What is a Guideline?

A guideline is a software development rule or best practice written in natural language that explicitly declares an allowed or disallowed pattern — for example, “Always require…” or “Never allow…”. Guidelines are defined in Pandorian and subsequently enforced across your codebase.

Anatomy of a Guideline

Every guideline consists of:

Title: A clear, actionable name that describes the rule (e.g., “Database Queries Must Use Parameterized Statements” or “Microservices Must Own Their Data Storage”).

Description: The rule written in natural language — what should or shouldn’t happen in the code, including context, reasoning, and any exceptions. You can enrich the description with:
  • Good examples showing compliant patterns
  • Bad examples showing what to avoid
  • Specific frameworks, libraries, or internal conventions to reference
  • Any existing Markdown file, which can be pasted directly into the description

Tags: Metadata that allows you to assign and scope each guideline.

Category: The area of focus, such as Security, Architecture, Performance, or API Design. See the full category list below.

Enforcement Mode: Block to block CI/CD and prevent merge on violation, or Monitor to surface violations without blocking development.

Languages: Scopes the guideline to specific languages. Pandorian supports 20+ languages including Python, Java, JavaScript, TypeScript, Go, Scala, and more. See all supported languages.

Dynamic Context Providers (optional): Connect external data sources to your guideline so enforcement stays in sync with your real-world configuration. Instead of hardcoding lists into the description, Pandorian fetches live context at scan time — for example, an approved library allowlist from your internal registry, or a list of sanctioned API routes from your API gateway. See Dynamic Context Providers.

Guideline Examples

Security: “All database operations must use parameterized queries instead of string concatenation to prevent SQL injection attacks. Never concatenate user input directly into SQL strings.”

Performance (C#): “Long-running operations must implement graceful cancellation using CancellationToken with periodic checks using ThrowIfCancellationRequested() within bounded time periods.”

Reliability & Resilience: “Systems must maintain partial functionality during network partitions using circuit breakers, fallback mechanisms, and feature toggles that preserve core services.”

Guidelines capture your team’s standards, architectural decisions, security requirements, and performance best practices in a centralized, enforceable format. They work across your entire tech stack and automatically adapt to your codebase’s specific context.
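As an added illustration (not taken from the Pandorian documentation) of the good/bad example pairs a guideline description can carry, the Python snippet below places the pattern the Security guideline above forbids next to the one it requires. The in-memory table, its rows, and the lookup inputs are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration; not real user records.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("o'brien", "ob@example.com"),
]


def make_db():
    """Build a throwaway in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_email_bad(conn, name):
    """BAD example: the value is spliced into the SQL text, so any quote
    character in the input is parsed as SQL syntax rather than as data."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_email_good(conn, name):
    """GOOD example: the value travels as a bound parameter; the database
    never parses it as SQL, so quotes in the input stay ordinary characters."""
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(name):
    """Run both lookups on the same input and report what each returned.

    A legitimate name containing an apostrophe breaks the concatenated query
    (reported as an error string), and a quote-bearing input can widen the
    WHERE clause to match every row; the parameterized query returns only
    rows whose name is literally equal to the input."""
    conn = make_db()
    try:
        bad = find_email_bad(conn, name)
    except sqlite3.Error as exc:
        bad = f"error: {exc}"
    return {"bad": bad, "good": find_email_good(conn, name)}
```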

Scans

Pandorian offers two scan modes depending on what you need.

PR Scan: Analyzes only the changes introduced in a pull request. Runs via your source control integration (GitHub, GitLab, or Azure DevOps). Violations are flagged in the Pandorian UI for engineering managers to review and analyze, posted as inline comments on the PR, and surfaced as a status check in CI.
When is this used: This is the day-to-day operating mode for Pandorian customers — enforcing guidelines on new code as it is written.

Full Repo Scan: Analyzes an entire repository against selected guidelines.
When is this used: For audits, onboarding new repositories, or getting a complete picture of where your codebase stands against your guidelines.

Violations

A violation is the result of scanned code that violates a guideline. Each violation includes the file path, line range, and an explanation of why the code violates the guideline.

Enforcement

Pandorian supports two enforcement modes:
  • Monitor — surfaces violations for visibility without interrupting development.
  • Block — blocks CI/CD pipelines and prevents merge when a violation is detected.