PR Evidence Pack Generator
Prove your AI code review before merge.
AI coding agents generate PRs fast. But teams need evidence — not just claims — that changes were reviewed, tests were run, and risk was assessed. The PR Evidence Pack Generator produces structured, shareable evidence reports from any diff.
Risk Analysis
Automatic risk scoring (0–100) and flagging: dependency changes, config changes, secrets in diffs, auth/payment paths, source-without-tests, and infrastructure changes. Now configurable per team.
GitHub PR Comment
Generate ready-to-paste GitHub PR comments with emoji risk indicators, collapsible metadata, and review checklists. Just --format github-comment.
Configurable Severity (new in v1.2)
Custom risk thresholds, flag weights, file patterns, sensitive paths, and secret detection via JSON config. --severity-config team.json
Reviewer Checklist & Sign-Off
Tailored reviewer checklists based on detected risk flags. Author, reviewer, and security reviewer sign-off requirements based on risk level.
Test Coverage
Parses pytest, jest, go test, and generic test output. Shows pass/fail counts and test commands directly in your evidence report.
Quick start
```bash
python3 src/pr_evidence_pack.py --diff my-pr.diff

# GitHub PR comment — paste directly into GitHub
python3 src/pr_evidence_pack.py \
    --diff my-pr.diff \
    --test-output pytest-output.txt \
    --metadata pr-meta.json \
    --format github-comment \
    --output pr-comment.md

# Full report with test output + metadata → HTML
python3 src/pr_evidence_pack.py \
    --diff my-pr.diff \
    --test-output pytest-output.txt \
    --metadata pr-meta.json \
    --format html \
    --output evidence.html

# Use in CI: exit 1 on high risk → block merge
python3 src/pr_evidence_pack.py --diff pr-changes.diff
echo $?

# Custom severity config for your team
python3 src/pr_evidence_pack.py \
    --diff my-pr.diff \
    --severity-config team-config.json \
    --format markdown
```
What's in the report
Sample Evidence Pack Output
| Section | Content |
|---|---|
| Metadata | PR title, URL, author, reviewer, branch, timestamp |
| Risk Summary | Score 0–100, level HIGH / MEDIUM / LOW, verdict |
| Risk Flags | DEPENDENCY_CHANGE, SENSITIVE_AREA_CHANGE, POSSIBLE_SECRET_LITERAL, etc. |
| Changed Files | Per-file: path, +lines, -lines, risk flags |
| Test Coverage | Tests run, passed, failed, commands |
| Reviewer Checklist | Tailored checklist based on risk flags |
| Sign-Off | Author / Reviewer / Security Reviewer requirements |
What's included
- CLI tool — run from terminal, CI, or pre-commit hook
- 4 output formats — Markdown, HTML, JSON, GitHub PR comment
- CI exit codes — exit 1 on high risk (block merge)
- Python API — import and use in your own tools
- GitHub PR comments — emoji risk indicators, collapsible metadata, review checklists
- Test output parser — pytest, jest, go test, generic
- Risk analysis — 7 risk flag categories, scoring, recommendations
- Reviewer checklists — tailored to risk level
- Sign-off tracking — role-based requirements
- Configurable severity — custom thresholds, weights, file patterns, sensitive paths via JSON config
- Sample files — diff, test output, metadata JSON, severity config, GitHub comment output
- 58 unit tests — tested and verified
- Works standalone — no external dependencies (Python stdlib only)
- Integrates with Audit Kit — enhanced risk analysis when both installed
Who is this for?
- Tech leads reviewing AI-generated PRs who need evidence of review
- Agencies shipping client work with AI tools who need sign-off records
- Solo developers using Cursor, Claude Code, or Codex who want structured self-review
- CI/CD pipeline builders who want risk gates for AI-generated changes
Evidence-backed — no fake claims
58 passing unit tests. py_compile validated. Sample fixtures that produce real output. This is a working CLI tool, not a prompt pack or PDF.
Ran 58 tests in 0.019s — OK
py_compile: OK
ZIP SHA256: verified
Honest limitations
- Does not enforce sign-off — it generates reports and checklists for your team to use
- Diff analysis is pattern-based, not a full AST parser
- No network calls — fully local and offline
- No fake testimonials or inflated metrics
Also available
Pair with the AI Agent Change Risk Audit Kit for enhanced risk analysis, or the CI Gate Templates Pack for drop-in CI/CD risk gates.