Manage
Use these workflows to create, import, organize, and enrich the guidelines that Pandorian enforces.
Creating a Guideline from Scratch
Create a custom guideline when you want Pandorian to enforce a rule that is specific to your engineering organization, architecture, frameworks, internal libraries, or coding standards. To create a guideline:
- Navigate to the Guidelines page.
- Click + New Guideline.
- Select Guideline.
- Fill in the required fields.
- Click Save changes.
The guideline fields are:
- Guideline ID: A unique, manually defined identifier for the guideline.
- Title: A clear name for the rule.
- Description: The actual instruction Pandorian should enforce.
- Category: The engineering area this guideline belongs to.
- Language: One or more languages this guideline applies to.
- Blocked mode: Whether the guideline runs in Monitor mode or blocks the build.
- Active or inactive: Whether the guideline is currently enforced.
The available categories are:
- Architecture
- Code Quality and Maintainability
- Data and Storage
- Infrastructure and Environments
- Observability
- Performance and Scalability
- Reliability and Resilience
- Security
Writing a strong guideline
A good guideline is specific, enforceable, and written in a way that Pandorian can evaluate against code. Strong guidelines usually include:
- The rule the code must follow.
- The reason the rule exists.
- Examples of compliant or non-compliant patterns.
- Any important exceptions.
- Language, framework, or architecture context.
Strong example:
All database credentials must be loaded from environment variables or a secrets manager. Do not hardcode usernames, passwords, tokens, or connection strings directly in source code.
This guideline is enforceable because it names the risky pattern, describes the expected behavior, and gives Pandorian enough context to identify violations.
Weak example:
Write secure code.
This guideline is too broad. It does not explain what secure code means, which patterns should be rejected, or what compliant code should look like. For deeper guidance on authoring enforceable guidelines, see Authoring Enforceable Guidelines.
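As an added illustration of the strong example above (not code from this page or from Pandorian), here is a small Python check that flags the risky pattern the guideline names, hardcoded credential literals and credential-bearing connection strings, next to the compliant environment-variable form. The regexes, the Finding type and the sample snippets are constructed for this example.

```python
import re
from dataclasses import dataclass

# Credential-like name assigned a quoted literal, e.g. DB_PASSWORD = "hunter2"
# or apiKey: 'abc'. Constructed heuristic; Pandorian's own evaluation differs.
CREDENTIAL_LITERAL = re.compile(
    r"""(?ix)
    \b\w*(password|passwd|pwd|secret|token|api_?key|username)\w*  # name
    \s*[:=]\s*
    (['"])[^'"]+\2                                                 # quoted value
    """
)
# URL-style connection string carrying user:password@host.
CONNECTION_STRING = re.compile(r"(?i)\b\w+://[^\s'\"/:@]+:[^\s'\"@]+@[^\s'\"]+")

@dataclass(frozen=True)
class Finding:
    line: int
    kind: str
    snippet: str

def find_hardcoded_credentials(source: str) -> list[Finding]:
    """One Finding per line that embeds a credential literal or a
    credential-bearing connection string. Values read via os.environ or
    os.getenv are not quoted literals, so the compliant form yields none."""
    findings = []
    for number, text in enumerate(source.splitlines(), start=1):
        if CONNECTION_STRING.search(text):
            findings.append(Finding(number, "connection-string", text.strip()))
        elif CREDENTIAL_LITERAL.search(text):
            findings.append(Finding(number, "credential-literal", text.strip()))
    return findings

# Constructed non-compliant snippet: the secrets live in source.
NON_COMPLIANT = '''DB_USERNAME = "app"
DB_PASSWORD = "hunter2"
DATABASE_URL = "postgres://app:hunter2@db.internal:5432/orders"
'''
# Constructed compliant snippet: the same settings come from the environment.
COMPLIANT = '''DB_USERNAME = os.environ["DB_USERNAME"]
DB_PASSWORD = os.environ["DB_PASSWORD"]
DATABASE_URL = os.getenv("DATABASE_URL")
'''

if __name__ == "__main__":
    for f in find_hardcoded_credentials(NON_COMPLIANT):
        print(f"line {f.line}: {f.kind}: {f.snippet}")
    print("compliant findings:", find_hardcoded_credentials(COMPLIANT))
```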
Testing a new guideline
After creating a guideline, test it with a PR scan when possible. PR scans are usually the best way to validate a new guideline because they focus on changed code and give you faster feedback. You can also run a full repository scan, but full scans may be limited depending on your plan and should be used more selectively. A recommended rollout is:
- Create the guideline.
- Start in Monitor only mode.
- Run it against a PR.
- Review the violations.
- Refine the guideline if needed.
- Move to Block Build only after you trust the results.
Importing Guidelines from Confluence or Markdown
Use imports when your engineering standards already exist in another place, such as Confluence pages or Markdown files used by engineering teams or AI coding agents. To import guidelines:
- Navigate to the Guidelines page.
- Click + New Guideline.
- Choose one of the import options:
  - from Confluence
  - from File
  - from Catalog
Importing from Confluence
Use the Confluence import when your engineering standards live in Confluence. The flow is:
- Connect your Confluence workspace.
- Choose a Confluence space.
- Select the page you want to import.
- Let Pandorian extract potential guidelines from the page.
- Review and edit the extracted guidelines.
- Save the guidelines you want to use.
Importing from Markdown
Use Markdown import when you have standards written in .md files. The flow is:
- Click + New Guideline from the Guidelines page.
- Select from File.
- Upload a .md file.
- Review the guidelines Pandorian extracts.
- Edit and save the guidelines you want to use.
.md files, you can upload those files to Pandorian and turn the same instructions into enforceable guidelines.
When to use Guidelines as Code instead
Use Guidelines as Code when your team wants to manage guidelines directly from Git and review guideline changes through pull requests.
Guidelines as Code
Guidelines as Code lets teams manage Pandorian guidelines from Markdown files in Git. This is useful when engineering standards should be versioned, reviewed, and updated through the same workflow as code. Teams can use this to keep internal Markdown guidelines or AI coding assistant skill files aligned with the rules Pandorian enforces. Guidelines as Code is configured through the source control integration. For setup details, see Guidelines as Code.
Using the Guidelines Catalog
The Guidelines Catalog gives you a starting point for common engineering standards across supported languages and categories. To import a catalog guideline:
- Navigate to the Guidelines page.
- Click + New Guideline.
- Select from Catalog.
- Browse or search for a guideline.
- Import the guideline into your organization.
- Choose its enforcement mode.
- Add tags if you want to use it with scan policies.
Dynamic Context Providers
Some guidelines need live context, not just static text. Dynamic Context Providers let guidelines evaluate code against real-time data, such as approved libraries, internal API routes, active feature flags, or configuration flags. A provider can be configured with:
- Title
- Command
- Grep
- Timeout
Scope
Use scoping to control where guidelines run, which code they apply to, and which files Pandorian should ignore.
Scoping Guidelines
Scoping lets you decide which guidelines should run against which repositories, languages, paths, or parts of the codebase. Pandorian supports scoping by repository, language, guideline tags, and paths. Use scoping to make sure each guideline runs only where it is relevant.
Scan Policies
Scan Policies let you define exactly where and how guidelines run — which paths to ignore, and which guideline groups to scope to specific files or directories. Repo-level overrides take precedence over org-level defaults. Navigate to Scan Policies in the Pandorian dashboard to configure.
Organization Policy
Organization-level policy applies across all repositories by default.
Ignored Paths: Paths that should never be scanned, applied to all guidelines. Use this to exclude vendor code, generated files, test fixtures, or any directory that shouldn’t be subject to enforcement. Click Ignore a path to add an exclusion.
Guideline Scoping: Restrict a guideline group to specific paths only. Rather than running all guidelines across the entire codebase, scoping rules let you target enforcement by tag — for example, applying security guidelines only to the auth service, or data guidelines only to migration files. Click Add scoping rule to configure.
Repository Overrides
Repository overrides let you customize scan policy for a specific repository, overriding the organization defaults. This is useful when a particular repo has different conventions, third-party code that should be excluded, or guidelines that only apply in that context. Click Add repository override to configure.
Examples
Ignoring test files across all repositories:
Test files shouldn’t be subject to the same enforcement as production code. Add your test file glob patterns as ignored paths — Pandorian will skip those files across all guidelines without any per-guideline configuration.
Scoping compliance guidelines to sensitive services:
Your organization has a set of guidelines tagged pci-compliance. Rather than running them across every repository, create a scoping rule that restricts them to repos or paths containing payment processing code. Every other repo is unaffected.
Scoping security guidelines to the auth layer:
Security guidelines tagged auth should only apply to the /src/auth directory. Set a scoping rule so those guidelines run exclusively on that path — reducing noise in unrelated parts of the codebase while enforcing strictly where it matters.
Overriding org defaults for a legacy repository:
Your org-wide policy excludes test files from scanning. A legacy repo requires the opposite — tests are the only place certain patterns are enforced. Add a repository override to configure a different ignored paths policy for that repo without affecting the rest of the organization.
Policy as Code
Policy as Code lets you configure repository-level settings as code, so Pandorian knows which guidelines to run and when to block pull requests without managing these rules outside the codebase. A Pandorian policy is defined in a .Pandorian/.policy file inside the repository and applies to both full repository scans and PR scans.
Policy as Code can define:
- Which guideline tags apply to the repository.
- Which files or directories should be excluded from scans.
- Which guideline tags should apply only to specific paths.
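The ignore, scoping and override rules described under Scan Policies and Policy as Code, worked through as an added Python example (not Pandorian's code and not its .policy file format). The Policy data model, the field-by-field override precedence, the fnmatch glob semantics and the sample repositories and tags are assumptions made for this illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass
class Policy:
    # Globs never scanned by any guideline. fnmatch semantics are assumed: '*'
    # also crosses '/', so 'tests/*' covers every file under tests/.
    # None means "not set at this level".
    ignored_paths: list[str] | None = None
    # Tag -> globs: guidelines carrying that tag run only on matching paths.
    # Tags absent from the map run everywhere that is not ignored.
    scoped_tags: dict[str, list[str]] | None = None

def _matches(path: str, patterns: list[str]) -> bool:
    return any(fnmatchcase(path, p) for p in patterns)

def resolve(org: Policy, overrides: dict[str, Policy], repo: str) -> Policy:
    """Assumed precedence: a repository override replaces the org setting
    field by field; fields it leaves unset fall back to the org default."""
    ov = overrides.get(repo, Policy())
    ignored = (org.ignored_paths or []) if ov.ignored_paths is None else ov.ignored_paths
    scoped = (org.scoped_tags or {}) if ov.scoped_tags is None else ov.scoped_tags
    return Policy(ignored, scoped)

def tags_to_run(org: Policy, overrides: dict[str, Policy], repo: str,
                path: str, all_tags: set[str]) -> set[str]:
    """Guideline tags that should evaluate `path` in `repo`; empty if ignored."""
    policy = resolve(org, overrides, repo)
    if _matches(path, policy.ignored_paths):
        return set()
    return {tag for tag in all_tags
            if policy.scoped_tags.get(tag) is None
            or _matches(path, policy.scoped_tags[tag])}

# Constructed org policy and one repository override mirroring the examples above.
ORG = Policy(
    ignored_paths=["*_test.py", "tests/*"],
    scoped_tags={"auth": ["src/auth/*"], "pci-compliance": ["services/payments/*"]},
)
OVERRIDES = {
    # Legacy repo where tests are the only place these patterns are enforced:
    # its override swaps the ignore list rather than extending it.
    "legacy-billing": Policy(ignored_paths=["src/*"]),
}
ALL_TAGS = {"security", "auth", "pci-compliance", "code-quality"}

if __name__ == "__main__":
    for repo, path in [("api", "src/auth/login.py"), ("api", "tests/test_login.py"),
                       ("legacy-billing", "tests/test_cc.py")]:
        print(repo, path, sorted(tags_to_run(ORG, OVERRIDES, repo, path, ALL_TAGS)))
```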
Enforce
Use these workflows to run scans, review violations, and enforce guidelines in pull requests.
Running a Repository Scan
Pandorian supports two scan types:
- Full repository scans
- PR scans
Running a full repository scan
To run a full repository scan:
- Navigate to the Repositories page.
- Select the repository you want to scan.
- Click the play button.
- Choose the guideline you want to scan against.
- Start the scan.
Running a PR scan
PR scans run automatically after source control is connected. A PR scan is triggered when:
- A new pull request is opened.
- A developer pushes updates to an existing pull request.
- A pull request is reopened.
Reviewing scan results
Scan results show:
- Repository
- Scan ID
- Violations count
- Duration
- Status
- Guidelines checked
Viewing Violations from the Scans Page or Guidelines Page
Pandorian gives you two main ways to view violations: from the Scans page or from the Guidelines page. Use the Scans page when you want to review the result of a specific scan. Use the Guidelines page when you want to understand all violations related to a specific guideline.
Viewing violations from the Scans page
The Scans page is best for reviewing scan-level results. Each scan shows information such as:
- Started At
- Scan ID
- Violations
- Duration
- Status
- Repository
- Pull request, when relevant
The Scans page can also be filtered by:
- Scan type
- PR status
- Date range
- Repository
- With violations
- Without violations
- Opened
- Merged
- Closed
Viewing violations from the Guidelines page
The Guidelines page is best for understanding violations by guideline. From the Guidelines page, open a guideline or click its violation badge to see violations related to that rule across scans. This view is useful when you want to understand how widespread a guideline violation is, which repositories are affected, or whether a guideline is ready to move from Monitor mode to Block Build mode.
Setting Up PR Enforcement as a CI Check
Pandorian integrates with source control so guidelines can be enforced directly in pull requests. Supported source control providers include:
- GitHub
- GitLab
- Azure DevOps
Monitor mode
Monitor mode reports violations without blocking the build. Use Monitor mode when introducing new guidelines, testing guideline quality, or rolling Pandorian out gradually across teams. In Monitor mode, developers and engineering leaders can see violations, but the build is not blocked.
Block Build mode
Block Build mode blocks the build when violations are found. Use Block Build mode only after you have validated the guideline and trust the results. A recommended rollout is:
- Start in Monitor mode.
- Review real violations over time.
- Refine the guideline if needed.
- Move to Block Build mode when the team is confident in the rule.
Skipping a CI check
For a specific scan, you can skip the CI check from the Scans page. Click Skip CI Check to skip blocking behavior for that scan. The scan still runs, but the CI check is skipped for that specific PR.
Reading Violation Reports
Violation reports show where code does not comply with a guideline and what the developer can do next. A violation report can include:
- Guideline title
- Repository
- File path
- Line number
- Code snippet
- Explanation
- Fix suggestion
Viewing the affected code
Click View Code to inspect the relevant code around the violation. Use this when you want to understand the exact context before taking action.
Generating a fix
Click Generate Fix to create remediation instructions. Generate Fix produces Markdown instructions that can be copied into an AI coding agent or used by a developer. The Markdown includes code suggestions, but it does not automatically create a patch or pull request.
Archiving a violation
Click Archive Violation when a finding is no longer relevant. Archived violations are excluded from future Jira ticket creation and reporting views. Use archive for findings that are accepted, irrelevant, or no longer useful to track.
Creating Jira issues
If Jira is connected, Pandorian can create Jira issues from guideline violations. From the Guidelines page, click the violation badge on a guideline, then click Create Issue. Pandorian generates a ticket draft containing all current open violations for that guideline in bulk. Before creating a Jira ticket, archive irrelevant violations so they are not included in the generated issue. For Jira setup details, see Jira Integration.
Admin
Use these workflows to bring your team into Pandorian and manage access.
Onboarding Users
Admins can invite users from the Users page. To invite a user:
- Navigate to the Users page.
- Click Invite user.
- Enter the user’s name.
- Enter the user’s email address.
- Choose a role.
- Send the invite.
Roles
Pandorian supports four roles:
- Owner: Full access to all organization settings and resources. Use this for the person responsible for the Pandorian organization, billing, security-sensitive settings, and top-level administration.
- Admin: Administrative access with user management capabilities. Use this for team members who need to manage users and help administer the organization.
- Maintainer: Can manage repositories and guidelines. Use this for platform engineers, architects, or engineering leads who own guideline creation, repository setup, and day-to-day rule management.
- Member: Basic access to view and contribute. Use this for developers or stakeholders who need access to Pandorian but should not manage organization-wide settings.
SSO
Pandorian supports SSO for enterprise authentication. SSO is not self-serve in the product today. Contact the Pandorian team to configure SSO for your organization. Pandorian supports common SSO setups, including providers such as:
- Google Workspace
- Microsoft Entra ID or Azure AD
- Okta
- OneLogin
