This guide will walk you through setting up Pandorian and experiencing the core value: writing an engineering guideline in natural language, running a scan, and finding violations instantly.

Time to first scan: ~10 minutes

Prerequisites

  • Account with access to at least one repository
  • Repository admin permissions (required to install the source control integration)

Step 1: Sign Up and Connect Your Source Control

  1. Visit app.pandorian.ai
  2. Click Sign Up
  3. Connect your source control provider — Pandorian supports GitHub, GitLab, and Azure DevOps
  4. Complete the app installation and choose which repositories to connect

Once connected, you’ll see your repositories in the Pandorian dashboard.

Step 2: Create Your First Guideline

You have two options: create a custom guideline from scratch, or import from an existing source.

Option A: Create a Custom Guideline

  1. Navigate to the Guidelines page
  2. Click + New Guideline (top right)
  3. Select Create Guideline
  4. Fill out the guideline form:
    • Guideline ID: A unique identifier (e.g., SEC-001, PERF-002)
    • Category: Select a category (Security, Performance, Code Quality, etc.)
    • Language: Choose the programming language(s) this applies to
    • Title: Clear, actionable name for your rule
    • Description: Write your guideline in natural language. Be specific about what should or shouldn’t happen in the code.
    • Enforcement Mode: Set to Block (fails CI/CD on violation) or Monitor (surfaces violations without blocking)
    • Enforce On: Which repositories this guideline applies to (default: ALL)
    Example guideline:
    Title: Production Flask Applications Must Use Production-Ready WSGI Servers
    Description: Flask’s built-in development server must not be used in production environments. Applications must use production WSGI servers like Gunicorn, uWSGI, or Waitress with proper worker configuration to handle concurrent requests.
  5. Click Create Guideline
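To make the example guideline concrete, here is an added illustration (not Pandorian's own code, and not how Pandorian evaluates guidelines, which it does from the natural-language description). It places a constructed Flask module that violates the rule beside a compliant one, and includes a small AST-based check that flags `.run(...)` calls reachable at import time, i.e. outside an `if __name__ == "__main__":` guard. The compliant layout is what a production server such as Gunicorn expects: it imports `app` from the module (`gunicorn --workers 4 --bind 0.0.0.0:8000 wsgi:app`) without starting the development server. Module and function names are assumptions for this example.

```python
"""Added example: the Flask guideline above, made concrete with a tiny checker.

This is illustrative code written for this guide, not Pandorian's scanner.
Both sample sources below are constructed for the example.
"""
import ast

# Constructed sample that VIOLATES the guideline: app.run() executes at import
# time, so any WSGI server that imports this module also starts the Werkzeug
# development server, and debug=True exposes the interactive debugger.
VIOLATING_SOURCE = '''
from flask import Flask
app = Flask(__name__)

@app.route("/")
def index():
    return "hello"

app.run(host="0.0.0.0", port=8000, debug=True)
'''

# Constructed sample that COMPLIES: app.run() is only reachable when the file is
# executed directly for local development. In production the module is served
# by a WSGI server, e.g. `gunicorn --workers 4 --bind 0.0.0.0:8000 wsgi:app`
# (assuming the module is saved as wsgi.py), which imports `app` only.
COMPLIANT_SOURCE = '''
from flask import Flask
app = Flask(__name__)

@app.route("/")
def index():
    return "hello"

if __name__ == "__main__":
    app.run(host="127.0.0.1", port=5000)
'''


def _is_main_guard(node: ast.AST) -> bool:
    """True for an `if __name__ == "__main__":` statement."""
    if not isinstance(node, ast.If) or not isinstance(node.test, ast.Compare):
        return False
    test = node.test
    left_is_name = isinstance(test.left, ast.Name) and test.left.id == "__name__"
    single_eq = len(test.ops) == 1 and isinstance(test.ops[0], ast.Eq)
    right_is_main = (
        len(test.comparators) == 1
        and isinstance(test.comparators[0], ast.Constant)
        and test.comparators[0].value == "__main__"
    )
    return left_is_name and single_eq and right_is_main


def find_dev_server_calls(source: str) -> list[int]:
    """Return line numbers of `<obj>.run(...)` calls that are reachable at import
    time (not nested under a `__main__` guard). An empty list means compliant."""
    tree = ast.parse(source)
    violations: list[int] = []

    def visit(node: ast.AST, guarded: bool) -> None:
        for child in ast.iter_child_nodes(node):
            child_guarded = guarded or _is_main_guard(child)
            if (
                not child_guarded
                and isinstance(child, ast.Call)
                and isinstance(child.func, ast.Attribute)
                and child.func.attr == "run"
            ):
                violations.append(child.lineno)
            visit(child, child_guarded)

    visit(tree, guarded=False)
    return violations


if __name__ == "__main__":
    # Expected: the violating sample reports its app.run() line; the compliant
    # sample reports nothing.
    print("violating:", find_dev_server_calls(VIOLATING_SOURCE))
    print("compliant:", find_dev_server_calls(COMPLIANT_SOURCE))
```

The checker is deliberately narrow: it answers only the question the guideline's description poses (is the development server started in a code path a production import would execute?). A rule written in Pandorian's description field can be this specific, and being specific about the "what" and the "where" is what turns a wording like the example above into findings a reviewer can act on.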

Option B: Import Guidelines

Pandorian supports multiple import sources so you can turn existing documentation into live enforcement immediately:
  • Confluence — import directly from your team’s Confluence pages
  • Markdown files — upload any internal documentation or standards docs
  • Pandorian Catalog — 2,000+ pre-built best practices across Python, JavaScript, TypeScript, Java, Go, Scala, and more
  • Policy as Code — import structured policy definitions directly

Browse or search by language, category, or priority and add guidelines to your organization in one click.

Your first guidelines are set up. Every PR on your selected repositories will now be scanned against them. For advanced usage, see Policy as Code to define where and when specific guidelines are enforced.

Step 3: Review Scan Findings

Once PRs start running, they will be scanned against your guidelines. There are two ways to view findings — per scan or per guideline.

Per Scan: Navigate to the Scans page to see a list of all completed scans, sorted by most recent. Scans containing violations are flagged with a red violations icon. Click a scan to see the non-compliant files, then click a file to expand and view the violation description. Click View Code to see the violation within the code snippet.

Per Guideline: Navigate to the Guidelines page. Any guideline with open violations displays a badge with the violation count. Click the badge to view all violations, and click any violation to view it within the code snippet.

Step 4: Take Action on Violations

View in Context: Click View Code to see the exact violation location with line numbers highlighted and guideline details in the side panel.

Generate Fix Instructions: Click Generate Fix to create a markdown document with full context, step-by-step remediation instructions, and code suggestions. Feed this directly to AI coding tools like GitHub Copilot, Cursor, or Claude to implement fixes.

Create a Jira Ticket: From the violations view, click Create Issue to open a pre-populated Jira ticket containing all open violations for that guideline. See Jira Integration for setup instructions.

Archive: Archive findings that are no longer relevant to exclude them from reporting and future Jira tickets.

Rescan: After updating a guideline or resolving violations, click Rescan to re-trigger the scan on an existing PR with the current set of active guidelines.