Configuration
Veriva works with zero configuration — install the GitHub App and the full ten-stage pipeline runs against every PR with sensible defaults. For repo-level overrides, add a .veriva.yml file at the repo root. For policy-grade extensions, see Hooks.
Two configuration surfaces
.veriva.yml is for analysis tuning — what to skip, which rule IDs to downgrade, where to look. In-repo hooks at .veriva/rules/*.yml are for governance — deny rules, custom checks, webhooks. Use the right one for the right job.
Creating a config file
Use the CLI to generate a starter config:
veriva config init
This creates a .veriva.yml in your project root with all available options commented out.
Full reference
version: 1
analysis:
  # Skip the AI Review stage (stage 4) — runs deterministic stages only.
  # Useful for faster CI runs or for repos where you want signal from
  # static rules only.
  skip_ai_review: false
  # Skip the Deep Audit stage (stage 6) even when triggered.
  # Cuts cost on repos where deep-audit passes are overkill.
  skip_deep_audit: false
  # File paths to exclude from analysis (glob patterns).
  ignore_paths:
    - "*.test.ts"
    - "*.spec.ts"
    - "**/__tests__/**"
    - "vendor/**"
    - "dist/**"
    - "*.generated.ts"
  # Override severity for specific rules.
  # Useful for suppressing rules that don't apply to your project.
  severity_overrides: {}
  # Example:
  # severity_overrides:
  #   AI-001: LOW    # Downgrade "suspicious identifier" to LOW
  #   SEC-009: INFO  # Downgrade specific security rule
  # Override the default model routing for this repo.
  # See /docs/models for valid slot names and model IDs.
  model_routing: {}
  # Example:
  # model_routing:
  #   layer2.standard: us.anthropic.claude-haiku-4-5-20251001
  #   deepAudit: us.anthropic.claude-opus-4-7
merge_gate:
  # Override the org-level merge policy for this repo.
  # One of: ADVISORY, WARN, STANDARD, STRICT, LOCKED.
  # See /docs/merge-policy for what each tier means.
  mode: STANDARD
Options
analysis.skip_ai_review
| Type | boolean |
| Default | false |
When true, skips stages 4 (AI Review), 5 (Cross-check), and 6 (Deep Audit). The pipeline runs Sanitize, Pre-ingest, Enrich, Static, Auto-fix, Merge Gate, Explain only — fast and cheap, but misses anything pattern matching can't catch.
analysis.skip_deep_audit
| Type | boolean |
| Default | false |
When true, never runs Deep Audit even when triggered by CRITICAL findings or Cross-check disputes. Cuts deep-audit cost; the trade-off is that more false positives slip through to the merge gate.
analysis.ignore_paths
| Type | string[] (glob patterns) |
| Default | [] |
File paths matching these patterns are excluded from analysis. Uses standard glob syntax. Common patterns to exclude:
- *.test.ts, *.spec.ts — test files
- **/__tests__/** — test directories
- vendor/**, dist/** — vendored and build output
- *.generated.ts — auto-generated code
- migrations/** — database migrations
analysis.severity_overrides
| Type | Record<string, Severity> |
| Default | {} |
Override the severity of specific rules. The key is the rule ID and the value is the new severity level. Valid severities:
- CRITICAL — Must fix before merging (blocks under STANDARD+)
- HIGH — Should fix before merging (blocks under STANDARD+)
- MEDIUM — Should fix soon (blocks under STRICT+)
- LOW — Nice to fix
- INFO — Informational only
List all rules
Run veriva rules to see all available rule IDs and their default severities.
analysis.model_routing
| Type | Record<string, string> |
| Default | org default |
Override the model used for any pipeline slot. Available on Scale and Enterprise. Slot names and the default routing live in Models.
merge_gate.mode
| Type | "ADVISORY" | "WARN" | "STANDARD" | "STRICT" | "LOCKED" |
| Default | org default |
Override the org-level merge policy tier for this repo. The tier decides what gets blocked. See Merge Policy for the full semantics of each tier and how deny rules layer on top.
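Because skip flags, ignore patterns, severity overrides and the merge tier all reduce what a PR is checked against, a change to .veriva.yml deserves the same review as a code change. The following is an added example, not part of Veriva or its documentation: it compares the base-branch and PR versions of a parsed config and lists every setting that was relaxed. The function name loosened, the sample configs, and the STANDARD fallback used when the base has no merge_gate.mode are assumptions.

```python
# Orderings follow the lists on this page, weakest first.
TIERS = ["ADVISORY", "WARN", "STANDARD", "STRICT", "LOCKED"]
SEVERITIES = ["INFO", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


def loosened(base: dict, head: dict) -> list:
    """Findings for settings that head relaxes relative to base (parsed YAML)."""
    findings = []
    b_an = base.get("analysis") or {}
    h_an = head.get("analysis") or {}

    # false -> true drops pipeline stages from every run.
    for key in ("skip_ai_review", "skip_deep_audit"):
        if h_an.get(key, False) and not b_an.get(key, False):
            findings.append(f"analysis.{key} enabled")

    # Each new glob removes files from analysis.
    known = set(b_an.get("ignore_paths") or [])
    for pattern in h_an.get("ignore_paths") or []:
        if pattern not in known:
            findings.append(f"ignore_paths added: {pattern}")

    # A rule's default severity is not in the file (`veriva rules` lists it),
    # so a new override is reported as-is; a changed one only when lowered.
    b_sev = b_an.get("severity_overrides") or {}
    for rule, sev in (h_an.get("severity_overrides") or {}).items():
        old = b_sev.get(rule)
        if old is None:
            findings.append(f"{rule} newly overridden to {sev}")
        elif SEVERITIES.index(sev) < SEVERITIES.index(old):
            findings.append(f"{rule} lowered {old} -> {sev}")

    # Assumption: no mode in base means compare against STANDARD (org default unseen).
    b_mode = (base.get("merge_gate") or {}).get("mode") or "STANDARD"
    h_mode = (head.get("merge_gate") or {}).get("mode")
    if h_mode and TIERS.index(h_mode) < TIERS.index(b_mode):
        findings.append(f"merge_gate.mode lowered {b_mode} -> {h_mode}")
    return findings


# Constructed sample: base-branch config and the config proposed in a PR.
BASE = {"analysis": {"ignore_paths": ["vendor/**", "dist/**"],
                     "severity_overrides": {"AI-001": "MEDIUM"}},
        "merge_gate": {"mode": "STRICT"}}
HEAD = {"analysis": {"skip_deep_audit": True,
                     "ignore_paths": ["vendor/**", "dist/**", "src/**"],
                     "severity_overrides": {"AI-001": "LOW", "SEC-009": "INFO"}},
        "merge_gate": {"mode": "WARN"}}
print("\n".join(loosened(BASE, HEAD)))
```

The result reflects only the file: dashboard settings that take precedence over .veriva.yml are not visible to this check.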
Precedence
Configuration is applied in this order (later overrides earlier):
- Veriva defaults
- Org-level settings in the dashboard
- .veriva.yml in the repository root
- Per-repo overrides in the dashboard
Some org rules can't be overridden
.veriva.yml says.