.pulllight.yml
Per-repo config file — checked in at the repo root, read on every PR. Overrides your team-level settings for that repo only.
How it works
Add a .pulllight.yml (or .pulllight.yaml) to your repo root. On every PR webhook PullLight fetches this file at the PR's head SHA — so config changes take effect the moment they're merged, with no dashboard trips required.
All fields are optional. Omitting a field falls back to your team-level setting from Review Focus. Specifying a field overrides the team default for that repo only.
If the file exists but contains a YAML syntax error, PullLight logs a warning and proceeds with your team defaults. It never silently skips reviews because of a bad config.
Schema reference
| Field | Type | Default | Description |
|---|---|---|---|
| disable | bool | false | Kill switch. Set true to skip all reviews for this repo. Check Run will show "Review skipped". |
| review_focus | list | team setting | Categories to enable for this repo. Valid values: security, bugs, performance, style, tests. Overrides the team-level Review Focus toggle. |
| ignore_paths | list | none | Glob patterns of files to exclude from review. Supports ** (matches across /) and * (matches within a path segment). Examples: vendor/**, **/*.generated.ts, **/migrations/*.sql, dist/**. |
| severity_floor | string | none | Drop findings below this level before queuing. Valid: low, medium, high, critical. Set medium to silence noise; set high for zero-tolerance teams. |
| custom_rules | list | none | Free-text rules injected directly into Claude's system prompt as highest-priority instructions. Each rule ≤ 200 chars. Use to encode team conventions Claude doesn't know about: e.g. "Flag any new Express route without auth middleware". |
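Since the file is fetched at the PR's head SHA, a PR's own edits to .pulllight.yml are part of what gets read, so a repo owner may want a CI step that surfaces edits which narrow review scope or add prompt rules. The following is an added example, not PullLight code: it compares two already-parsed configs using the fields in the table above. The function names and sample values are assumptions made for illustration.

```python
# Added example, not PullLight code. Inputs are the already-parsed configs
# (mappings from a YAML safe loader) for the base branch and the PR head.
SEVERITY = ["low", "medium", "high", "critical"]  # ascending, from the schema table


def _floor_rank(cfg):
    """Position of severity_floor in SEVERITY; -1 when unset (nothing dropped)."""
    floor = cfg.get("severity_floor")
    return SEVERITY.index(floor) if floor in SEVERITY else -1


def _added(base, head, key):
    """Items of list field `key` present in head but not in base."""
    old = base.get(key) or []
    return [item for item in (head.get(key) or []) if item not in old]


def coverage_changes(base, head):
    """List head-config edits that narrow what is reviewed or alter the prompt."""
    base, head = base or {}, head or {}
    notes = []
    if head.get("disable") is True and base.get("disable") is not True:
        notes.append("disable: all reviews switched off")
    if "review_focus" in head and "review_focus" in base:
        kept = head["review_focus"] or []
        for cat in base["review_focus"] or []:
            if cat not in kept:
                notes.append(f"review_focus: '{cat}' removed")
    elif "review_focus" in head:
        notes.append("review_focus: now overrides the team setting")
    for glob in _added(base, head, "ignore_paths"):
        notes.append(f"ignore_paths: '{glob}' newly excluded")
    if _floor_rank(head) > _floor_rank(base):
        notes.append(f"severity_floor: raised to '{head['severity_floor']}'")
    for rule in _added(base, head, "custom_rules"):
        size = "over the 200-char limit" if len(rule) > 200 else f"{len(rule)} chars"
        notes.append(f"custom_rules: new prompt rule ({size})")
    return notes


# Constructed sample: base-branch config vs. the config at a PR's head SHA.
BASE = {"review_focus": ["security", "bugs"], "ignore_paths": ["vendor/**"],
        "severity_floor": "medium"}
HEAD = {"review_focus": ["bugs"], "ignore_paths": ["vendor/**", "src/**"],
        "severity_floor": "high",
        "custom_rules": ["Flag use of eval() or exec() on user-supplied data"]}

if __name__ == "__main__":
    for line in coverage_changes(BASE, HEAD):
        print("REVIEW CONFIG CHANGE:", line)
```

A non-empty result is a reason to require an explicit owner approval on the PR, not proof of a problem.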
Copy-paste examples
```yaml
# Review focus: security and bugs only (no style noise in a large monorepo)
review_focus:
  - security
  - bugs

# Skip generated files, build output, lockfiles, and DB migrations
# (patterns that start with * are quoted so YAML does not parse them as aliases)
ignore_paths:
  - packages/*/dist/**
  - "**/*.generated.ts"
  - "**/migrations/*.sql"
  - "**/node_modules/**"

# Only queue findings at medium severity or above
severity_floor: medium

# Team conventions the AI should enforce
custom_rules:
  - "Flag any new use of JSON.parse without try/catch"
  - "All new Express routes must call the auth middleware before handlers"
  - "Warn if process.env access happens outside config/env.js"
```
```yaml
# Focus on bugs and security; skip performance and style for now
review_focus:
  - security
  - bugs

# Skip migrations, test fixtures, and static assets
# (patterns that start with * are quoted so YAML does not parse them as aliases)
ignore_paths:
  - "**/migrations/*.py"
  - "**/fixtures/**"
  - static/**
  - frontend/build/**

# Only show high and critical findings to the team
severity_floor: high

# Django-specific rules
custom_rules:
  - "Flag any raw SQL using string formatting — use Django ORM or parameterized queries"
  - "Flag use of eval() or exec() on user-supplied data"
  - "Warn if CSRF protection is disabled on a view handler"
```
```yaml
# Full review: security, bugs, and tests. Skip performance and style.
review_focus:
  - security
  - bugs
  - tests

# Skip generated protobuf stubs and vendor directory
# (patterns that start with * are quoted so YAML does not parse them as aliases)
ignore_paths:
  - vendor/**
  - "**/*.pb.go"
  - "**/*_gen.go"

# Surface everything — no severity filter
# severity_floor: low  # (default — omit to keep all findings)

# Go-specific conventions
custom_rules:
  - "Flag errors that are silently discarded with _ instead of handled"
  - "Flag context.Background() inside handlers — should use request context"
  - "Warn if new goroutines launch without a done/cancel channel"
```
Validate your config
Paste your .pulllight.yml below and click Validate to check for syntax errors and unknown fields before committing.