GitHub Integration
Veriva integrates with GitHub as a GitHub App. Once installed, it automatically analyzes every pull request and reports findings via check runs and optional inline comments.
Installation
- Go to your Veriva Dashboard
- Click Add Repositories
- You'll be redirected to GitHub to install the Veriva App
- Choose which repositories to grant access to
- Confirm and you're done — analysis starts on the next PR
Permissions required
| Permission | Access | Why |
|---|---|---|
| Repository contents | Read & Write | Read code for analysis; write is reserved for user-approved fix branches |
| Pull requests | Read & Write | Read PR metadata, post review comments |
| Check runs | Read & Write | Create and update check run results |
| Workflows | Read & Write | Reserved for explicit workflow-file fixes; never used for default-branch commits |
What happens on a pull request
When a PR is opened, updated (new commits pushed), or reopened, Veriva runs the ten-stage governance pipeline. All ten stages execute synchronously on every push (p95 of 90s from push to check run); a post-merge outcome loop runs 14 days after merge to feed the learning loop.
What the pipeline catches in deterministic stages:
- Hardcoded credentials and secrets
- SQL injection, command injection, XSS vulnerabilities
- Hallucinated packages (slopsquatting) — validated against npm, PyPI, and other registries
- AI-generated code patterns (redundant comments, repetitive error handling)
- Disallowed dependency licenses (configurable allow-list per org)
- Regex denial-of-service (ReDoS) patterns
What the AI stages catch:
- Logic errors and missing validation that pattern matching can't see
- Architectural concerns informed by the repo profile and author history
- Disputed findings demoted by Cross-check (stage 5) when models disagree
- Critical issues re-validated by Deep Audit (stage 6) on Opus
Check runs
Results appear as a GitHub check run on the PR. The check run shows:
- Finding counts by severity (critical, high, medium, low)
- Per-stage badges showing which stage produced each finding
- Merge policy decision (which deny rule, if any, blocked the merge)
- Link to the full report on the Veriva dashboard
The check run conclusion comes directly from your merge policy — see the Merge Gate stage:
| Conclusion | When |
|---|---|
| Success | No block conditions matched under your policy tier |
| Neutral | Warn tier with findings present |
| Failure | Block condition matched — severity threshold or deny rule |
Require Veriva checks
Inline PR comments (Pro and above)
On Pro plans and above, Veriva posts inline comments directly on the PR's changed files. Comments are posted on the specific lines where findings were detected, making it easy to see issues in context.
Each comment includes:
- Severity and rule ID
- Description of the issue
- Suggested fix (when available)
- Link to the full finding on the dashboard
Up to 20 inline comments are posted per PR, sorted by severity (critical first). A summary review comment is always posted with the full score breakdown.
Re-running analysis
You can re-run Veriva analysis at any time:
- Push new commits — analysis re-runs automatically on every push
- Click "Re-run" on the check run in the GitHub Checks tab
- From the CLI — run `veriva analyze --pr 123`
Webhook events
The Veriva GitHub App listens to these webhook events:
| Event | Action |
|---|---|
| pull_request.opened | Start analysis on new PR |
| pull_request.synchronize | Re-analyze when new commits are pushed |
| pull_request.reopened | Re-analyze reopened PR |
| pull_request.ready_for_review | Analyze PRs after draft mode ends |
| pull_request.closed | Update PR status to merged/closed |
| push | Refresh repo intelligence on default-branch activity when audit cadence is due |
| repository | Sync repository rename, archive, delete, visibility, and creation events |
| check_run.rerequested | Re-run analysis when user clicks Re-run |
| installation.created | Set up organization and repositories |
| installation.deleted | Clean up organization data |
| installation_repositories | Sync repository list on add/remove |
Rate limits and deduplication
Veriva handles GitHub API rate limits automatically with exponential backoff and retries. Rapid pushes to the same PR are deduplicated — only the latest commit triggers analysis.
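As an added illustration (not Veriva's own code), here is a minimal receiver for the webhook event table above that also applies the deduplication rule from this section: it verifies GitHub's X-Hub-Signature-256 header before parsing the body (how the App authenticates deliveries is an assumption, not something this page states), routes only the (event, action) pairs that trigger analysis, and keeps a single pending job per PR so that only the latest head commit is analyzed. The repository name, PR number, SHAs and secret are constructed sample values.

```python
import hashlib
import hmac
import json

# (event, action) pairs from the table above that start or re-run analysis
ANALYSIS_TRIGGERS = {("pull_request", "opened"), ("pull_request", "synchronize"),
                     ("pull_request", "reopened"), ("pull_request", "ready_for_review"),
                     ("check_run", "rerequested")}

def verify_signature(secret: bytes, body: bytes, header: str) -> bool:
    """Constant-time check of GitHub's X-Hub-Signature-256 header ('sha256=<hex>')."""
    expected = "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, header or "")

class AnalysisQueue:
    """One pending job per PR: a newer push replaces the older head SHA (dedup)."""
    def __init__(self) -> None:
        self.pending: dict[tuple[str, int], str] = {}

    def handle(self, secret: bytes, event: str, body: bytes, header: str) -> str:
        if not verify_signature(secret, body, header):
            return "rejected: bad signature"  # never parse an unauthenticated body
        payload = json.loads(body)
        action = payload.get("action", "")
        if (event, action) not in ANALYSIS_TRIGGERS:
            return f"ignored: {event}.{action}"
        if event == "check_run":  # Re-run button: PR number and SHA live on the check run
            number = payload["check_run"]["pull_requests"][0]["number"]
            head = payload["check_run"]["head_sha"]
        else:
            number = payload["pull_request"]["number"]
            head = payload["pull_request"]["head"]["sha"]
        self.pending[(payload["repository"]["full_name"], number)] = head
        return f"queued: #{number}@{head[:7]}"

def pr_payload(action: str, sha: str) -> dict:
    """Constructed minimal pull_request payload for repo acme/api, PR 123."""
    return {"action": action, "repository": {"full_name": "acme/api"},
            "pull_request": {"number": 123, "head": {"sha": sha}}}

def demo() -> dict:
    """Two rapid pushes to PR 123 leave one job for the latest SHA; a bad signature is dropped."""
    secret, queue, results = b"constructed-webhook-secret", AnalysisQueue(), []
    for action, sha, signer in [("opened", "a" * 40, secret), ("synchronize", "b" * 40, secret),
                                ("closed", "b" * 40, secret), ("synchronize", "c" * 40, b"wrong")]:
        body = json.dumps(pr_payload(action, sha)).encode()
        header = "sha256=" + hmac.new(signer, body, hashlib.sha256).hexdigest()
        results.append(queue.handle(secret, "pull_request", body, header))
    return {"results": results, "pending": dict(queue.pending)}
```

A real deployment would drain `pending` from a worker rather than analyze inline, so the dedup window is the time a job waits in the queue.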