
Standards & Rules

Define your organization's engineering baseline. Specmark enforces standards continuously and alerts you when repos drift out of compliance.

Default Rules

Every Specmark installation starts with a set of default rules that reflect industry best practices. These rules run automatically with no configuration required:

Rule                What it checks                                       Default severity
Branch protection   Default branch requires PR reviews, no force push    Critical
CODEOWNERS          CODEOWNERS file exists at repo root or .github/      High
CI workflow         At least one GitHub Actions workflow is configured   High
Secret scanning     GitHub secret scanning is enabled on the repo        Critical
Dependabot          Dependabot alerts or security updates are enabled    High
README              README.md exists with meaningful content             Medium
License             A LICENSE or LICENSE.md file exists                  Medium

Configuring Rules

Organization admins can customize which rules are enforced and at what severity level from the Admin → Rules page in the Specmark dashboard.

From the Rules page, you can:

  • Enable or disable individual rules
  • Change the severity level (critical, high, or medium)
  • Exclude specific repositories from a rule
  • Set grace periods for newly created repositories

Changes take effect immediately. All repositories are re-evaluated against the updated rule set within 60 seconds.

Severity Levels

Each rule has a severity that determines how it appears in the dashboard and whether it blocks actions:

  • Critical — Represents an active security risk or a policy that must never be violated. Critical violations appear at the top of the dashboard and trigger immediate Slack notifications (if configured).
  • High — Important engineering standards that should be addressed within a sprint. High violations are prominently displayed and included in weekly digest emails.
  • Medium — Best practices and hygiene checks. Medium violations are tracked but do not generate alerts by default.
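The following rule engine is an added illustration, not Specmark's own code: it implements the seven default rules above as predicates over a constructed repository snapshot, applies the four admin controls from the Rules page (disable a rule, override its severity, exclude a repository, grace period for new repos), and then routes violations by severity the way the Severity Levels section describes. The `Repo` fields, the 200-byte threshold for a "meaningful" README, the rule ids and the sample repositories are all assumptions made here.

```python
from dataclasses import dataclass, field
from datetime import date

# Dashboard ordering: critical violations sort to the top.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}
README_MIN_BYTES = 200  # assumption: "meaningful content" means more than this


@dataclass
class Repo:
    """Constructed snapshot of the repository state the checks look at."""
    name: str
    created: date
    default_branch_protected: bool  # PR reviews required and force push disabled
    files: set                      # paths present at the root or under .github/
    readme_bytes: int
    workflows: int                  # number of GitHub Actions workflow files
    secret_scanning: bool
    dependabot: bool                # alerts or security updates enabled


# rule id -> (default severity, predicate that is True when the repo is compliant)
DEFAULT_RULES = {
    "branch-protection": ("critical", lambda r: r.default_branch_protected),
    "codeowners": ("high", lambda r: bool({"CODEOWNERS", ".github/CODEOWNERS"} & r.files)),
    "ci-workflow": ("high", lambda r: r.workflows >= 1),
    "secret-scanning": ("critical", lambda r: r.secret_scanning),
    "dependabot": ("high", lambda r: r.dependabot),
    "readme": ("medium", lambda r: "README.md" in r.files and r.readme_bytes > README_MIN_BYTES),
    "license": ("medium", lambda r: bool({"LICENSE", "LICENSE.md"} & r.files)),
}


@dataclass
class RuleConfig:
    """The four admin controls exposed on the Rules page."""
    disabled: set = field(default_factory=set)             # rule ids switched off
    severity_override: dict = field(default_factory=dict)  # rule id -> severity
    excluded_repos: dict = field(default_factory=dict)     # rule id -> set of repo names
    grace_days: int = 0                                    # new repos skipped for this long


def evaluate(repos, config, today):
    """Return (severity, rule, repo) tuples, critical first, then by rule and repo name."""
    violations = []
    for repo in repos:
        if (today - repo.created).days < config.grace_days:
            continue  # still inside the grace period for newly created repos
        for rule, (default_sev, compliant) in DEFAULT_RULES.items():
            if rule in config.disabled or repo.name in config.excluded_repos.get(rule, set()):
                continue
            if not compliant(repo):
                violations.append((config.severity_override.get(rule, default_sev), rule, repo.name))
    violations.sort(key=lambda v: (SEVERITY_RANK[v[0]], v[1], v[2]))
    return violations


def route_alerts(violations):
    """Critical -> immediate Slack notification, high -> weekly digest, medium -> tracked only."""
    channel = {"critical": "slack", "high": "digest", "medium": "tracked"}
    routed = {"slack": [], "digest": [], "tracked": []}
    for v in violations:
        routed[channel[v[0]]].append(v)
    return routed


def demo():
    """Constructed sample org: one drifting service, one brand-new repo, one docs repo."""
    today = date(2024, 6, 1)
    repos = [
        Repo("payments", date(2024, 1, 10), False, {"README.md", "LICENSE"}, 1500, 2, True, False),
        Repo("sandbox", date(2024, 5, 25), False, set(), 0, 0, False, False),  # 7 days old
        Repo("docs-site", date(2023, 3, 2), True, {"README.md", ".github/CODEOWNERS"}, 50, 1, True, True),
    ]
    config = RuleConfig(
        grace_days=14,                                  # sandbox is skipped entirely
        severity_override={"dependabot": "critical"},   # org treats missing Dependabot as critical
        excluded_repos={"license": {"docs-site"}},      # docs repo is exempt from the license rule
    )
    return evaluate(repos, config, today)


if __name__ == "__main__":
    for sev, rule, name in demo():
        print(f"{sev:8} {rule:18} {name}")
```

Running `demo()` surfaces the two critical findings on `payments` first (missing branch protection and, because of the override, missing Dependabot), then its missing CODEOWNERS file as high, and finally the thin README on `docs-site` as medium; the excluded license rule and the repo still in its grace period produce nothing.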

Auto-Fix Capability

Many rules support automatic remediation. When a violation is detected, Specmark can offer a one-click fix that either:

  • Applies a settings change directly via the GitHub API (e.g., enabling branch protection or secret scanning)
  • Opens a pull request with the necessary file additions (e.g., adding a CODEOWNERS file or dependabot.yml)

Auto-fix actions require the appropriate write permissions granted during GitHub App installation. Admins can disable auto-fix on a per-rule basis from the Rules page.
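As an added example (not Specmark's code), the dry-run planner below maps a violation to one of the two remediation modes just described: a settings change expressed as a GitHub REST call, or the file content for a pull request. Each action is gated on the permissions granted at App installation. The endpoint paths and request bodies are the public GitHub REST API shapes for branch protection and repository security settings; the permission scope names, the rule ids and the CODEOWNERS and dependabot.yml templates are assumptions made here.

```python
# Assumed GitHub App permission scopes needed for each remediation mode.
SETTINGS_PERMISSION = "administration:write"
PR_PERMISSIONS = {"contents:write", "pull_requests:write"}

# Placeholder file contents for the PR-based fixes (assumed templates).
CODEOWNERS_TEMPLATE = (
    "# Placeholder owners added by auto-fix; replace with real owners before merging\n"
    "* @{org}/maintainers\n"
)
DEPENDABOT_TEMPLATE = """version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
"""


def plan_fix(rule, owner, repo, granted, default_branch="main"):
    """Return the single action that fixes `rule`, None if the rule has no auto-fix,
    or raise PermissionError when the installed App lacks the permission for it."""
    base = f"/repos/{owner}/{repo}"
    if rule == "branch-protection":
        # Settings change via the API: require one approving review, block force pushes.
        action = {
            "kind": "api", "method": "PUT",
            "path": f"{base}/branches/{default_branch}/protection",
            "body": {
                "required_pull_request_reviews": {"required_approving_review_count": 1},
                "enforce_admins": True,
                "required_status_checks": None,
                "restrictions": None,
                "allow_force_pushes": False,
            },
        }
    elif rule == "secret-scanning":
        # Settings change via the API: turn on secret scanning for the repository.
        action = {
            "kind": "api", "method": "PATCH", "path": base,
            "body": {"security_and_analysis": {"secret_scanning": {"status": "enabled"}}},
        }
    elif rule == "codeowners":
        # File addition via a pull request.
        action = {"kind": "pr", "path": ".github/CODEOWNERS",
                  "content": CODEOWNERS_TEMPLATE.format(org=owner)}
    elif rule == "dependabot":
        # File addition via a pull request.
        action = {"kind": "pr", "path": ".github/dependabot.yml", "content": DEPENDABOT_TEMPLATE}
    else:
        return None  # e.g. readme or license: no one-click fix in this planner

    needed = {SETTINGS_PERMISSION} if action["kind"] == "api" else PR_PERMISSIONS
    missing = needed - set(granted)
    if missing:
        raise PermissionError(f"{rule}: App installation lacks {sorted(missing)}")
    return action


if __name__ == "__main__":
    granted = {"administration:write", "contents:write", "pull_requests:write"}
    for rule in ("branch-protection", "secret-scanning", "codeowners", "dependabot", "readme"):
        print(rule, "->", plan_fix(rule, "acme", "payments", granted))
```

The planner only builds the request or file; sending it is left to whatever HTTP client the caller uses. Keeping the permission check ahead of any network call is the point: an App installed with read-only scopes fails closed with a clear error instead of a half-applied fix.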

Future: Rules as Code

We are building support for a .specmark.yml file that can be committed to a repository to define rules as code. This will allow teams to:

  • Version-control their engineering standards alongside their code
  • Define custom checks beyond the built-in rule set
  • Override org-level rules for specific repositories
  • Use PR review workflows to approve rule changes

The rules-as-code feature is currently in development. If you would like early access, email [email protected].

Need help?

Open an issue on GitHub or email [email protected].
