# Merge Policies

Block merges automatically when vulnerabilities are detected.

Merge policies let you define which vulnerability severities should block a pull request from being merged. Policies are configured in `codesentinel.json` at the root of your repository.
## Basic configuration

```json
{
  "mergePolicy": {
    "blockOn": ["critical", "high"],
    "warnOn": ["medium"],
    "ignoreOn": ["low"]
  }
}
```

## Policy options
| Option | Values | Description |
|---|---|---|
| `blockOn` | `severity[]` | Scan result is FAILED; the merge is blocked |
| `warnOn` | `severity[]` | Scan result is PASSED with annotations; the merge is allowed |
| `ignoreOn` | `severity[]` | Issues at this severity are not reported |
## Branch-specific policies
Apply stricter policies to production branches and looser policies to feature branches:
```json
{
  "mergePolicy": {
    "blockOn": ["critical"],
    "branches": {
      "main": { "blockOn": ["critical", "high"] },
      "release/*": { "blockOn": ["critical", "high", "medium"] }
    }
  }
}
```

## Overriding a block
Repository admins can override a failed scan by applying the security-reviewed label to the PR. This marks the check as passing while preserving the findings in the audit log. The override is recorded in the CodeSentinel dashboard.
**Overrides require admin access**
Only users with Admin or Maintain role on the repository can apply the override label. This is enforced at the GitHub permission level.
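The policy resolution described on this page (top-level lists, branch-specific overrides, and the label override) as an added example; this is not CodeSentinel's own code. It assumes, since the page does not say, that a matching `branches` entry replaces only the keys it names and inherits the rest, that branch patterns are shell-style globs, and that the first matching pattern wins.

```python
import fnmatch
import json

# Constructed codesentinel.json mirroring the examples on this page (not a real repository's file).
POLICY_JSON = """
{
  "mergePolicy": {
    "blockOn": ["critical"],
    "warnOn": ["medium"],
    "ignoreOn": ["low"],
    "branches": {
      "main": { "blockOn": ["critical", "high"] },
      "release/*": { "blockOn": ["critical", "high", "medium"] }
    }
  }
}
"""

def effective_policy(config: dict, branch: str) -> dict:
    """Resolve the policy for one branch. Assumption: a matching "branches" entry
    replaces the top-level keys it names and inherits the others; patterns are
    shell-style globs and the first match in declaration order wins."""
    merge_policy = config["mergePolicy"]
    base = {k: v for k, v in merge_policy.items() if k != "branches"}
    for pattern, override in merge_policy.get("branches", {}).items():
        if fnmatch.fnmatchcase(branch, pattern):
            return {**base, **override}
    return base

def evaluate(policy: dict, findings: list, labels=()) -> tuple:
    """Return (result, reported_findings) for findings shaped like {"severity": "high"}.
    The "security-reviewed" label models the admin override: the check passes, but the
    blocking findings stay in the reported list so the audit trail keeps them."""
    block = set(policy.get("blockOn", []))
    warn = set(policy.get("warnOn", []))
    ignore = set(policy.get("ignoreOn", []))
    reported = [f for f in findings if f["severity"] not in ignore]
    if any(f["severity"] in block for f in reported):
        return ("OVERRIDDEN" if "security-reviewed" in labels else "FAILED"), reported
    if any(f["severity"] in warn for f in reported):
        return "PASSED_WITH_ANNOTATIONS", reported
    return "PASSED", reported

def check(config_text: str, branch: str, findings: list, labels=()) -> str:
    """Load the config, resolve the branch policy, and return the scan result."""
    return evaluate(effective_policy(json.loads(config_text), branch), findings, labels)[0]
```

Running the resolver against a few branch names also exposes gaps: with the constructed config, a `high` finding on a feature branch is reported but neither blocks nor warns, because no list names it.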