The .mergewatch.yml file controls how MergeWatch reviews pull requests in a repository. Place it at the root of your repository’s default branch (usually main).

Configuration priority

MergeWatch resolves configuration in the following order. Each layer overrides the one before it:
1. Built-in defaults
   Hardcoded in the MergeWatch Lambda. These apply when no other configuration is present.

2. Installation-level settings (DynamoDB)
   Set via the dashboard. Apply to all repositories in the installation.

3. Per-repo .mergewatch.yml
   Checked into the repository. Overrides both built-in defaults and installation-level settings.

A .mergewatch.yml in the repository always wins. If you set max_files: 100 in the dashboard but max_files: 20 in the YAML file, the repo uses 20.
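
The priority order above, sketched as an added Python example (not MergeWatch's own code) that also records which layer supplied each effective value, so a weakened setting can be traced to the dashboard or to the repository file. The layer contents are constructed samples, and key-by-key merging of rules and per-name merging of agents are assumptions.

```python
# Added illustration of the three-layer priority; not MergeWatch source code.
# Built-in values are the defaults listed in this page's property reference.
BUILTIN = {
    "min_severity": "info",
    "max_findings": 25,
    "comment_style": "inline",
    "rules": {"max_files": 50, "auto_review": True, "review_on_mention": True},
    "agents": [{"name": n, "enabled": True}
               for n in ("security", "logic", "style", "summary")],
}


def resolve(*layers):
    """Merge (label, settings) layers in order; later layers win.

    Returns (effective, origin), where origin maps each dotted setting
    to the label of the layer that supplied its final value.
    """
    effective, origin = {"rules": {}, "agents": {}}, {}
    for label, settings in layers:
        for key, value in settings.items():
            if key == "rules":      # assumption: rules merge key by key
                for rkey, rvalue in value.items():
                    effective["rules"][rkey] = rvalue
                    origin[f"rules.{rkey}"] = label
            elif key == "agents":   # assumption: agents are matched by name
                for agent in value:
                    merged = effective["agents"].setdefault(agent["name"], {})
                    for akey, avalue in agent.items():
                        if akey != "name":
                            merged[akey] = avalue
                            origin[f"agents.{agent['name']}.{akey}"] = label
            else:
                effective[key] = value
                origin[key] = label
    return effective, origin


# Constructed samples; which settings the dashboard exposes is an assumption.
DASHBOARD = {"min_severity": "warning", "rules": {"max_files": 100}}
REPO_YAML = {"version": 1, "rules": {"max_files": 20},
             "agents": [{"name": "style", "enabled": False}]}

effective, origin = resolve(("built-in", BUILTIN),
                            ("installation", DASHBOARD),
                            ("repo", REPO_YAML))
```
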

Validation

MergeWatch validates the .mergewatch.yml file on the first webhook it receives for the repository. If the file contains errors — invalid YAML, unknown properties, or type mismatches — MergeWatch posts the validation errors as a comment on the pull request so they are immediately visible to the author.

Full annotated example

.mergewatch.yml
```yaml
version: 1

# Model used for all agents. Must be a valid Bedrock model ID.
model: anthropic.claude-sonnet-4-20250514

# Agent configuration — enable, disable, or customize each agent.
agents:
  - name: security
    enabled: true
    prompt: "Flag OWASP Top 10 issues, hardcoded secrets, and unsafe deserialization."

  - name: logic
    enabled: true
    prompt: "Find logic bugs, off-by-one errors, and race conditions."

  - name: style
    enabled: true
    prompt: "Enforce project conventions. Be concise."

  - name: tests
    enabled: false
    prompt: "Suggest missing unit tests for new public functions."

# Review rules — control scope and trigger behavior.
rules:
  max_files: 50
  ignore_patterns:
    - "*.lock"
    - "vendor/**"
    - "dist/**"
  auto_review: true
  review_on_mention: true

# How findings are posted: "inline" or "summary".
comment_style: inline
```

Property reference

Top-level properties

| Property | Type | Default | Description |
|---|---|---|---|
| version | number | 1 | Schema version. Currently only 1 is supported. |
| model | string | us.anthropic.claude-sonnet-4-20250514-v1:0 | Bedrock model ID used for all agents. Any model available in your Bedrock account can be specified. |
| light_model | string | us.anthropic.claude-haiku-4-5-20251001-v1:0 | Lighter model used for low-complexity tasks such as summary generation. |
| max_tokens_per_agent | number | 4096 | Maximum output tokens per agent invocation. Increase for large PRs; decrease to reduce cost. |
| comment_style | string | inline | How findings are posted. inline posts review comments on specific lines. summary posts a single top-level comment. |
| min_severity | string | info | Minimum severity level to report. One of info, warning, error, critical. Findings below this threshold are suppressed. |
| max_findings | number | 25 | Maximum number of findings posted per review. Prevents noisy reviews on large PRs. |
| post_summary_on_clean | boolean | true | When true, MergeWatch posts a summary comment even when no findings are detected. Set to false to stay silent on clean PRs. |
| agents | Agent[] | See Agents | List of agent configurations. |
| rules | object | See Rules | Review scope and trigger rules. |

Agents

Each entry in the agents array configures one review agent. MergeWatch ships with four built-in agents.

| Property | Type | Default | Description |
|---|---|---|---|
| name | string | | Agent identifier. Built-in agents: security, logic (also called bugs), style, summary. |
| enabled | boolean | true | Set to false to disable the agent entirely. |
| prompt | string | Built-in prompt | Custom system prompt for the agent. Overrides the default prompt. Use this to tailor the agent to your project’s conventions. |

You do not need to list all agents. Omitted agents use their built-in defaults with enabled: true. To disable a single agent, include only that agent with enabled: false.
Default agent states:

| Agent | Default enabled | Purpose |
|---|---|---|
| security | true | OWASP Top 10, secrets detection, injection flaws, unsafe deserialization |
| logic / bugs | true | Logic errors, off-by-one, null dereferences, race conditions |
| style | true | Code style, naming conventions, project-specific patterns |
| summary | true | High-level PR summary with risk rating |

Rules

The rules object controls which files are reviewed and when reviews are triggered.

| Property | Type | Default | Description |
|---|---|---|---|
| max_files | number | 50 | Maximum number of changed files to review. PRs exceeding this limit are skipped with a comment explaining why. |
| ignore_patterns | string[] | ["*.lock", "package-lock.json", "yarn.lock", "pnpm-lock.yaml", "dist/**", "node_modules/**"] | Glob patterns for files to exclude from review. Matched against the file path relative to the repo root. |
| auto_review | boolean | true | When true, MergeWatch reviews every PR automatically on open and synchronize events. |
| review_on_mention | boolean | true | When true, MergeWatch runs a review when mentioned in a PR comment (e.g., @mergewatch review). Works even if auto_review is false. |
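
A local check for the properties in the reference tables above, written as an added example rather than MergeWatch's own validator, so the unknown properties and type mismatches named in the Validation section can be caught before a config change is merged. It takes the already-parsed YAML mapping; treating number as integer and version as required are assumptions, and SAMPLE is a constructed input.

```python
# Added example, not MergeWatch's validator. Schema copied from this page's tables.
TOP_LEVEL = {
    "version": int, "model": str, "light_model": str, "max_tokens_per_agent": int,
    "comment_style": str, "min_severity": str, "max_findings": int,
    "post_summary_on_clean": bool, "agents": list, "rules": dict,
}
AGENT = {"name": str, "enabled": bool, "prompt": str}
RULES = {"max_files": int, "ignore_patterns": list,
         "auto_review": bool, "review_on_mention": bool}
ENUMS = {"comment_style": {"inline", "summary"},
         "min_severity": {"info", "warning", "error", "critical"}}


def _check(obj, schema, where, errors):
    """Report unknown properties, type mismatches and bad enum values."""
    for key, value in obj.items():
        expected = schema.get(key)
        if expected is None:
            errors.append(f"{where}{key}: unknown property")
        # bool is a subclass of int in Python, so reject it for numbers
        elif not isinstance(value, expected) or (
                expected is int and isinstance(value, bool)):
            errors.append(f"{where}{key}: expected {expected.__name__}")
        elif key in ENUMS and value not in ENUMS[key]:
            errors.append(f"{where}{key}: must be one of {sorted(ENUMS[key])}")


def validate(config):
    """Return error strings for a parsed .mergewatch.yml; empty means valid."""
    if not isinstance(config, dict):
        return ["top level: expected a mapping"]
    errors = []
    _check(config, TOP_LEVEL, "", errors)
    if config.get("version") != 1:   # assumption: version is required
        errors.append("version: must be 1")
    agents = config.get("agents")
    for i, agent in enumerate(agents if isinstance(agents, list) else []):
        if not isinstance(agent, dict) or "name" not in agent:
            errors.append(f"agents[{i}]: expected a mapping with a name")
        else:
            _check(agent, AGENT, f"agents[{i}].", errors)
    if isinstance(config.get("rules"), dict):
        _check(config["rules"], RULES, "rules.", errors)
    return errors


# Constructed input: bad enum value, quoted boolean, misspelled rule name.
SAMPLE = {"version": 1, "min_severity": "high", "rules": {"max_file": 20},
          "agents": [{"name": "security", "enabled": "false"}]}
```

In SAMPLE, the quoted "false" is a string rather than a boolean, and the misspelled max_file is not a known rule, so neither would mean what the author intended.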

Minimal configuration

If the defaults work for you, the smallest valid configuration is:
.mergewatch.yml
```yaml
version: 1
```
This enables all four agents with their default prompts, uses Claude Sonnet via Bedrock, and reviews PRs automatically.

Common patterns

.mergewatch.yml
```yaml
version: 1
agents:
  - name: style
    enabled: false
```
All other agents remain enabled with their defaults.

.mergewatch.yml
```yaml
version: 1
model: anthropic.claude-sonnet-4-20250514
max_tokens_per_agent: 2048
max_findings: 10
min_severity: warning
```
Reduces output tokens, limits findings, and suppresses informational-level comments.

.mergewatch.yml
```yaml
version: 1
rules:
  auto_review: false
  review_on_mention: true
```
MergeWatch stays silent until someone comments @mergewatch review on the PR.

.mergewatch.yml
```yaml
version: 1
rules:
  ignore_patterns:
    - "*.lock"
    - "vendor/**"
    - "dist/**"
    - "generated/**"
    - "*.pb.go"
    - "*.gen.ts"
```

.mergewatch.yml
```yaml
version: 1
agents:
  - name: security
    enabled: true
    prompt: "Focus on SQL injection and XSS. This is a Django project using raw queries in legacy modules."
  - name: style
    enabled: true
    prompt: "Enforce PEP 8. Flag any use of print() — use logging instead."
```

Where the file lives

The .mergewatch.yml file must be placed at the root of the repository’s default branch (the branch GitHub shows when you visit the repo — usually main or master). MergeWatch reads the file from the default branch, not from the PR’s head branch. This means configuration changes in a PR do not take effect until they are merged.
If you rename your default branch, MergeWatch automatically detects the new default on the next webhook. No action is required.