How does Qodex decide to review a PR?
Qodex reviews a PR only after it decides the GitHub event is actionable and the repository is linked to a Qodex project. Then it reads repo config, reviews the diff, filters findings, optionally verifies them, and posts the result back to GitHub.
Review decision flow
- GitHub sends a pull_request event to Qodex.
- Qodex verifies the webhook signature.
- Qodex checks whether the action should trigger review.
- Qodex finds projects linked to the repository.
- Draft PRs are skipped until ready for review.
- Qodex reads .qodex.yaml from the PR head SHA.
- Qodex reviews the diff and creates candidate findings.
- Findings are filtered by confidence, severity threshold, and excluded paths.
- Findings inside the diff become inline comments.
- Findings outside the diff appear in the walkthrough.
- Verification probes may run against an allowed preview host.
- Qodex posts the walkthrough, inline comments, and Check Run conclusion.
Events that trigger review
Qodex reviews:
- opened
- synchronize
- reopened
- @qodex review slash commands
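The first gates of the decision flow, as an added example that is not Qodex's code: it verifies GitHub's X-Hub-Signature-256 HMAC over the raw request body, then checks event type, action and draft state. The secret, sample payload and function names are constructed for illustration, and project linking and the @qodex review slash command path are not covered.

```python
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Actions this page lists as review triggers.
REVIEW_ACTIONS = {"opened", "synchronize", "reopened"}


def sign(secret: bytes, body: bytes) -> str:
    """Build the header value GitHub sends: HMAC-SHA256 of the raw body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def signature_valid(secret: bytes, body: bytes, header: Optional[str]) -> bool:
    """Compare the received X-Hub-Signature-256 header with our own HMAC."""
    if not header or not header.startswith("sha256="):
        return False
    # Constant-time comparison; bytes so non-ASCII input cannot raise.
    return hmac.compare_digest(sign(secret, body).encode(), header.encode())


def should_review(secret: bytes, headers: dict, body: bytes) -> Tuple[bool, str]:
    """Return (review?, reason). The body is not parsed until the HMAC passes."""
    # Assumption: header names arrive in GitHub's canonical casing.
    if not signature_valid(secret, body, headers.get("X-Hub-Signature-256")):
        return False, "bad signature"
    if headers.get("X-GitHub-Event") != "pull_request":
        return False, "not a pull_request event"
    try:
        payload = json.loads(body)
    except ValueError:
        return False, "malformed payload"
    pr = payload.get("pull_request") if isinstance(payload, dict) else None
    if not isinstance(pr, dict):
        return False, "malformed payload"
    if payload.get("action") not in REVIEW_ACTIONS:
        return False, "action does not trigger review"
    if pr.get("draft"):
        return False, "draft PR"
    return True, "review"


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed value, not a real secret
    body = json.dumps({"action": "opened", "pull_request": {"draft": False}}).encode()
    hdrs = {"X-GitHub-Event": "pull_request", "X-Hub-Signature-256": sign(secret, body)}
    print(should_review(secret, hdrs, body))
    print(should_review(secret, hdrs, body + b" "))  # body altered after signing
```

The signature is computed over the exact bytes received, so a handler that re-serializes the JSON before checking will reject valid deliveries.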
Settings that matter most
| Setting | What it controls |
|---|---|
| pr_review.enabled | Whether Qodex reviews the repo. |
| pr_review.severity_threshold | Which findings appear. |
| pr_review.paths.exclude | Which changed files are ignored. |
| pr_review.block_pr_merge | Whether the Check Run can fail. |
| pr_review.block_on_severity | Which verified severity blocks. |
| probes.preview_host_allowlist | Which preview hosts Qodex may probe. |
Check Run behavior
By default, Qodex is advisory. If merge blocking is enabled and branch protection requires the Qodex Check Run, verified findings at or above the configured severity can block a merge.
Next steps
How a review fires
See the full PR review lifecycle.
Inline findings
Learn how comments are placed.
Check Run and merge gating
Configure merge protection.
.qodex.yaml reference
Control review behavior per repo.