Getting Started
Stronghold Governor is a GitHub Bot that automates engineering standards enforcement across your organization. It validates pull requests, configures new repositories according to organization policies, monitors Dependabot security alerts, and notifies maintainers of critical events—all without manual intervention.
Governor automatically validates pull requests against configurable engineering standards:
- Title Validation - Enforces pull request title format requirements (conventional commits or custom patterns)
- Commit Count Validation - Ensures pull requests don't exceed maximum commit limits
- Commit Message Validation - Validates commit messages follow conventional commits or custom patterns
- Commit Type Limits - Enforces limits on specific commit types (e.g., max number of feature commits)
- Identical Message Detection - Prevents pull requests with duplicate commit messages
- Commit Source Validation - Validates commit author email domains and sources
- Lock File Validation - Ensures package manager lock files exist when dependency files are present (supports Go, Rust, JavaScript, Ruby, PHP, and Swift)
- Forbidden Content Validation - Blocks pull requests that introduce files matching configurable regex patterns (e.g., private keys, certificates, node_modules)
When validation passes, Governor leaves a comment on the pull request and provides peer review guidance. When validation fails, Governor closes the pull request with detailed feedback.
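Two of the checks above, lock-file presence and forbidden-content matching, are easy to reason about as a function over a pull request's file list. The following is an added illustration of how such a check can be structured, not Governor's own code: the manifest-to-lock-file mapping and the forbidden patterns are assumptions constructed for this example, and Governor's real configuration format and mapping are not documented on this page.

```python
import re

# Assumed manifest -> acceptable lock files, one entry per ecosystem the page lists.
# Constructed for this example; Governor's own mapping may differ.
LOCK_FILES = {
    "go.mod": ("go.sum",),
    "Cargo.toml": ("Cargo.lock",),
    "package.json": ("package-lock.json", "yarn.lock", "pnpm-lock.yaml"),
    "Gemfile": ("Gemfile.lock",),
    "composer.json": ("composer.lock",),
    "Package.swift": ("Package.resolved",),
}

# Constructed forbidden-content patterns of the kind a policy would supply:
# vendored node_modules, private key material, SSH identities.
FORBIDDEN_PATTERNS = [
    r"(^|/)node_modules/",
    r"\.(pem|key|p12|pfx)$",
    r"(^|/)id_(rsa|ed25519)$",
]


def missing_lock_files(repo_files):
    """Return (manifest, expected lock files) for every manifest in the tree
    that has no lock file beside it in the same directory."""
    present = set(repo_files)
    missing = []
    for path in sorted(present):
        directory, _, name = path.rpartition("/")
        if name not in LOCK_FILES:
            continue
        candidates = [f"{directory}/{lock}" if directory else lock for lock in LOCK_FILES[name]]
        if not any(c in present for c in candidates):
            missing.append((path, candidates))
    return missing


def forbidden_files(added_files, patterns=FORBIDDEN_PATTERNS):
    """Return the added paths that match any configured forbidden pattern."""
    compiled = [re.compile(p) for p in patterns]
    return [f for f in added_files if any(c.search(f) for c in compiled)]


def validate_pull_request(repo_files, added_files):
    """Aggregate findings into the failure messages a bot would post; empty means pass."""
    problems = []
    for manifest, expected in missing_lock_files(repo_files):
        problems.append(f"{manifest} has no lock file (expected one of: {', '.join(expected)})")
    for path in forbidden_files(added_files):
        problems.append(f"forbidden file added: {path}")
    return problems
```

`repo_files` is the full tree after the pull request is applied (so a lock file already in the base branch counts), while `added_files` is only what the pull request introduces, matching the page's description of forbidden-content validation.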
Governor automatically configures new repositories according to organization policies:
- Privacy Settings - Enforces private repository settings
- Merge Strategy - Disables merge commits to maintain clean commit history
- Branch Management - Enables automatic deletion of head branches on merge
- Forking Control - Disables repository forking
- Repository Rulesets - Automatically applies GitHub repository rulesets
- Repository Naming - Validates repository names against organization naming conventions
- Dependabot Configuration - Enables and configures Dependabot alerts and security updates
Governor monitors Dependabot security alerts and notifies maintainers when vulnerabilities are detected:
- Severity-Based Notifications - Filters alerts by configurable severity levels (critical, high, medium, low)
- Maintainer Notifications - Sends email alerts to organization and repository maintainers
- Alert Tracking - Monitors new, reopened, and reintroduced vulnerabilities
Governor sends email notifications via AWS SES to organization maintainers for:
- Repository Creation - Notifies when new repositories are created
- Security Alerts - Dependabot vulnerability notifications
- Configuration Errors - Alerts maintainers when Governor encounters issues
While Governor can look after multiple GitHub organizations, GitHub has some limitations that prevent a simple single deployment. The workaround is to deploy a separate bot instance for each organization.
To deploy Governor, follow the steps below: