Code Governance

Enforce governance rules on every pull request — AI agent safety, HIPAA, SOX, legal compliance, and custom policies. Inline comments on exact lines, multi-model consensus, automatic verification.

Your AI agent code ships via pull requests. Aira reviews every PR against your governance rules and posts inline comments on exact violation lines — before the code reaches production.

Not just security scanning. Aira enforces your rules — AI agent safety, HIPAA compliance, legal privilege protection, financial regulations, architecture standards, or any custom policy you define.

AI agent governance — the lead use case

An AI support agent has access to customer accounts, databases, and external APIs. Without governance, a single PR can introduce prompt injection surfaces, PII leakage to LLMs, unbounded tool access, or destructive auto-execution.

AI Agent Governance policy

curl -X POST https://api.airaproof.com/api/v1/policies \
  -H "Authorization: Bearer $AIRA_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "AI Agent Governance",
    "mode": "ai",
    "priority": 100,
    "ai_models": ["claude-opus-4-8"],
    "ai_prompt": "Review code implementing an AI agent. Enforce:\n\n1. No system prompt leakage — prompts must never be returned to users or logged in full\n2. No prompt injection — user input must never be concatenated into system prompts\n3. No unbounded tool access — agents must have an explicit tool allowlist, not wildcard\n4. No cross-tenant data — all queries must filter by tenant ID\n5. No PII in LLM context — mask email, phone, SSN, address before sending to LLM\n6. No destructive auto-execution — refunds, cancellations, deletes must require confirmation\n7. No third-party data sharing without consent check\n8. Idempotency on all mutations\n9. Audit trail on every tool call\n10. Token/cost tracking on LLM calls\n\nDo NOT flag: UI code, test files, config constants.",
    "conditions": [
      {"field": "action_type", "op": "eq", "value": "pr_code_scan"},
      {"field": "agent_id", "op": "contains", "value": "acme/agent-platform"}
    ],
    "decision": "deny"
  }'

What Aira catches on the exact lines:

system_prompt_leakage (Critical)

debug_prompt() returns the full system prompt including internal
refund policy and escalation thresholds. System prompts must
never be exposed to users.

unbounded_tool_access (Critical)

AVAILABLE_TOOLS = ["*"] grants the agent access to every
registered tool. Use an explicit allowlist of permitted tools.

pii_in_llm_context (Critical)

Full customer email, phone, address, and payment method are
sent to the LLM unmasked. PII must be redacted before
inclusion in LLM prompts.

destructive_auto_execution (Critical)

_process_refund() executes immediately without confirmation.
Destructive operations must require explicit user confirmation
before the agent executes them.

How it works

PR opened or pushed
       |
Fetch diff (added lines only)
       |
Run matching policies (highest priority first):
  - content_scan -> regex + NER (instant)
  - ai -> one LLM reviews the actual diff
  - consensus -> N LLMs review, majority-vote merge
       |
Verify PR description (automatic)
       |
Merge violations, deduplicate by (file, line)
Skip lines already commented from previous pushes
       |
Post PR review with inline comments
REQUEST_CHANGES if violations, COMMENT if clean
Dismiss old blocking reviews when violations are fixed

Three policy layers

Layer 1 — Org policies

Created in the dashboard or via API. Run on every matching PR.

Mode	How it works	Speed
`content_scan`	Regex patterns + Presidio NER	Instant
`ai`	One LLM reviews the actual diff against your prompt	5-15s
`consensus`	N LLMs review independently, keep majority-agreed findings	10-30s

Layer 2 — Per-PR policies

Target a specific PR, repo, or group of repos:

Scope	Condition
All PRs	`action_type eq pr_code_scan`
One repo	`agent_id contains acme/backend`
Multiple repos	`agent_id regex acme/(backend\|api)`
One PR	`agent_id contains acme/backend#42`

Layer 3 — PR description verification (automatic)

When a PR has a substantive description, Aira verifies the code delivers what the description promises. No configuration needed.

Setup

Step 1 — Install the GitHub App

Go to github.com/apps/aira-governance
Click Install and select your organization
Link the installation in the Aira dashboard under Settings > GitHub

Step 2 — Create policies

One model reviews the diff against your rules

curl -X POST https://api.airaproof.com/api/v1/policies \
  -H "Authorization: Bearer $AIRA_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Engineering Standards",
    "mode": "ai",
    "priority": 90,
    "ai_models": ["claude-opus-4-8"],
    "ai_prompt": "Your rules here...",
    "conditions": [
      {"field": "action_type", "op": "eq", "value": "pr_code_scan"}
    ],
    "decision": "deny"
  }'

Two models must agree — eliminates hallucinated violations

curl -X POST https://api.airaproof.com/api/v1/policies \
  -H "Authorization: Bearer $AIRA_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Security Review",
    "mode": "consensus",
    "priority": 100,
    "ai_models": ["claude-opus-4-8", "claude-sonnet-4-6"],
    "ai_prompt": "Your rules here...",
    "conditions": [
      {"field": "action_type", "op": "eq", "value": "pr_code_scan"}
    ],
    "decision": "deny"
  }'

Pattern matching — no LLM calls, instant results

curl -X POST https://api.airaproof.com/api/v1/policies \
  -H "Authorization: Bearer $AIRA_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Pattern Scanner",
    "mode": "content_scan",
    "priority": 80,
    "scan_config": {
      "libraries": ["credentials", "pii"],
      "custom_patterns": [
        {
          "name": "internal_url",
          "regex": "https?://(internal|staging|dev)\\.[a-z0-9.-]+",
          "severity": "critical",
          "description": "Internal URL in production code"
        }
      ]
    },
    "conditions": [
      {"field": "action_type", "op": "eq", "value": "pr_code_scan"}
    ],
    "decision": "deny"
  }'

Step 3 — Done

Every PR on connected repos is now governed automatically.

Industry examples

Healthcare (HIPAA)

Targets repos handling patient data

curl -X POST https://api.airaproof.com/api/v1/policies \
  -H "Authorization: Bearer $AIRA_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "HIPAA Compliance",
    "mode": "ai",
    "priority": 100,
    "ai_models": ["claude-opus-4-8"],
    "ai_prompt": "Review for HIPAA PHI violations:\n\n1. No PHI in logs (names, DOB, SSN, diagnoses, medications)\n2. No PHI in error messages\n3. No PHI over HTTP — must use HTTPS\n4. No plaintext PHI storage — encrypt at rest\n5. Access control on patient records\n6. Minimum necessary — only access needed PHI fields\n7. Audit trail on every PHI access\n8. Cache TTL on PHI — no indefinite caching",
    "conditions": [
      {"field": "action_type", "op": "eq", "value": "pr_code_scan"},
      {"field": "agent_id", "op": "contains", "value": "acme/patient-portal"}
    ],
    "decision": "deny"
  }'

What Aira catches:

pii_in_logs (Critical)

Patient SSN and diagnosis logged via logger.info(). PHI must
never appear in logs — log only de-identified references.

Legal (Privilege & Data Protection)

Targets repos handling contracts and case files

curl -X POST https://api.airaproof.com/api/v1/policies \
  -H "Authorization: Bearer $AIRA_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Legal Data Protection",
    "mode": "ai",
    "priority": 100,
    "ai_models": ["claude-opus-4-8"],
    "ai_prompt": "Review code handling legal documents:\n\n1. No privilege leakage to logs, analytics, or third-party APIs\n2. Document classification check before sharing\n3. No unreviewed sharing with external APIs (LLMs, search)\n4. Retention compliance — no hard deletes without retention check\n5. Access logging on every document access\n6. Encryption at rest\n7. Tenant isolation — cross-client access is a violation",
    "conditions": [
      {"field": "action_type", "op": "eq", "value": "pr_code_scan"},
      {"field": "agent_id", "op": "contains", "value": "acme/legal-platform"}
    ],
    "decision": "deny"
  }'

What Aira catches:

privilege_sent_to_llm (Critical)

Document content sent to OpenAI API without checking privilege
status. Attorney-client content must never reach third parties.

Finance (SOX & PCI-DSS)

Targets repos handling payments and transactions

curl -X POST https://api.airaproof.com/api/v1/policies \
  -H "Authorization: Bearer $AIRA_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Financial Compliance",
    "mode": "ai",
    "priority": 100,
    "ai_models": ["claude-opus-4-8"],
    "ai_prompt": "Review for SOX and PCI-DSS compliance:\n\n1. Decimal for money — not float\n2. Audit trail on every transaction\n3. Dual authorization on high-value operations\n4. No full card numbers or CVVs in logs or storage\n5. Separation of duties — no self-approval\n6. Reconciliation events on financial mutations\n7. Explicit currency codes on all amounts\n8. Idempotency keys on payment operations",
    "conditions": [
      {"field": "action_type", "op": "eq", "value": "pr_code_scan"},
      {"field": "agent_id", "op": "contains", "value": "acme/payments"}
    ],
    "decision": "deny"
  }'

What Aira catches:

float_for_money (Critical)

Using float for monetary amount. Floating point causes rounding
errors. Use Decimal for financial calculations.

Per-PR acceptance criteria

When a ticket has a Definition of Done, create a temporary policy that targets just that PR:

Verify ticket requirements on PR #42

curl -X POST https://api.airaproof.com/api/v1/policies \
  -H "Authorization: Bearer $AIRA_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "PLAT-847 DOD",
    "mode": "ai",
    "priority": 95,
    "ai_models": ["claude-opus-4-8"],
    "conditions": [
      {"field": "action_type", "op": "eq", "value": "pr_code_scan"},
      {"field": "agent_id", "op": "contains", "value": "acme/backend#42"}
    ],
    "ai_prompt": "Verify these requirements are implemented:\n\n1. Session creation with configurable TTL\n2. Session refresh extends TTL\n3. Revoke session and revoke-all\n4. Encryption at rest\n5. Rate limiting (max 10/hour)\n6. Audit log on create and revoke",
    "decision": "deny"
  }'

Delete the policy when the PR is merged.

Full lifecycle

1. PR opened — Aira posts REQUEST_CHANGES with inline comments on each violation.

2. Developer pushes fixes — Aira re-scans. Only new violations get comments (deduplication).

3. All violations resolved — Aira posts COMMENT: "No violations." Old blocking reviews are dismissed. PR is unblocked.

What gets scanned

Only added lines in the PR diff. Removing code does not trigger violations. Binary files and deleted files are skipped.

Policy stacking

Multiple policies run in priority order. Their violations are merged and deduplicated by (file, line).

Priority	Mode	Policy	Example
100	`ai`	AI Agent Governance	Prompt safety, PII in LLM context, tool access
90	`consensus`	Security Review	Hardcoded secrets, SQL injection, XSS
80	`ai`	Writing Standards	Vague errors, dead code
70	`content_scan`	Pattern Scanner	Regex: credentials, PII, internal URLs
—	auto	PR Description	Gaps between description and code

Blocking merges

Add Aira Governance as a required status check:

Settings > Branches > Branch protection rules
Enable Require status checks to pass before merging
Add Aira Governance

Merge blocking uses REQUEST_CHANGES review — automatically dismissed on a clean re-scan.

Policies — rules, AI, consensus, and content_scan modes
Content scan policies — PII, credentials, prompt injection patterns
Supported models — all models available for AI and consensus policies

Code Governance

On this page