What does policy as code review actually mean?

It means your team's review rules live in files the AI reviewer reads on every pull request. Each rule is a markdown file with a YAML frontmatter for scope (path globs, severity, language) and an Instructions section in plain English. Architecture boundaries, security patterns, naming conventions, compliance checks all become version-controlled rules.

Can I scope a rule to a specific folder?

Yes, through the path field. A rule with path: services/payments/** only fires on diffs that touch that folder. Rules inherit Global to Repository to Directory, with directory scoping via path globs. Branch-level scoping is not supported today.

Does Kodus learn from past PR comments?

Yes, through Automatic Rules Generation. Kodus reads 3+ months of historic review comments, clusters the patterns your team enforces by hand, and surfaces them as draft rules. Generated rules are not active by default. You review them and import the ones you want enabled. Updates run weekly after the initial generation.

What can a rule actually do on a PR?

A rule emits a finding with a severity level (low, medium, high, critical). The Policy layer decides what to do with it: by default, Kody posts non-blocking suggestion comments. Optionally, Request Changes makes high or critical findings mark the review as changes-requested. Or Auto-approve when no findings hit the configured floor.

Policy as code review.

Open source AI code review without vendor lock-in. Write your team's review rules as markdown files with a YAML frontmatter. Kodus reads them, scopes them by path or PR shape, and enforces them on every pull request. Same files your IDE already reads (Cursor, Claude Code, Copilot, Windsurf) get picked up automatically.

See policy examples Read the docs

Star the repo · See pricing

policy → pull request // 2 steps

01 Write this rule .kody/rules/no-console-in-prod.md

---
title: "No console.log in production code"
scope: "file"
path: ["src/**/*.ts", "src/**/*.tsx"]
severity_min: "medium"
languages: ["jsts"]
enabled: true
---
## Instructions
Flag any console.log left in production
files. Use the logger module instead.

02 Kody enforces on PR PR #1284 · kody review

src/api/users.ts:42

kody · severity: medium

Console.log statement found in production code. Replace with the project logger, or remove if no longer needed.

rule: no-console-in-prod · .kody/rules/

What it is

Policy as code review is when a team writes its review rules as files the AI reviewer reads on every pull request. The rules live in markdown files (or the dashboard), with a YAML frontmatter for scope and a plain-English instructions section. Architecture constraints, security patterns, naming conventions, and compliance checks become version-controlled rules that run automatically.

Why this matters

Generic AI review misses your team's rules.

Most AI code reviewers run the same generic checks on every codebase. Static analyzers stop at syntax-level patterns. Both miss the rules that actually matter to your team: where the domain boundary is, which decorators are required on PII endpoints, what naming convention repository methods follow. Three things happen when those rules live only in human heads.

Generic AI gives generic feedback

An out-of-the-box reviewer suggests “extract a function” on code that violates a hard architecture rule it has never been told about. The PR looks approved on style and gets merged. The boundary breaks silently.

Static analyzers stop at syntax

ESLint and SonarQube catch syntax patterns. They cannot tell you that the new endpoint forgot the audit-log decorator your compliance team requires, or that the service skipped the domain port and called infrastructure directly. Those rules are semantic, not syntactic.

Tribal knowledge does not scale

Senior engineers carry the rules in their heads and catch violations in PR comments. New hires miss the same things. Reviews become inconsistent depending on who is online. There is no audit trail, no enforcement, no way to onboard a junior on the team's actual standards.

Rules in your repo

You write the rules. Kodus enforces them.

Policies live where every other engineering artifact lives. In version control, on a branch, behind a pull request. Four guarantees ship with the policy layer by default.

01 ━

Markdown files plus instructions

YAML frontmatter for scope (title, path globs, severity, language). A ## Instructions section for the rule body in plain English. No plugin SDK, no AST queries, no XPath.

02 ━

Reuses your IDE rule files

Kodus auto-detects .cursorrules, CLAUDE.md, .windsurfrules, .github/copilot-instructions.md, and a few more. Whatever your team wrote for their IDE works for the AI reviewer too.

03 ━

Inherits Global to Directory

One rule set across the org, repository-level overrides, directory-level via path globs. Five teams in one monorepo run five overlapping rule sets without conflict.

04 ━

Generates rules from PR history

Automatic Rules Generation reads three plus months of your review history, clusters the patterns your team already enforces by hand, and proposes them as draft rules. You review and import the ones you want active.

How it works

Three places rules can live. Same engine reads all of them.

Kodus reads rules from .kody/rules/, from the IDE rule files your team already maintains, and from the Kodus dashboard. All three converge into one rule set on every pull request.

option 01

Markdown files in the repo

Drop a markdown file under .kody/rules/ (or rules/ at the repo root). YAML frontmatter for scope, a ## Instructions section for the rule body.

---
title: "PII endpoints need @AuditLog"
scope: "file"
path: ["src/api/users/**"]
severity_min: "high"
---
## Instructions
Block endpoints touching personal
data without the @AuditLog decorator.

option 02

Your existing IDE rule files

Kodus auto-detects rule files your team already keeps for IDEs and agentic coding tools. Same content, two consumers (the IDE and the AI reviewer).

# Auto-detected:
.cursorrules
CLAUDE.md
.windsurfrules
.github/copilot-instructions.md
.sourcegraph/**/*.rule.md
.aider.conf.yml

option 03

Dashboard at app.kodus.io

Author rules in the web UI under Code Review Settings → Repository → Kody Rules. Browse the Discovery Rules library and import presets (Security, Maintainability, Testing) with one click.

# Discovery Rules categories
Security
Maintainability
Style conventions
Testing
Performance
Custom (your own)

Policy categories

Six kinds of rules, all the same syntax.

Architecture boundaries, security patterns, API contracts, performance traps, naming conventions, compliance checks. Each one is a markdown file with a path glob and a severity floor. Real shapes below, all valid Kody Rule frontmatter.

architecture

Layer boundaries

Domain layer cannot import from infrastructure layer. Anything that crosses must go through a port.

path: src/domain/** · severity_min: high

security

Required decorators on PII

All endpoints handling personal data must use the @AuditLog decorator. Flag the PR with a critical severity finding.

path: src/api/users/** · severity_min: critical

api contracts

Public surface, public contract

Public methods in services must have OpenAPI annotations. Surface as a medium-severity suggestion when missing.

path: src/services/** · severity_min: medium

performance

No N+1 in hot paths

No N+1 query patterns in route handlers. Flag any loop that issues a query inside another iteration.

path: routes/api/** · severity_min: high

style conventions

Repository method prefixes

Repository methods must follow findBy, getBy, or listBy prefixes. Surface as a low-severity rename suggestion.

path: **/repositories/** · severity_min: low

testing

New endpoints need tests

When a new API route is added, ensure corresponding tests are included in the PR.

scope: pull_request · severity_min: high

Inheritance

Global to Repository to Directory. Same engine.

Rules inherit down three levels. A global rule covers every repo. A repository rule overrides for that repo. A directory-scoped rule (via path globs) overrides for that folder. One markdown file per rule, one engine reading all of them.

monorepo/ · rule files scoped by path globs

monorepo/
└── .kody/rules/
    ├── no-console-in-prod.md      path: src/**/*.ts
    ├── domain-import-guard.md     path: src/domain/**
    ├── audit-log-on-pii.md        path: src/api/users/**
    ├── api-needs-openapi.md       path: services/**/*.ts
    ├── new-endpoint-needs-tests.mdscope: pull_request
    └── no-direct-db-in-routes.md  path: routes/api/**

Path globs do the per-team scoping. A rule with path: services/payments/** only fires on diffs that touch that folder. A rule with scope: "pull_request" looks at PR-level metadata (title, files changed, author) instead of file diffs.

What the bill looks like

Two invoices. One difference.

Bundled-vendor pricing hides what the inference actually costs. BYO LLM splits the bill cleanly: orchestration on one side, inference on the other, both audited by you. Example below uses a 50-developer team on annual rates, running ~30 PRs per developer per month on Claude Sonnet 4.6.

Bundled vendor INV-2026-04 · CodeRabbit Pro (annual)

50 seats · Pro · $48/dev $2,400.00

Inference (bundled) hidden in seat fee

Markup on inference unknown

Monthly total $2,400.00

Inference cost is folded into the per-seat price. You cannot tell what the model actually costs or what margin sits on top. Monthly billing pushes this to $3,000 ($60/dev).

Kodus BYO INV-2026-04 · Kodus + your Anthropic account

50 seats · Teams · $8/dev annual $400.00

Inference (Anthropic, passthrough) $418.20

Markup on inference $0.00

Monthly total $818.20

Two invoices, two providers, two line items you can take to finance. The inference invoice comes from Anthropic with your seat count, your token usage, your spend cap.

Monthly delta in this example − $1,581.80 66% lower at annual rates, even bigger at monthly billing. And the inference number is yours to optimize (Haiku for triage, Sonnet for review, internal vLLM for the sensitive repos).

Numbers above use public list pricing as of 2026-05 on annual prepay: CodeRabbit Pro at $48/dev/month (or $60/dev/month if billed monthly), Kodus Teams at $8/dev/month (or $10/dev/month if billed monthly), Anthropic Claude Sonnet 4.6 at list passthrough rates. Inference estimate assumes ~3.5k input + ~600 output tokens per PR review across 1,500 reviewed PRs/month. Your bill will vary with model choice, PR size, and rule depth. Talk to us for a real estimate against your repo history.

Cost calculator

Run the math on your team.

Three pre-computed scenarios across team size and model class. Pick the one closest to your shape. Numbers use public list pricing on annual prepay for both vendors, with Anthropic passthrough rates for the inference side.

Cost-optimized 10 devs · Haiku 4.5 Balanced 50 devs · Sonnet 4.6 Scale 200 devs · Sonnet 4.6

CodeRabbit Pro $480/mo 10 seats × $48 (annual prepay)

Kodus BYO $102/mo $80 seats + $22 Haiku 4.5 inference

Monthly delta − $378/mo 79% lower · ~$4.5k/yr saved

Smaller team, fast triage on Haiku. Inference is so cheap it almost vanishes against seats.

CodeRabbit Pro $2,400/mo 50 seats × $48 (annual prepay)

Kodus BYO $818/mo $400 seats + $418 Sonnet 4.6 inference

Monthly delta − $1,582/mo 66% lower · ~$19k/yr saved

Mid-sized team on Sonnet for balanced reasoning depth. This is the receipt comparison shown above.

CodeRabbit Pro $9,600/mo 200 seats × $48 (annual prepay)

Kodus BYO $3,272/mo $1,600 seats + $1,672 Sonnet 4.6 inference

Monthly delta − $6,328/mo 66% lower · ~$76k/yr saved

Larger org. Same model class, 4x the PR volume. Annual savings buys a senior eng FTE.

All scenarios assume ~30 PRs per developer per month with ~3.5k input + ~600 output tokens per PR review on Anthropic list pricing. CodeRabbit Pro at $48/dev/month annual prepay ($60/dev/month monthly). Kodus Teams at $8/dev/month annual prepay ($10/dev/month monthly). Real numbers will vary with model choice, PR size, and rule depth. Reach out for a quote based on your actual repo history.

how kody reviews

From PR opened to inline comments. Four stages, the model you brought.

Deterministic pipeline. Real components in the repo, no marketing-ware. Click any stage to read the source.

01 / 04

intake

Trigger from your Git host or the CLI.

Webhooks come in from GitHub, GitLab, Bitbucket, and Azure DevOps. Self-managed flavors work the same way: GitHub Enterprise Server, GitLab Self-Managed, Bitbucket Data Center. Or skip the Git host entirely and trigger reviews from the Kodus CLI in your dev loop or CI.

CLI · webhooks

02 / 04

context

Kody builds the picture before it writes anything.

A sandbox is provisioned for the review (local on your box, hosted on E2B, or skipped entirely if you don't want one). Kody reads the diff, walks the code structure, and pulls in your Kody Rules and linked tickets. Everything assembled, then it starts looking for problems.

sandbox · your choice code graph your rules + tickets

03 / 04

review

One reviewer by default. Four specialists when you ask for it.

In normal mode Kody runs as a single generalist reviewer that covers logic, security, and performance in one pass, plus your Kody Rules agent if you have rules configured. Switch the review to deep mode and three dedicated specialists go in parallel instead. Same model you brought, same sandbox.

Generalist

default · logic, security, and performance in one agent

KodyRules

enforces your team's custom rules and conventions

Bug / Security / Performance

deep mode · three specialists run in parallel

BYO LLM

every agent uses the provider you set in .env

findings collapse by semantic similarity · ranked critical / high / medium / low

04 / 04

output

Findings come back on the PR or in the CLI.

When the review starts on a PR, Kody posts line-anchored inline comments and sets approve or request-changes status, right next to the rest of your CI. When it starts from the CLI, the same findings stream back to your terminal as structured output you can pipe, fail builds on, or feed into another tool.

                42  function isTenantAllowed(req) {
                43    if (typeof req.query.orgId !== 'string') return false;
                43    const raw = req.query.orgId;
                44    if (typeof raw !== 'string' || !UUID.test(raw)) return false;
                45    return tenants.has(raw);
                46  }
              

The original guard accepted any string-shaped orgId and let an unrelated tenant's UUID through. Narrow with the UUID regex before the lookup, otherwise the route leaks cross-tenant rows under /api/cockpit?orgId=....

// HOW KODY REVIEWS

From PR to inline comments.

Webhook lands, sandbox spins up, AST graph builds, context loads from your tools, four specialized agents review in parallel, dedup runs, comments post back. All inside your network. Reference: libs/code-review/pipeline/.

kody.engine · live review RUNNING

$pr #1247 received · branch feat/auth-guard-tiergithub ✓context pack assembled ├─ sandbox up e2b ├─ ast graph built (12 files)kodus-graph └─ context loaded jira KOD-301 + 3 docspgvector $dispatching 4 agents in parallel ├─ BugAgent investigatingclaude-sonnet-4.6 ├─ SecurityAgent investigatingclaude-sonnet-4.6 ├─ PerformanceAgent investigatingclaude-sonnet-4.6 └─ KodyRulesAgent investigatingclaude-sonnet-4.6 ✓23 raw findings → 18 after dedup ├─ 3 critical ├─ 7 high ├─ 6 medium └─ 2 low $posting inline comments... ✓6 comments posted · status REQUEST_CHANGES completed in 47s · all inside your network

hover to pause · loops every 22s libs/code-review/pipeline/ · agents in libs/code-review/infrastructure/agents/

A · INTAKE pull request received apps/webhooks

webhook

github · gitlab · azure · bitbucket → enqueued on rabbitmq for the worker.

B · CONTEXT PACK facts assembled for review libs/code-review/pipeline/stages

sandbox

e2b vm spins up. readFile, listDir, bash, run-cmd. agents get a real shell, not a string buffer.

ast graph

kodus-graph parses changed files + their call graph. caller/callee relations emit as xml.

context loader

pgvector rag pulls kody rules, conventions, linked jira / linear / docs into the prompt.

deterministic order · sandbox is reused across reviews via lease

C · AGENTS · PARALLEL four specialists investigate infrastructure/agents

BugAgent

logic · edge cases · null safety · race conditions

SecurityAgent

authz · injection · secrets · xss · idor

PerformanceAgent

n+1 · hot loops · allocations · algorithms

KodyRulesAgent

your team rules · architecture · conventions

each agent runs its own llm loop with sandbox tools · byo provider · openai / anthropic / google / groq / cerebras / any openai-compatible

D · DEDUP + RANK noise out, signal ranked agent-review.stage.ts

semantic dedup · severity rank

findings from all four agents collapsed by similarity. coverage ledger forces every changed file to be touched. results graded critical · high · medium · low.

E · OUTPUT comments back on the pr create-file-comments.stage.ts

inline comments + pr status

line-anchored comments via the git provider's native api. status: approve or request-changes. github checks line up next to your other ci.

resource minimum recommended

CPU 2+ cores 4+ for repos >100k LOC

RAM 8 GB 16 GB with local sandbox

DISK 60 GB grows with PR volume

OS Any Docker host Linux preferred

NET Domain or fixed IP for Git webhooks

PHONE Anonymous heartbeat opt-out via env

Supported providers

14+ providers. One config shape.

Run code review with Claude Sonnet 4.6, GPT-5.1, Gemini 2.5 Pro, Llama 3.3, Kimi K2, GLM 4.6, or any OpenAI-compatible endpoint you operate. Three env vars and the agent talks to any of them. Frontier models, speed-tuned inference, open weights. Same code path on every side.

Frontier claude-opus-4-7 claude-sonnet-4-6 gpt-5.1 gemini-2.5-pro

Speed / cost claude-haiku-4-5 groq llama-3.3-70b cerebras qwen3-coder together-ai fireworks

Open weights llama-3.3 mistral-large kimi-k2 glm-4.6 deepseek-v3

Local / self-hosted vLLM Ollama TGI LiteLLM gateway + any OpenAI-compatible

OpenAI

Anthropic

Gemini Local

# Same 3 vars for every provider.
# Swap the base URL, swap the model, you are done.
API_OPENAI_FORCE_BASE_URL="https://api.openai.com/v1"
API_OPEN_AI_API_KEY="sk-..."
API_LLM_PROVIDER_MODEL=gpt-5.1

# Anthropic exposes an OpenAI-compatible endpoint.
API_OPENAI_FORCE_BASE_URL="https://api.anthropic.com/v1"
API_OPEN_AI_API_KEY="sk-ant-..."
API_LLM_PROVIDER_MODEL=claude-sonnet-4-6

# Gemini exposes an OpenAI-compatible endpoint.
API_OPENAI_FORCE_BASE_URL="https://generativelanguage.googleapis.com/v1beta/openai"
API_OPEN_AI_API_KEY="..."
API_LLM_PROVIDER_MODEL=gemini-2.5-pro

# Same 3 vars. Point at your own gateway.
# vLLM, Ollama, LiteLLM, TGI, any OpenAI-compatible server.
API_OPENAI_FORCE_BASE_URL="http://llm.internal.your-co/v1"
API_OPEN_AI_API_KEY="sk-local-anything"
API_LLM_PROVIDER_MODEL=your-local-model

One config shape. The base URL is the switch. Kody never knows which vendor is on the other end.

Audit and governance

Policy changes are git history.

Every rule change ships through the same PR flow as your application code. Every enforcement decision is logged with a rule id and a verdict. Compliance auditors get an export, not a screenshot.

versioning

Policies live in git

Rules are files in your repo. Changing a rule is a pull request, with reviewers, with diff history, with blame. Roll back a bad policy the same way you roll back any other code change.

decision log

Every enforcement is logged

Rule id, file path, line, verdict (block, warn, suggest), PR author, timestamp. Queryable through the dashboard or via API. Filter by rule, by author, by time window.

exportable

Built for auditors

CSV or JSON export of the enforcement log over any date range. Map rules to SOC 2, PCI-DSS, HIPAA controls. Show your auditor a real artifact, not a slide deck claim.

Policy review vs alternatives

Most reviewers run the same checks on every codebase.

Static analyzers (SonarQube, Codacy) catch syntactic patterns. AI reviewers (CodeRabbit, Sourcery) lean on generic best practices. Both miss the rules that are specific to your team. Here is how the five tools stack on the eight things that matter for policy-driven review.

Verdict

Only tool that reuses your IDE rule files and generates rules from past PRs.

Kodus 9 / 9

CodeRabbit 5 / 9

SonarQube 4 / 9

Codacy 3 / 9

Sourcery 3 / 9

Capability	Kodus	CR CodeRabbit	SQ SonarQube	CY Codacy	SC Sourcery
Rule authoring
Write rules in plain English	Yes	Path instructions	Java + XPath	Pattern config	Pattern + replacement
Policy lives in the repo	.kody/rules/*.md	.coderabbit.yaml	sonar-project.properties	.codacy.yml	.sourcery.yaml
Reuses IDE rule files (Cursor, Claude, Copilot)	Auto-detected	Manual pointer	No	No	No
Generates versioned rules from past PRs	Auto Rules Generation	Learnings (vector DB)	No	No	No
Scope and teams
Per-folder granularity	Yes, stacked	Path filters	Project-level	Project-level	Per-rule paths
Multi-team policies in one repo	Yes	Single ruleset	Single ruleset	Single ruleset	Single ruleset
Audit and access
Versioned audit trail	Exportable log	Dashboard log	Server log	Partial	Partial
Open source agent	AGPLv3	No	Community Edition	No	No
Free hosted option	Yes	Trial	SonarCloud (OSS)	Free for OSS	Free for OSS

Notes. CodeRabbit Learnings remembers past PR feedback in their vector DB; Kodus Automatic Rules Generation surfaces drafts you import as markdown in .kody/rules/, so the audit trail is git. IDE rule auto-detection (Cursor, Claude Code, Copilot, Windsurf) is a Kodus exclusive on this peer set. Open source column counts the review agent itself, not the company.

Where policies pay off

For teams whose rules are not in a style guide.

Regulated industries and multi-team engineering orgs cannot rely on tribal knowledge to enforce review standards. Four shapes of team where versioned policies replace inconsistent human review.

fintech · pci-dss

PCI-DSS code review patterns

Payment processing code carries explicit compliance constraints (no logging of full PAN, tokenization on entry, audit on every read). Each one is a markdown rule with a path glob and a critical severity floor.

title: "No card numbers in logs"
path: ["src/payments/**"]
severity_min: "critical"

healthcare · hipaa

HIPAA-aware patterns

PHI handling requires explicit access checks and audit logging on every read path. Generic AI review will not know that. A rule file will.

title: "PHI reads need @AuditAccess"
path: ["src/patient/**"]
severity_min: "critical"

government · zero-trust

Zero-trust enforcement

Every cross-service call has to carry an identity token. No service-to-service trust by IP, no fallthrough auth. Flag the PR if a client call drops the authenticated context.

title: "Service clients need auth"
path: ["src/services/**/client.ts"]
severity_min: "high"

multi-team saas · ownership

Ownership and boundary enforcement

Five teams in one monorepo. Each owns a service folder. Each ships rules scoped to their path. The platform team owns the shared API contract rules across the boundary.

title: "No cross-team imports"
path: ["services/team-a/**"]
severity_min: "high"

FAQ

kodus-policy-faq(1) bash

KODUS-FAQ(1) Policy as Code Review KODUS-FAQ(1)

It means your team's review rules live in files the AI reviewer reads on every pull request. Each rule is a markdown file with a YAML frontmatter for scope (path globs, severity, language) and a ## Instructions section in plain English. Architecture boundaries, security patterns, naming conventions, compliance checks all become version-controlled rules. The rules stop being tribal knowledge in senior engineers' heads. They become a real artifact, in the repo, alongside the code.

Generic AI feedback applies the same checks to every codebase. Kody Rules are specific to your team. Generic AI will suggest extracting a function. A Kody Rule will flag a PR with a critical severity finding because the domain layer imported from infrastructure, which violates your architecture rule. Both run, both add value, but only one knows your team's actual standards.

Two locations work out of the box: .kody/rules/**/*.md or rules/**/*.md. Each file is one rule. Kodus also auto-detects rule files your team already keeps for IDEs and agentic tools (.cursorrules, CLAUDE.md, .windsurfrules, .github/copilot-instructions.md, .sourcegraph/**/*.rule.md, .aider.conf.yml). If you do not want files in the repo at all, author rules in the dashboard at app.kodus.io. All three sources merge into one rule set per pull request.

YAML frontmatter plus a markdown instructions section. Required frontmatter fields: title, scope ("file" or "pull_request"), path (array of globs), severity_min (low, medium, high, critical). Optional: languages, buckets, enabled. The body after the frontmatter is a ## Instructions heading followed by free-form English describing the rule. No DSL to learn.

Yes, through the path field. A rule with path: ["services/payments/**"] only fires on diffs that touch that folder. Rules inherit Global → Repository → Directory, with directory scoping done via path globs in single rule files. Monorepos with five teams run five overlapping rule sets without conflict. Branch-level scoping is not supported today.

Yes, through Automatic Rules Generation. Kodus reads three plus months of historic review comments, clusters the patterns your team enforces by hand, and surfaces them as draft rules in the dashboard. Generated rules are not active by default. You review the drafts, edit if needed, and import the ones you want enabled. Updates run weekly after the initial generation.

Yes, twice over. Rule files live in git, so every change is a commit with author, reviewer, diff, and timestamp. Every finding generated by a rule is logged in the dashboard with the rule id, file, severity, PR author, and timestamp. The audit log is exportable as CSV or JSON for compliance reviews.

A rule emits a finding with a severity level (low, medium, high, critical). What happens with the finding depends on the Policy layer: by default Kody posts non-blocking suggestion comments. Optionally, you can turn on Request Changes so high or critical findings mark the review as changes-requested. Or Auto-approve when no findings hit the configured severity floor. Severity comes from the rule, action comes from the policy.

SonarQube custom rules require a Java plugin or XPath expressions, apply at the project level, and stop at syntactic patterns. Kody Rules are markdown files with plain-English instructions, scope by path glob, and run semantic checks (an AI reviewer reading the rule, not a regex). You can run both: SonarQube for static analysis, Kodus for the rules your team actually argues about in code review.

Yes. Discovery Rules is a curated library inside the Kodus dashboard. Filter presets by severity, language, or tag (Security, Maintainability, Style conventions, Testing, Performance). Import the ones you want with one click and edit them like any other rule. Examples shipped today include “disallow MD5 hashing” and “React components under 150 lines.” Docs at docs.kodus.io have the full reference for Kody Rules.

Ship it

Write the rule. Ship the enforcement.

Drop a markdown file under .kody/rules/ in your repo. YAML frontmatter for scope, plain-English instructions for the rule body. Kodus reads it on every PR.

See pricing See policy examples

Read the Kody Rules docs Star kodus-ai on GitHub