CODEOWNERS Coverage Card

Find the paths no rule owns before a branch-protection or compliance review, all in your browser

Coverage runs entirely in your browser. The CODEOWNERS file, owner handles, and paths are not uploaded, logged, or stored. This flags paths that no rule owns before a branch-protection or compliance review; it is a review aid, not a guarantee that a path reported as covered is owned by the right team.

Paste your CODEOWNERS file and file list above, then select Check coverage to see which paths no rule owns, with critical auth, payment, secrets, and infra paths flagged first.

About the CODEOWNERS coverage card

The CODEOWNERS coverage card turns a pasted CODEOWNERS file and a list of repository paths into a short report of which paths no rule owns. It applies CODEOWNERS last-match-wins ownership: for each path it finds the last rule whose pattern matches and reads the owner from that rule. A path that no rule matches, or that is matched only by a rule with no owner, is reported as uncovered. Uncovered paths that look like auth, payment, secrets, infrastructure, or security code are flagged as critical and listed first, so a reviewer can see the riskiest gaps before turning on branch protection or starting a compliance review.

Paste your CODEOWNERS file and a file list (one path per line, for example the output of git ls-files), then select Check coverage. A sample CODEOWNERS file and file tree are loaded so you can see uncovered auth and payment paths right away. Everything runs in your browser. The CODEOWNERS contents, owner handles, and repository paths are never uploaded or stored. Download a coverage CSV for the full report or copy a markdown review card to paste into a pull request or an audit ticket.

How to use

  1. Paste your CODEOWNERS file into the first box. A sample file is loaded so you can see how it works.
  2. Paste your repository file list into the second box, one path per line. The output of git ls-files works well.
  3. Select Check coverage to match every path against the CODEOWNERS rules using last-match-wins ownership.
  4. Read the summary and the uncovered-paths table. Critical auth, payment, secrets, and infra paths are listed first.
  5. Select Download coverage CSV for the full report, or Copy review card to paste a markdown summary into a pull request or audit ticket.

Worked examples

A payments path with no rule is flagged critical uncovered

When CODEOWNERS only owns /apps/web/ but the repo has apps/api/src/payments, that payment path matches no rule, so it is reported uncovered and flagged critical.

A file matched only by an unowned rule is uncovered

A rule such as /legacy/ with a pattern but no owner leaves files under legacy uncovered even though a rule matches them, because no owner is assigned.

A more specific later rule wins

When both /apps/ and /apps/web/ have owners, a path under apps/web is owned by the later, more specific rule, matching CODEOWNERS last-match-wins behavior.

Frequently asked questions

What does the CODEOWNERS coverage card check for?
It checks whether each path in your file list is owned by a CODEOWNERS rule. It parses the CODEOWNERS file into ordered rules, matches each path with a simplified gitignore-style matcher, and applies last-match-wins ownership. A path is reported uncovered when no rule matches it or when the only matching rule assigns no owner. Uncovered paths that look like auth, payment, secrets, infrastructure or CI, or security code are flagged as critical so the riskiest gaps are easy to spot.
How does it decide a path is critical?
It uses a keyword dictionary over the path. Paths containing tokens such as auth, login, session, or oauth are tagged auth; payment, billing, checkout, invoice, or stripe are tagged payment; secret, credential, or vault are tagged secrets; terraform, kubernetes, dockerfile, deploy, or workflows are tagged infra and CI; and security, crypto, or encrypt are tagged security. The keywords are matched at path-segment boundaries, so author does not trip the auth keyword. It is a heuristic, not a security classifier, so review the full list as well.
Does it understand every CODEOWNERS pattern?
First ship uses a simplified gitignore-style matcher: it supports rooted and floating patterns, directory patterns, single-segment wildcards, the double-star across directories, and the single-character wildcard, and it treats owning a directory as owning its contents. It does not yet handle negation, character classes, or escaped wildcards, and it does not connect to GitHub to read your real file tree. It is a review aid that surfaces likely gaps; pair it with a human review of the CODEOWNERS file.
Is my CODEOWNERS file or path list uploaded anywhere?
No. Parsing, matching, classification, and export all run in your browser. The CODEOWNERS contents, owner handles, and repository paths are never sent to a server or saved. Analytics records only coarse count bands, never the file contents, owners, or paths. Download the coverage CSV or copy the review card before you close the tab.
Can I keep a record of the review?
Yes. Download coverage CSV gives you a spreadsheet-ready file with one row per path, and any cell that could be read as a spreadsheet formula is escaped so the export is safe to open. Copy review card gives you a markdown summary, with critical uncovered paths first, that you can paste into a pull request, an audit ticket, or a branch-protection checklist.

Use this again tomorrow

Save this page so it's one tap away when you need a quick result.

Bookmark this tool

Ready for a quick Daily Challenge?

Play Daily Challenge on sts.games

Related tools

Try another quick utility while you are here.

Kubernetes RBAC Verb Matrix

Spot risky verbs in Role and ClusterRole YAML.

SQL Migration Risk Card

Flag destructive changes before you merge or deploy.

CSV Formula Injection Guard

Flag risky CSV cells and download a sanitized copy.