automatically after agent sessions, or as part of your GitHub CI pipeline. For an overview of how compliance works at the workspace level, see Workspace Compliance.

How evaluation works

When a compliance evaluation runs, an AI-powered agent explores your codebase using read-only tools. It reads files, searches for patterns, and checks each rule against the actual code. Every finding includes a justification citing specific files and line numbers.

Each rule gets one of three statuses.

  • Pass. The agent found concrete evidence that the rule is being followed.
  • Fail. The rule is violated or something required is missing from the codebase.
  • Unknown. The agent couldn't find enough evidence to determine compliance. This happens for rules about processes or behaviors that can't be verified from code alone.

The compliance score is calculated from pass and fail counts. Unknown rules are excluded from the score.

Running evaluations

There are several ways to trigger an evaluation.

Manual. Click "Run Evaluation" on the workspace compliance page.

Agent. The workspace agent can run run_compliance_check() during a session. If auto-compliance is enabled in enterprise settings, the agent runs this automatically after each session.

CI. When CI compliance checks are enabled, evaluations run automatically on every pull request. Results are posted as GitHub Check Runs with inline annotations.

Overrides

Any finding can be overridden by a workspace editor, except findings on rules marked as required, which cannot be overridden. An override sets the finding to one of three values.

  • Pass counts the rule as compliant (useful when the checker missed existing code).
  • Fail counts the rule as non-compliant.
  • Exclude removes the rule from scoring entirely (for rules that don't apply to this workspace).

Overrides apply across all evaluations and persist until revoked. Each override includes a justification and tracks who created and revoked it.

CI compliance checks

When CI compliance is enabled, Infracodebase automatically evaluates code on every pull request and posts the result as a GitHub Check Run. Developers see pass/fail status and inline annotations showing which files triggered failures, directly in the PR diff.

Setup

  1. Install the Infracodebase GitHub App on your GitHub organization.
  2. Connect a repo to a workspace in Infracodebase.
  3. Add compliance rulesets to the workspace.
  4. Go to Enterprise Settings > Compliance and enable "CI Compliance Checks."
  5. Set your minimum score threshold (default is 80%).

No YAML files, workflow changes, or API keys are needed.

How it works

When a developer opens a PR or pushes new commits, GitHub sends a webhook to Infracodebase. Infracodebase clones the repo at the PR's commit SHA, runs the compliance agent against your rulesets, and posts the results back as a Check Run. Failed findings appear as inline annotations in the PR diff, pointing to the exact file and line.

Required rulesets and required rules

Enterprise rulesets marked as "required" guarantee coverage: they are always enabled on every workspace and cannot be disabled. This ensures all teams are evaluated against the same baseline standards. See Rulesets for more on required vs optional rulesets.

CI enforcement is controlled at the individual rule level. Rules marked as "required" act as hard gates. Any failure on a required rule fails the Check Run regardless of the overall score. This lets you mandate a broad ruleset across the organization while only hard-gating the specific rules that matter most for CI.

Branch protection

After enabling CI compliance, you can require the check to pass before merging. See GitHub's documentation on status checks for full details.

  1. Go to your GitHub repo settings > Branches > Branch protection rules.
  2. Enable "Require status checks to pass before merging."
  3. Search for "Infracodebase Compliance" and add it as a required check.

Compliance settings

Compliance settings are in Enterprise Settings > Compliance.

  • Auto Compliance Scoring. When enabled, the agent automatically evaluates compliance after each session.
  • CI Compliance Checks. When enabled, evaluations run on every pull request via GitHub webhooks. Requires the GitHub App to be installed.
  • Minimum Score to Pass. The threshold for CI checks (0-100%). PRs with a score below this fail the check. A failure on a required rule fails the check regardless of this threshold.
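Taken together, the scoring rule (pass and fail counts, unknown excluded), the override rules (required rules exempt) and the CI gate (required-rule hard gate, then the minimum score) form one decision procedure. The following Python model of that procedure is an added example, not Infracodebase's code; the pass/(pass+fail) formula, the override dictionary shape, the behaviour when nothing is scored, and the rule names are assumptions.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Finding:
    rule: str
    status: str             # "pass", "fail" or "unknown" as reported by the evaluation
    required: bool = False  # required rules are hard gates and cannot be overridden

def apply_overrides(findings, overrides):
    """Apply {rule: "pass"|"fail"|"exclude"} overrides (assumed shape); required rules are left untouched."""
    effective = []
    for f in findings:
        ov = overrides.get(f.rule)
        if ov is None or f.required:
            effective.append(f)
        elif ov in ("pass", "fail"):
            effective.append(replace(f, status=ov))
        elif ov != "exclude":            # "exclude" simply drops the rule from scoring
            raise ValueError(f"unknown override {ov!r} for rule {f.rule}")
    return effective

def compliance_score(findings):
    """Percent of scored rules that pass (pass/(pass+fail)*100 is assumed); unknown is excluded."""
    scored = [f for f in findings if f.status in ("pass", "fail")]
    if not scored:
        return None
    return 100.0 * sum(f.status == "pass" for f in scored) / len(scored)

def ci_check(findings, overrides=None, min_score=80.0):
    """Check Run decision: a failed required rule is a hard gate, otherwise score vs threshold."""
    effective = apply_overrides(findings, overrides or {})
    score = compliance_score(effective)
    hard = sorted(f.rule for f in effective if f.required and f.status == "fail")
    if hard:
        return {"passed": False, "score": score, "reason": "required rule failed: " + ", ".join(hard)}
    if score is None:                    # nothing scored and no hard failure: assumed to pass
        return {"passed": True, "score": None, "reason": "no scored rules"}
    ok = score >= min_score
    return {"passed": ok, "score": score,
            "reason": f"score {score:.1f}% {'meets' if ok else 'is below'} threshold {min_score:.0f}%"}

# Constructed sample evaluation; rule names are invented for illustration.
SAMPLE = [
    Finding("encrypt-at-rest", "fail", required=True),
    Finding("resource-tagging", "pass"),
    Finding("mfa-enforced", "unknown"),  # process rule, not verifiable from code
    Finding("backup-rotation", "fail"),
    Finding("logging-enabled", "pass"),
]
```

With the sample data, `ci_check(SAMPLE)` fails on the required rule even though overriding it to "pass" is attempted, while excluding the non-required failing rule lifts the score from 75% to 100% once the required rule passes.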