FAQ
Everything you need to know.
Can't find what you need? Ask the team.
Getting started
How do I sign up?
Veriva is in approved-repo onboarding right now — not self-serve. Request access at /contact with your GitHub handle and the repo you want covered. We aim to onboard approved repos within 48 hours on weekdays; onboarding is founder-handled at the moment, so urgent cases get priority. The Hobby tier is always free; paid tiers activate when you connect billing.
Can I try Veriva before installing the GitHub App?
Yes. The CLI runs the pipeline locally on a diff — npm install -g @veriva/cli, then veriva scan against any repo you have on disk. No account needed for the local-only scan; results stay on your machine.
Is there an early-customer discount?
Yes — EARLYAGENT gets the first 25 paying customers 50% off Team or Scale for twelve months. The code auto-applies on the pricing page during the early window. No expiry on the discount itself; the seat count is the cap.
How long does onboarding take?
Most approved repos are scanning their next PR within an hour of installation. Initial repo indexing (call-graph walk, embeddings, baseline trust history) runs in the background; the first 1-2 PRs may grade more conservatively until the baseline lands. We email when the baseline completes.
About Veriva
How is Veriva different from existing PR reviewers?
Most reviewers post comments. Veriva produces an A–F grade per PR with per-line, per-agent attribution. We walk your call graph and trace every finding back to an entry point before it counts. Hard policy gates override AI confidence. The artifact is something your engineering leader can put in a roadmap review.
Who is Veriva for?
Engineering teams shipping AI-generated code at a meaningful clip — typically multi-repo orgs where Claude Code, Cursor, Copilot, Windsurf, or Devin write a real share of the codebase. We work for solo OSS maintainers too (Hobby is free), but the product earns its keep on teams that need an independent verification layer.
Why "verification" instead of "review"?
Reviewers shipped inside code generators have a built-in conflict: they grade what their own model produced. Veriva is a separate product with a separate role — verify, not generate. A graded artifact + provenance trail per finding is something you can defend; a stream of comments isn't.
How is Veriva different from CodeRabbit?
CodeRabbit posts review comments inline — useful, but it's still review-shaped output that lives in the PR thread. Veriva's output is a graded artifact: per-PR A–F score, per-line per-agent attribution, calibrated against post-merge outcomes, with a hard merge gate that honors your policy.yml over the AI's confidence. Different category — Veriva is the artifact your engineering leader cites, not just the comments your reviewer reads.
How is Veriva different from Snyk, Sonar, or Codacy?
Those are static-analysis platforms — pattern-matchers with rule libraries. Veriva runs static analysis too, but the differentiator is everything stacked on top: multi-model AI review, per-line agent attribution, reachability validation from public entry points, and a trust score that learns from your reverts over a 14-day window. Static analysis tells you a pattern exists; Veriva tells you whether the pattern is actually exploitable in your codebase, by whom, and whether to merge.
How it works
What does the pipeline actually do per PR?
A 10-stage governance pipeline runs on every PR. Stages cover input sanitization, static analysis, multi-model AI review, cross-checking, deep audit on critical findings, policy enforcement, and post-merge outcome tracking. Specific stage names stay internal so we can evolve them without breaking customer-facing claims.
How does Veriva know which agent wrote which line?
Several signals — Co-Authored-By commit trailers, PR-body markers, known bot-account authorship, plus an optional webhook header for explicit attribution. When more than one signal fires, the most specific one wins. Attribution falls back to human when nothing matches. Every agent carries its own trust-score history.
What if two agents touched the same file?
The attribution is per-line, not per-file. If Claude Code wrote lines 42-67 and Cursor wrote lines 70-89, every finding inside each range carries that agent. The PR-level grade weights each agent's contribution and updates their independent trust histories — a clean PR raises both, a finding pulls only the responsible agent down.
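Putting the two answers above together, as an added example that is not Veriva's code: a small resolver that applies the listed signals in an assumed precedence order (explicit header, Co-Authored-By trailer, PR-body marker, known bot account) and falls back to human, followed by per-line range attribution of findings and the per-agent trust adjustments. The header name, the body-marker regex, the bot login and the +1/-1 trust steps are assumptions made for illustration, not Veriva's calibration.

```typescript
// Added example, not Veriva's code: resolve the authoring agent from the signals
// the FAQ lists, then attribute findings to agents by line range. Signal
// precedence, the header name and the trust-delta sizes are assumptions.

type Agent = "claude-code" | "cursor" | "copilot" | "human";

interface PullRequest {
  author: string;                   // GitHub login of the PR author
  body: string;                     // PR description
  commitMessages: string[];         // full commit messages, trailers included
  headers: Record<string, string>;  // webhook headers (hypothetical explicit attribution)
}

// Constructed sample login; real bot logins vary per vendor.
const KNOWN_BOT_ACCOUNTS: Record<string, Agent> = { "copilot-swe-agent[bot]": "copilot" };

function agentFromText(text: string): Agent | null {
  const t = text.toLowerCase();
  if (t.includes("claude")) return "claude-code";
  if (t.includes("cursor")) return "cursor";
  if (t.includes("copilot")) return "copilot";
  return null;
}

// Assumed precedence, most specific first: explicit header, Co-Authored-By
// trailer, PR-body marker, known bot account. Falls back to "human".
function resolveAgent(pr: PullRequest): { agent: Agent; signal: string } {
  const explicit = pr.headers["x-agent-attribution"];  // hypothetical header name
  if (explicit) {
    const a = agentFromText(explicit);
    if (a) return { agent: a, signal: "webhook-header" };
  }
  for (const msg of pr.commitMessages) {
    for (const line of msg.split("\n")) {
      const m = line.match(/^Co-Authored-By:\s*(.+)$/i);
      const a = m ? agentFromText(m[1]) : null;
      if (a) return { agent: a, signal: "co-authored-by" };
    }
  }
  const marker = pr.body.match(/generated (?:with|by)\s+([\w .-]+)/i);
  const fromBody = marker ? agentFromText(marker[1]) : null;
  if (fromBody) return { agent: fromBody, signal: "pr-body-marker" };
  const bot = KNOWN_BOT_ACCOUNTS[pr.author];
  if (bot) return { agent: bot, signal: "bot-account" };
  return { agent: "human", signal: "fallback" };
}

// Per-line attribution: each agent owns inclusive line ranges of the diff.
interface LineRange { agent: Agent; start: number; end: number }
interface Finding { id: string; line: number }

function agentForLine(ranges: LineRange[], line: number): Agent {
  const hit = ranges.find((r) => line >= r.start && line <= r.end);
  return hit ? hit.agent : "human";  // lines outside any agent range are human-written
}

// A clean contribution raises an agent; each finding inside its range pulls
// only that agent down. The +1 / -1 magnitudes are constructed for this example.
function trustDeltas(ranges: LineRange[], findings: Finding[]): Record<string, number> {
  const counts: Record<string, number> = {};
  for (const r of ranges) counts[r.agent] = 0;
  for (const f of findings) {
    const agent = agentForLine(ranges, f.line);
    counts[agent] = (counts[agent] ?? 0) + 1;
  }
  const deltas: Record<string, number> = {};
  for (const agent of Object.keys(counts)) deltas[agent] = counts[agent] === 0 ? 1 : -counts[agent];
  return deltas;
}

// Constructed sample PR: one Claude Code trailer, no header, human author login.
const SAMPLE_PR: PullRequest = {
  author: "dev-alice",
  body: "Adds order validation.",
  commitMessages: ["Validate order totals\n\nCo-Authored-By: Claude <noreply@anthropic.com>"],
  headers: {},
};
const SAMPLE_RANGES: LineRange[] = [
  { agent: "claude-code", start: 42, end: 67 },
  { agent: "cursor", start: 70, end: 89 },
];
const SAMPLE_FINDINGS: Finding[] = [{ id: "F1", line: 50 }, { id: "F2", line: 95 }];

console.log(resolveAgent(SAMPLE_PR));                     // { agent: "claude-code", signal: "co-authored-by" }
console.log(trustDeltas(SAMPLE_RANGES, SAMPLE_FINDINGS)); // { "claude-code": -1, cursor: 1, human: -1 }
```

Line 95 falls outside both agent ranges, so its finding lands on the human bucket; Cursor's range is clean and gains, and only the agent whose lines carry the finding loses.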
How does reachability validation work?
We walk your call graph from public entry points (HTTP routes, queue handlers, cron jobs) to each cited line. If no path exists, the finding drops to Discovery (visible, not blocking). If one does, a verifier confirms whether the path is actually exploitable. Theoretical-only findings get suppressed before they reach the PR comment thread.
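As an added illustration, not Veriva's implementation, of the reachability step: a breadth-first walk from the entry points over a constructed call graph, demoting findings with no path to Discovery and keeping the evidence path for the rest. The graph, entry points and findings are constructed, and the tier name "Reachable" is this example's own. Confirming that a found path is actually exploitable is the separate verifier step the answer mentions and is not modelled here.

```typescript
// Added example, not Veriva's code: decide whether a finding is reachable from a
// public entry point by walking a call graph. The graph, entry points and
// findings are constructed; the tier name "Reachable" is this example's own.

type CallGraph = Record<string, string[]>;  // caller -> callees (fully qualified names)

interface Finding { id: string; fn: string; severity: "HIGH" | "MEDIUM" | "LOW" }
interface Classified { id: string; tier: "Reachable" | "Discovery"; path: string[] }

// One breadth-first walk from all entry points, remembering each node's
// predecessor so the shortest entry-point-to-sink path can be reconstructed.
// Visited tracking makes cycles in the graph harmless.
function reachabilityPaths(graph: CallGraph, entryPoints: string[]): Map<string, string[]> {
  const parent = new Map<string, string | null>();
  const queue: string[] = [];
  for (const e of entryPoints) {
    if (!parent.has(e)) { parent.set(e, null); queue.push(e); }
  }
  while (queue.length > 0) {
    const cur = queue.shift() as string;
    for (const callee of graph[cur] ?? []) {
      if (!parent.has(callee)) { parent.set(callee, cur); queue.push(callee); }
    }
  }
  const paths = new Map<string, string[]>();
  for (const node of parent.keys()) {
    const path: string[] = [];
    let n: string | null = node;
    while (n !== null) { path.unshift(n); n = parent.get(n) ?? null; }
    paths.set(node, path);
  }
  return paths;
}

// Findings with no path from any entry point drop to Discovery (visible, not
// blocking). Reachable ones keep their evidence path; whether that path is
// actually exploitable is a separate verification step not modelled here.
function classifyFindings(graph: CallGraph, entryPoints: string[], findings: Finding[]): Classified[] {
  const paths = reachabilityPaths(graph, entryPoints);
  return findings.map((f): Classified => {
    const path = paths.get(f.fn);
    return path ? { id: f.id, tier: "Reachable", path } : { id: f.id, tier: "Discovery", path: [] };
  });
}

// Constructed sample: an HTTP route and a cron job are the public entry points;
// legacy.exportCsv has no caller, so anything under it is unreachable.
const SAMPLE_GRAPH: CallGraph = {
  "routes.createOrder": ["orders.validate", "orders.persist"],
  "orders.validate": ["util.sanitize"],
  "orders.persist": ["db.query"],
  "jobs.nightlyReport": ["report.render"],
  "report.render": ["util.escapeHtml"],
  "legacy.exportCsv": ["db.rawQuery"],
};
const SAMPLE_ENTRY_POINTS = ["routes.createOrder", "jobs.nightlyReport"];
const SAMPLE_FINDINGS: Finding[] = [
  { id: "F1", fn: "db.query", severity: "HIGH" },
  { id: "F2", fn: "db.rawQuery", severity: "HIGH" },
  { id: "F3", fn: "util.escapeHtml", severity: "MEDIUM" },
];

for (const c of classifyFindings(SAMPLE_GRAPH, SAMPLE_ENTRY_POINTS, SAMPLE_FINDINGS)) {
  console.log(c.id, c.tier, c.path.join(" -> "));
}
// F1 Reachable routes.createOrder -> orders.persist -> db.query
// F2 Discovery
// F3 Reachable jobs.nightlyReport -> report.render -> util.escapeHtml
```

F2 has the same severity as F1 but no entry point leads to it, so it stays visible without blocking; the recorded path on F1 and F3 is the provenance a reviewer can check by hand.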
How is the A–F grade calculated?
A combination of finding severity, reachability evidence, per-rule false-positive history, and the contributing agents' trust scores — calibrated against your post-merge outcomes (reverts, incident-linked commits). The grade is schema-versioned so we can improve calibration without invalidating old grades.
What does post-merge outcome tracking do?
For 14 days after merge, Veriva watches for reverts and incident patterns. Reverts pull the authoring agent's trust score down; clean merges raise it. This loop is what makes the grade learn rather than just being a one-shot LLM verdict.
Privacy + security
Where does my code go?
Your code is analyzed in AWS us-east-1, with automatic failover to us-west-2 for availability. Every query runs under PostgreSQL Row-Level Security scoped to your org. No training, no model fine-tuning. SOC 2 readiness is underway — email aria@veriva.dev for the current timeline. Per-tenant region selection is on the Enterprise roadmap.
Is there a DPA available?
Yes. Available on request for Team and above; signed standard DPA for Enterprise. Email aria@veriva.dev — we usually turn around within two business days.
How long do you retain my data?
Per-PR JSONL audit trails are append-only and retained per your plan: 7 days on Hobby, 30 on Team, 90 on Scale, custom on Enterprise. LLM payload retention is 90 days across all paid plans (Hobby has no payload retention).
Can you train models on my code?
No. We do not train, fine-tune, or otherwise use customer code for model improvement. The contracts with our model providers prohibit it on our end, and our pipeline never writes customer code to a training-eligible store.
Configuration
Can I use my own rules and policies?
Yes. Declarative rules in .veriva/rules/*.yml (versioned with your code). Path deny rules. Agent deny rules. Custom Shell hooks (sandboxed) and signed Webhook hooks plug your own checks into our pipeline. Label overrides (veriva:skip / veriva:review) handle the edge cases.
What languages do you support?
Call-graph walker today: TypeScript · JavaScript · TSX · JSX · Python. Static analysis runs across that set plus Go, Ruby, and Java via Tree-sitter. AI stages are language-agnostic — anything in your repo gets reviewed; only the graph features are gated to the supported set.
Can I pause Veriva on a specific PR or repo?
Yes. Apply the veriva:skip label on a PR to short-circuit it — the merge gate posts neutral. Repos can be paused org-wide from the dashboard. veriva:review forces a fresh full review on the next head SHA.
What about false positives?
Every HIGH-severity AI finding is independently re-classified by a second pass; disagreements get demoted and routed to a deep-audit pass. Merge outcomes feed back into per-rule false-positive rates over a 14-day window. Rules that keep crying wolf get flagged for review.
Pricing + billing
How is pricing structured?
Reviewed-KB on a flat monthly base. Hobby is free (unlimited public repos · 3 private · 250 KB/mo on private, full 10-stage pipeline). Team is $99/mo + 2,000 KB. Scale is $499/mo + 20,000 KB. Enterprise is custom. KB overage on Team and Scale is $0.05/KB and applies automatically — no service interruption, alerts at 80% and 100% of your monthly allowance.
Do you charge extra for model usage?
No. Multi-model routing (light · standard · deep-audit) is included. KB reviewed is the only usage metric.
Can I switch plans?
Yes — both directions, any time. Downgrades take effect at the end of the current cycle. Upgrades prorate. Annual plans get two months free; talk to us for that.
Refunds?
If Veriva doesn't work for you in the first 30 days of a paid plan, email aria@veriva.dev and we'll refund the prorated balance — no questions.
Integrations
Does Veriva integrate with Slack?
Yes. OAuth v2 install + bot-token messaging. Findings post to your org's default channel. Encrypted tokens at rest (AES-256-GCM). Available on Team and above.
Linear / Jira?
Both. Veriva extracts LIN-NNN or PROJ-NNN ticket keys from your PR title, body, or branch name, fetches the ticket via the integration's API, and feeds the ticket as markdown into the AI review prompt — so reviewers understand WHY the PR exists. Linear and Jira are context fetchers; outbound ticket creation is not built.
How does the GitHub Action work?
Veriva-AI/analyze-action@v1 on the Marketplace. Drop into any workflow with one block; configure with deny paths + mode (advisory / strict). The Action mirrors the GitHub App's pipeline output — same grade, same findings, same provenance.
Does it work with GitHub Enterprise?
GitHub.com and GitHub Enterprise Cloud today. GitHub Enterprise Server (self-hosted) is on the Enterprise roadmap — talk to us if it's a hard requirement.
Operations
What happens if Veriva is down when my PR opens?
Fail open. The GitHub check-run posts as neutral with a "service unavailable" message, your merge button stays unblocked, and the PR is requeued automatically once service recovers. Every pipeline run is idempotent — retries never double-post.
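The fail-open and idempotency behaviour described above, as an added example that is not Veriva's code: the Checks API and the pipeline are replaced by fakes, the check-run is keyed on repository plus head SHA so a retry updates the existing run rather than posting a second one, and an outage yields a neutral conclusion plus a requeue entry that a later retry clears. The conclusion values follow GitHub's check-run vocabulary (success, failure, neutral); the wrapper API and all sample values are assumptions.

```typescript
// Added example, not Veriva's code: a fail-open, idempotent check-run publisher.
// The check-run store and pipeline are fakes constructed for this example; the
// conclusion values mirror GitHub's check-run conclusions, the wrapper API is assumed.

type Conclusion = "success" | "failure" | "neutral";
interface CheckRun { key: string; conclusion: Conclusion; summary: string }
interface PipelineResult { grade: string; blocking: number }
type Pipeline = (sha: string) => PipelineResult;  // throws when the service is unavailable

// Stand-in for the Checks API: keyed by repo + head SHA, so a retry updates the
// existing check-run instead of creating a second one.
class CheckRunStore {
  private runs = new Map<string, CheckRun>();
  posts = 0;  // how many writes happened, regardless of dedupe
  upsert(run: CheckRun): void { this.posts += 1; this.runs.set(run.key, run); }
  get(key: string): CheckRun | undefined { return this.runs.get(key); }
  count(): number { return this.runs.size; }
}

function idempotencyKey(repo: string, sha: string): string { return `${repo}@${sha}`; }

// Publish exactly one check-run for this head SHA. If the pipeline is down, post
// "neutral" (merge button stays unblocked) and put the SHA on the requeue set.
function publishCheck(store: CheckRunStore, requeue: Set<string>, repo: string, sha: string, pipeline: Pipeline): CheckRun {
  const key = idempotencyKey(repo, sha);
  let run: CheckRun;
  try {
    const r = pipeline(sha);
    run = r.blocking > 0
      ? { key, conclusion: "failure", summary: `Grade ${r.grade}: ${r.blocking} blocking finding(s)` }
      : { key, conclusion: "success", summary: `Grade ${r.grade}` };
    requeue.delete(sha);
  } catch {
    run = { key, conclusion: "neutral", summary: "service unavailable; analysis requeued" };
    requeue.add(sha);
  }
  store.upsert(run);
  return run;
}

// Constructed pipeline that fails `outages` times, then returns `result`.
function makeFlakyPipeline(outages: number, result: PipelineResult): Pipeline {
  let remaining = outages;
  return () => {
    if (remaining > 0) { remaining -= 1; throw new Error("pipeline unavailable"); }
    return result;
  };
}

// Drain the requeue set once service is back; each retry hits the same key.
function retryRequeued(store: CheckRunStore, requeue: Set<string>, repo: string, pipeline: Pipeline): CheckRun[] {
  return Array.from(requeue).map((sha) => publishCheck(store, requeue, repo, sha, pipeline));
}

// Outage on the first attempt, recovery on the retry: one check-run, two writes.
function demo(): { first: CheckRun; retried: CheckRun[]; checkRuns: number; posts: number } {
  const store = new CheckRunStore();
  const requeue = new Set<string>();
  const pipeline = makeFlakyPipeline(1, { grade: "B", blocking: 0 });
  const first = publishCheck(store, requeue, "acme/api", "3f9c1e2", pipeline);  // neutral
  const retried = retryRequeued(store, requeue, "acme/api", pipeline);          // success
  return { first, retried, checkRuns: store.count(), posts: store.posts };      // checkRuns 1, posts 2
}

console.log(demo());
```

The point to check in any real implementation is the pair of counters: the store is written on every attempt, but the number of distinct check-runs for a head SHA never exceeds one, which is what keeps a retry from double-posting.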
How fast is a typical analysis?
Median under 30 seconds; p95 budget is 90 seconds. Veriva runs as a parallel GitHub check, never in your critical CI path.
Where can I check status?
/status for the live operational dashboard — per-subsystem health, 90-day uptime, and per-incident postmortems.