Skip to main content
Code Review Risk Assessment adds a risk signal to Unblocked’s automated pull request reviews. You define the kinds of changes your team considers risky, and Unblocked scores each PR against those policies. Teams can use that score to approve routine changes faster while keeping human reviewers focused on work that needs closer judgment.

How it works

Risk assessment runs after Unblocked completes a pull request review without finding any issues. At that point, Unblocked reads the risk policy file from your repository’s default branch and checks the PR changes against each policy. It then adds a report with a risk score — lowest, low, medium, high, or highest — and an explanation for the score. Unblocked uses the policy from the default branch, not policy changes proposed in the PR. This keeps the risk score tied to the rules your team has already accepted. If the risk score is low or lowest, Unblocked approves the pull request. For higher-risk changes, Unblocked posts the report without approval so reviewers can see what needs attention.

Setup

Risk assessment is enabled per repository. To turn it on for a repository, add a policy file that describes which kinds of changes your team considers risky.
1

Create a risk policy file

Create a risk policy file in the root of your Git repository.
.unblocked/risk-policies.yaml
2

Populate the policy file

Add repository context and policies using the examples and schema below.
3

Commit the policy file

Commit and push the file to the default branch.

Sample policies

Start with a small set of policies that cover the changes your team wants to treat with extra care. Write each policy so it can be evaluated on its own, without relying on another policy or an external definition. If you need to add general guidance or background information, add it to the optional context section. 
# .unblocked/risk-policies.yaml

context: >
  This repository includes customer authentication and billing code.
  Changes to either area should be reviewed carefully.

policies:
  - policy: Authentication changes
    risk: highest
    criteria: >
      The PR changes sign-in, session management, permissions,
      or authentication tokens.

  - policy: Database changes
    risk: high
    criteria: >
      The PR changes database schema, migrations, ORM models,
      or destructive data operations.

  - policy: Dependency updates
    risk: medium
    criteria: >
      The PR updates runtime dependencies, lockfiles, build plugins,
      or generated clients.

Schema

The policy file is YAML. It can include optional repository context and one or more independent policies. Each policy names a kind of change and the risk Unblocked should assign when it matches. 
title: Unblocked Risk Policies
type: object
required:
  - policies
additionalProperties: false
properties:
  context:
    description: >
      Optional repository background for interpreting policies.
      Use this for stable domain context, key systems,
      ownership boundaries, or terminology.
    type: string
    minLength: 2
    maxLength: 4000
  policies:
    description: >
      Risk policies evaluated against a pull request.
      Each policy is evaluated independently. When multiple
      policies match, Unblocked uses the highest risk.
    type: array
    minItems: 1
    items:
      type: object
      required:
        - policy
        - risk
        - criteria
      additionalProperties: false
      properties:
        policy:
          description: >
            Short, human-readable name for this policy.
            This is shown in review output.
          type: string
          minLength: 2
          maxLength: 80
        risk:
          description: >
            Risk level assigned when this policy matches.
            When multiple policies match, Unblocked uses the
            highest risk.
          type: string
          enum:
            - lowest
            - low
            - medium
            - high
            - highest
        criteria:
          description: >
            Self-contained condition for when this policy applies.
            Describe only the PR changes that should trigger it.
          type: string
          minLength: 2
          maxLength: 2000