Skip to main content
Pandorian integrates into your existing development workflow to enforce guidelines continuously and automatically. This guide covers setting up PR scanning, CI/CD integration, notifications, and more.

GitHub App & Pull Request Scanning

The fastest way to enforce guidelines is through automatic PR scanning via the GitHub App.

How PR Scanning Works

Once you install the Pandorian GitHub App (done during initial setup), you control PR scanning at the guideline level. This means you explicitly choose which guidelines should run automatically on pull requests. What happens during a PR scan:
  1. Developer opens or updates a pull request
  2. Pandorian scans only the modified files against guidelines configured for PR scanning
  3. Violations appear in two places:
    • Inline comments on specific lines of code where violations occur
    • Summary comment on the PR with an overview of all violations found
  4. The PR check appears in GitHub’s status checks (can be configured as required or optional)

Configuring Which Guidelines Run on PRs

PR scanning is controlled at the individual guideline level, giving you granular control over what gets enforced and when. When creating or editing a guideline:
  1. Navigate to the Guidelines page
  2. Create or edit a guideline
  3. Look for the Enforce On field (or scan level configuration)
  4. Choose the scope:
    • Full Scan - Runs only during manual full repository scans
    • Repository Scan - Runs during repository scans (same as Full)
    • PR Scan - Runs automatically on every pull request
    • All - Runs on both full scans and PR scans (recommended for most guidelines)
Best Practice: Set critical guidelines (security, production-readiness, API design standards) to PR Scan or All to catch issues before they’re merged. Use Full Scan for broader quality checks that don’t need immediate PR enforcement.

Managing PR Scan Results

When violations are found on a PR: Inline Comments:
  • Appear directly on the lines of code that violate guidelines
  • Include the guideline name, severity, and brief explanation
  • Link back to the full guideline in Pandorian dashboard
Summary Comment:
  • Posted at the PR level with a complete list of violations
  • Grouped by file and guideline
  • Includes violation counts and severity breakdown
Status Check:
  • Appears in GitHub’s checks section
  • Can be configured as a required check to block merges (recommended)
  • Links to detailed scan results in Pandorian dashboard

Repository-Level Configuration

To adjust which repositories use PR scanning:
  1. Navigate to the Repositories page in Pandorian
  2. Find your repository
  3. Toggle PR scanning on/off (enabled by default)
  4. Configure whether PR scan failures should block merges (in GitHub’s branch protection rules)

CI/CD Integration

For teams that want custom enforcement workflows, Pandorian provides an API for direct integration into CI/CD pipelines.

Integration Method

Pandorian uses direct API calls to trigger scans and retrieve results. This gives you full control over:
  • When scans run (on commit, nightly, before deploy, etc.)
  • How failures are handled (block pipeline, send notifications, generate reports)
  • Which guidelines to enforce in different environments

Guidelines as Code

Learn how to sync engineering standards directly from your repository

While you can create guidelines via the Pandorian Dashboard, many high-velocity teams prefer to manage their standards directly within their code repositories. This “Guidelines as Code” approach allows you to treat your engineering requirements as “breathing documentation” that evolves alongside your features. If your team already uses tools like Claude Skills or internal markdown files to guide AI coding assistants, you can sync those same files to Pandorian. This ensures that the rules your AI uses to write code are the exact same rules Pandorian uses to validate code at the Pull Request level / Full Codebase scans.

How it Works

  1. Source Selection: In the ‘Integrations’ tab you designate a specific repository and a “base directory” (e.g., /docs/guidelines) where your standards live.
  2. Automated Sync: Pandorian monitors this directory for .md files.
  3. Enforcement: Any change to these files triggers an update in Pandorian upon every merge to the main branch. These updated guidelines are then immediately enforced across all your associated repositories during scans.

File Structure & Metadata

To be recognized by Pandorian, each Markdown file must contain a YAML frontmatter block. This block includes a pandorian-metadata section that maps the file to the Pandorian engine.

Required Metadata Attributes

AttributeTypeDescription
idstringA unique identifier for the guideline (e.g., scala-expert).
languagestringThe target language (e.g., scala, python, etc).
titlestringThe clear, actionable name of the rule.
prioritystringThe importance level (e.g., high, medium, low).
categorystringThe area of focus (e.g., security, performance, architecture).
is_activebooleanToggle whether this guideline is currently being enforced.
tagslistA list of strings for easier filtering and organization.

Supported Categories

The category attribute must match one of the following supported values:
  • Architecture
  • Code Quality & Maintainability
  • Reliability & Resilience
  • Performance & Scalability
  • Security
  • Data & Storage
  • Infrastructure & Environments
  • Observability

Supported Languages

The language attribute must match one of the following supported values:
  • c
  • cobol
  • cpp
  • csharp
  • dockerfile
  • elixir
  • go
  • haskell
  • java
  • javascript
  • kotlin
  • lua
  • perl
  • php
  • python
  • ruby
  • rust
  • scala
  • swift
  • terraform
  • typescript

Implementation Example

Create a file named scala-expert.md in your designated guidelines directory: 
---
name: scala-expert
description: Guidelines for functional Scala 2.13.
pandorian-metadata:
  id: scala-expert
  language: scala
  title: Scala Functional Programming Expert
  priority: high
  category: code-quality
  is_active: true
  tags: [scala, functional-programming, cats, fs2]
---

# Scala Functional Programming Standards

You are an elite Scala developer. When writing or reviewing code, ensure:
- **Immutability First**: Always use `val` over `var` and prefer immutable collections.
- **Referential Transparency**: Effects must be properly tracked in the type system using `IO`.
- **Resource Management**: Use `Resource` for anything requiring cleanup (e.g., database connections).

### Prohibited Patterns
- Never use `null`. Use `Option` instead.
- Avoid `Thread.sleep`; use `IO.sleep` for non-blocking delays.

Configuration Steps

  1. Navigate to Integrations > Connections > Github in the Pandorian Platform
  2. Select the repository containing your .md files
  3. Provide the top-level directory path (e.g., /docs/guidelines)
  4. Save to trigger an initial scan and import your guidelines
Any subsequent commits to these files will trigger an update in Pandorian, ensuring your PR enforcement is always in sync with your latest standards.

GitHub Actions Integration

Here’s an example workflow that runs Pandorian scans on every push and blocks the pipeline if violations are found: 
name: Pandorian Code Enforcement

on:
  push:
    branches: [ main, develop ]
  pull_request:
    branches: [ main ]

jobs:
  pandorian-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      - name: Trigger Pandorian Scan
        env:
          PANDORIAN_API_KEY: ${{ secrets.PANDORIAN_API_KEY }}
          PANDORIAN_ORG_ID: ${{ secrets.PANDORIAN_ORG_ID }}
        run: |
          SCAN_ID=$(curl -X POST https://api.pandorian.ai/v1/scans \
            -H "Authorization: Bearer $PANDORIAN_API_KEY" \
            -H "Content-Type: application/json" \
            -d '{
              "organization_id": "'$PANDORIAN_ORG_ID'",
              "repository": "'$GITHUB_REPOSITORY'",
              "commit": "'$GITHUB_SHA'",
              "scan_type": "commit"
            }' | jq -r '.scan_id')
          
          echo "SCAN_ID=$SCAN_ID" >> $GITHUB_ENV

      - name: Wait for Scan Completion
        env:
          PANDORIAN_API_KEY: ${{ secrets.PANDORIAN_API_KEY }}
        run: |
          while true; do
            STATUS=$(curl -s https://api.pandorian.ai/v1/scans/$SCAN_ID \
              -H "Authorization: Bearer $PANDORIAN_API_KEY" | jq -r '.status')
            
            if [ "$STATUS" = "completed" ]; then
              break
            elif [ "$STATUS" = "failed" ]; then
              echo "Scan failed"
              exit 1
            fi
            
            sleep 10
          done

      - name: Check for Violations
        env:
          PANDORIAN_API_KEY: ${{ secrets.PANDORIAN_API_KEY }}
        run: |
          VIOLATIONS=$(curl -s https://api.pandorian.ai/v1/scans/$SCAN_ID/violations \
            -H "Authorization: Bearer $PANDORIAN_API_KEY" | jq '.total_violations')
          
          if [ $VIOLATIONS -gt 0 ]; then
            echo "Found $VIOLATIONS guideline violations"
            echo "View details: https://app.pandorian.ai/scans/$SCAN_ID"
            exit 1
          else
            echo "No violations found"
          fi
Configuration:
  1. Generate an API key from Pandorian dashboard (Settings → API Keys)
  2. Add secrets to your GitHub repository:
    • PANDORIAN_API_KEY
    • PANDORIAN_ORG_ID
  3. Commit the workflow file to .github/workflows/pandorian.yml

CircleCI Integration

version: 2.1

jobs:
  pandorian-scan:
    docker:
      - image: cimg/base:stable
    steps:
      - checkout
      
      - run:
          name: Trigger Pandorian Scan
          command: |
            SCAN_ID=$(curl -X POST https://api.pandorian.ai/v1/scans \
              -H "Authorization: Bearer $PANDORIAN_API_KEY" \
              -H "Content-Type: application/json" \
              -d '{
                "organization_id": "'$PANDORIAN_ORG_ID'",
                "repository": "'$CIRCLE_PROJECT_USERNAME/$CIRCLE_PROJECT_REPONAME'",
                "commit": "'$CIRCLE_SHA1'",
                "scan_type": "commit"
              }' | jq -r '.scan_id')
            
            echo "export SCAN_ID=$SCAN_ID" >> $BASH_ENV
      
      - run:
          name: Wait for Scan and Check Results
          command: |
            # Wait for completion (similar logic to GitHub Actions)
            # Check violations and exit with code 1 if found

workflows:
  main:
    jobs:
      - pandorian-scan

Blocking vs Reporting Mode

Blocking Mode (recommended for production):
  • Pipeline fails if violations are found
  • Prevents non-compliant code from being deployed
  • Set exit code 1 when violations > 0
Reporting Mode (useful for gradual rollout):
  • Pipeline continues regardless of violations
  • Scan results logged for visibility
  • Set exit code 0 always, just log violations
Choose your mode by adjusting the final step’s exit code behavior.

Policy as Code

Policy as Code lets you configure repository-level enforcement policy directly in Git, so Pandorian knows which guidelines to run and when to block pull requests - without requiring you to set these rules outside your codebase. The policy is defined inside the repo (using the .Pandorian/.policy file), and we apply it on every full / PR scan.

Example Policy

repository_guidelines_tags:
  - guideline_tag: v2

severity_thresholds:
  - severity: High
    block_on_greater: 1
  - severity: Critical
    block_on_greater: 2
  - severity: Medium
    block_on_greater: 5

What this configuration means

  • Scan scope: Scan this repository only for guidelines tagged with v2.
  • Enforcement: For scan results, Pandorian uses severity thresholds to decide when to block the PR (merge-gating).
Specifically:
  • High: Block when there are more than 1 High findings.
  • Critical: Block when there are more than 2 Critical findings.
  • Medium: Block when there are more than 5 Medium findings.

Repository Policy Schema

The following schema defines the policy rules available for a specific repository. 
# RepositoryPolicy Schema
# Defines policy rules for a specific repository within an organization

# Unique identifier for the repository this policy applies to.
# Links the policy configuration to a specific codebase.
repository_id: string  # required

# Severity threshold rules that determine when the system should warn or block.
# Used to enforce code quality gates based on issue severity counts.
severity_thresholds:  # optional
  # The severity level this threshold applies to (e.g., "critical", "high", "medium", "low").
  - severity: string
    # Number of issues at this severity that triggers a blocking error.
    # If the count exceeds this value, the check fails.
    block_on_greater: int

# Rules for excluding files or directories from analysis.
# Useful for ignoring vendor code, generated files, or other paths that shouldn't be scanned.
exclusions:  # optional
    # The matching strategy to use:
    #    - exact:   Matches files where the filename exactly equals the value
    #    - prefix:  Matches files where the filename starts with the value
    #    - suffix:  Matches files where the full path ends with the value (e.g., ".gen.go")
    #    - dir:     Matches if any directory component in the path equals the value (e.g., "vendor", "node_modules")
    #    - pattern: Uses glob pattern matching against the filename (e.g., "*.test.js")
  - type: string
    # The value to match against, interpreted based on the type above.
    value: string
    # Whether the match should be case-sensitive.
    # When false, both path and value are lowercased before comparison.
    case_sensitive: bool

# Rules for associating guidelines with this repository based on tags.
# Allows selective application of organizational guidelines to specific repos.
repository_guidelines_tags:  # optional
  # The tag identifier that links to a set of guidelines.
  # Guidelines with matching tags will be applied during analysis.
  - guideline_tag: string

Comprehensive Configuration Example

This example demonstrates a full .Pandorian/.policy file configuration including guideline tagging, severity thresholds, and exclusion rules. 
# Repository Policy Configuration Example
# ========================================

# Guidelines Configuration
# ------------------------
# This repository will be analyzed using guidelines tagged with "v2".
# Only guidelines that have the "v2" tag will be applied during code analysis.
repository_guidelines_tags:
  - guideline_tag: v2

# Severity Thresholds
# -------------------
# These thresholds define the quality gates for this repository.
# The system evaluates issue counts against these rules to determine pass/fail status.
severity_thresholds:
  # High Severity: Strict enforcement
  # Blocks the pipeline if more than 1 High severity issue is found (i.e., 2+)
  - severity: High
    block_on_greater: 1

  # Critical Severity: Slightly more lenient count, but still important
  # Blocks if more than 2 Critical issues are found (i.e., 3+)
  - severity: Critical
    block_on_greater: 2

  # Medium Severity: More permissive threshold
  # Blocks only if more than 5 Medium issues are found (i.e., 6+)
  - severity: Medium
    block_on_greater: 5

# Exclusion Rules
# ---------------
# These rules define which files/directories should be skipped during analysis.
# Useful for ignoring third-party code, generated files, or test fixtures.
exclusions:
  # Exclude all vendor directories (common in Go projects)
  # Matches any path containing a "vendor" directory component
  # e.g., "src/vendor/pkg/file.go", "vendor/module/main.go"
  - type: dir
    value: vendor
    case_sensitive: true

  # Exclude generated protobuf files
  # Matches any file ending with ".pb.go"
  # e.g., "api/service.pb.go", "proto/messages.pb.go"
  - type: suffix
    value: .pb.go
    case_sensitive: true

  # Exclude all test files using glob pattern
  # Matches filenames like "user_test.go", "handler_test.go"
  - type: pattern
    value: "*_test.go"
    case_sensitive: true

  # Exclude node_modules directory (for JS/TS projects)
  # Matches any path with "node_modules" as a directory component
  - type: dir
    value: node_modules
    case_sensitive: true

  # Exclude a specific generated file by exact name
  # Only matches files named exactly "generated_mocks.go"
  - type: exact
    value: generated_mocks.go
    case_sensitive: true

  # Exclude all files starting with a dot (hidden files)
  # Matches ".gitignore", ".eslintrc", etc.
  - type: prefix
    value: "."
    case_sensitive: false

Slack Integration

Get notified when scans complete and violations are found.

Setting Up Slack Notifications

  1. Navigate to Settings → Integrations in Pandorian dashboard
  2. Click Connect Slack
  3. Authorize Pandorian to access your Slack workspace
  4. Choose which channel receives notifications
  5. Configure notification preferences:
    • Scan completion (all scans or only failed scans)
    • New violations found
    • Scan summary reports

Notification Types

Scan Completion:
  • Triggered when any scan finishes
  • Includes violation count, severity breakdown, and link to results
New Violations:
  • Alerts when new violations are introduced (PR scans)
  • Shows file paths and guideline names
Daily/Weekly Summaries:
  • Aggregated reports of organization-wide compliance
  • Trends and improvement metrics

Enforcement Layer Positioning

Pandorian is designed as an enforcement layer that sits above your development tools—agnostic to how code is written (Cursor, Windsurf, manual reviews, AI review tools) and flexible in how it’s integrated.

Integration Models

Model 1: Parallel to CI/CD
  • Pandorian runs alongside your existing CI/CD pipeline
  • Catches issues that traditional linters and tests miss
  • Works as an additional required check before merge
Model 2: As a CI/CD Check
  • Pandorian integrated directly into your pipeline (via API)
  • Runs after tests, before deployment
  • Blocks deployment if critical violations found
Model 3: GitHub App Only
  • Simplest setup—no CI/CD configuration required
  • Automatic enforcement on all pull requests
  • Developers see violations immediately in their workflow
Most teams use a combination: GitHub App for PR feedback + CI/CD integration for pre-deployment validation.

VS Code Extension (Coming Soon)

We’re building a VS Code extension that will bring Pandorian directly into your editor: Planned Features:
  • Real-time guideline enforcement as you write code
  • Inline suggestions and quick fixes
  • Browse and search your organization’s guideline catalog
  • One-click scanning of open files or workspace
  • Integration with AI coding assistants
Stay tuned for the beta release.

Best Practices

Start with PR Scanning: Enable automatic PR scanning first—this gives developers immediate feedback without additional configuration. Use CI/CD for Critical Paths: Add CI/CD integration for production deployments where you need absolute enforcement. Configure Severity Appropriately:
  • High severity → Block merges/deployments
  • Medium severity → Require review/acknowledgment
  • Low severity → Report only, don’t block
Gradual Rollout: When introducing Pandorian to an existing codebase, start in reporting mode, identify violation trends, then enable blocking gradually.

Troubleshooting

PR scans not running:
  • Verify GitHub App is installed for the repository
  • Check that guidelines have PR Scan enforcement enabled
  • Confirm repository has PR scanning active (Repositories page)
CI/CD pipeline failing:
  • Verify API key is valid and has correct permissions
  • Check API endpoint URLs are correct
  • Ensure scan completion polling doesn’t timeout
Too many false positives:
  • Refine guideline descriptions to be more specific
  • Adjust enforcement scope (Full vs PR vs All)
  • Contact support for guideline tuning assistance (Pro and Enterprise tiers only)

Need Help?