Agent Skills: CodeRabbit Enterprise RBAC

Uncategorized

ID: jeremylongshore/claude-code-plugins-plus-skills/coderabbit-enterprise-rbac

Install this agent skill to your local

pnpm dlx add-skill https://github.com/jeremylongshore/claude-code-plugins-plus-skills/tree/HEAD/plugins/saas-packs/coderabbit-pack/skills/coderabbit-enterprise-rbac

plugins/saas-packs/coderabbit-pack/skills/coderabbit-enterprise-rbac/SKILL.md

Skill Metadata

Name
coderabbit-enterprise-rbac
CodeRabbit Enterprise RBAC

Overview

Manage CodeRabbit AI code review access across an enterprise organization. CodeRabbit inherits repository permissions from your Git provider -- if a developer has write access to a repo and opens a PR, CodeRabbit reviews it. Enterprise controls focus on seat management, repository scoping, organization-level configuration, and review policy enforcement.

Prerequisites

  • CodeRabbit Pro or Enterprise plan
  • GitHub Organization admin or GitLab Group owner role
  • CodeRabbit GitHub App installed on the organization
  • Access to CodeRabbit dashboard at app.coderabbit.ai

Access Control Model

GitHub/GitLab Org Permissions
         │
         ▼
┌─────────────────────────┐
│ CodeRabbit GitHub App   │
│ Repository Access:      │
│  ├── All repositories   │ ← Reviews every PR in the org
│  └── Select repos only  │ ← Reviews only selected repos
└─────────┬───────────────┘
          │
          ▼
┌─────────────────────────┐
│ Seat Assignment         │
│  ├── Active committers  │ ← Auto-assigns seats to PR authors
│  └── Manual assignment  │ ← Admin picks who gets seats
└─────────┬───────────────┘
          │
          ▼
┌─────────────────────────┐
│ .coderabbit.yaml        │
│  ├── Org-level defaults │ ← .github repo
│  └── Repo-level overrides│ ← Per-repo customization
└─────────────────────────┘

Instructions

Step 1: Control Repository Access

# In GitHub > Organization > Settings > Installed Apps > CodeRabbit:

Option A: "All repositories" (org-wide)
- Every repo gets AI reviews automatically
- New repos are covered immediately
- Higher seat count (every PR author = seat)

Option B: "Only select repositories" (targeted)
- Choose which repos get AI reviews
- Lower seat count
- New repos must be manually added

# Recommended: Start with Option B (select repos)
# Add repos in tiers based on risk/value

Step 2: Configure Seat Management

# In CodeRabbit Dashboard > Organization > Subscription:

1. Seat Policy Options:
   - "Active committers" → Auto-assign to anyone who opens a PR
   - "Manual assignment" → Admin explicitly assigns seats

2. Exclude Bot Accounts:
   - dependabot[bot]
   - renovate[bot]
   - github-actions[bot]
   - Any CI service accounts

3. Monitor Seat Usage:
   - Active seats: developers who opened PRs in last 30 days
   - Idle seats: no PR activity in 30+ days → candidates for removal

# Billing: ~$15/seat/month (Pro), custom (Enterprise)
# Only PR authors consume seats, not reviewers or commenters
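
An added example (not part of the skill or of CodeRabbit's tooling) of the seat review in items 2 and 3: it takes PR author/date pairs, excludes bot and service accounts, and marks the remaining authors active or idle against a cutoff date. The sample logins, dates and the `ci-deploy` service account are constructed.

```shell
#!/bin/sh
# Added example: classify PR authors as excluded / active / idle seat holders.
# stdin: one line per PR, "<author login><TAB><created date YYYY-MM-DD>".
# With gh, such lines can be produced per repo by:
#   gh api "repos/ORG/REPO/pulls?state=all&per_page=100" \
#     --jq '.[] | [.user.login, .created_at[:10]] | @tsv'

# Constructed sample data; only the two bot names come from Step 2.
sample_prs() {
  printf '%s\t%s\n' \
    alice 2024-05-28  alice 2024-04-01  bob 2024-03-02  carol 2024-05-01 \
    'dependabot[bot]' 2024-05-30  'renovate[bot]' 2024-05-29  ci-deploy 2024-05-31
}

# $1 = cutoff date, 30 days back (GNU date: date -u -d '30 days ago' +%F)
# $2 = optional space-separated list of CI service account logins
classify_seats() {
  awk -F '\t' -v cutoff="$1" -v svc=" ${2:-} " '
    { if ($2 "" > last[$1] "") last[$1] = $2 }        # newest PR date per author
    END {
      for (u in last) {
        if (u ~ /\[bot\]$/ || index(svc, " " u " ")) s = "exclude"
        else if (last[u] "" >= cutoff "")             s = "active"
        else                                          s = "idle"
        print s "\t" u "\t" last[u]
      }
    }' | LC_ALL=C sort
}

sample_prs | classify_seats 2024-05-01 "ci-deploy"
```

Accounts reported as `exclude` belong on the seat exclusion list; `idle` authors are the removal candidates.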

Step 3: Set Organization-Level Defaults

# .github/.coderabbit.yaml (in the .github repo)
# Applied to ALL repos unless overridden by repo-level config

language: "en-US"
reviews:
  profile: "assertive"
  request_changes_workflow: false
  high_level_summary: true
  review_status: true
  poem: false
  sequence_diagrams: true

  auto_review:
    enabled: true
    drafts: false
    ignore_title_keywords:
      - "WIP"
      - "DO NOT MERGE"
      - "chore: bump"

  path_filters:
    - "!**/*.lock"
    - "!**/*.snap"
    - "!**/generated/**"
    - "!dist/**"
    - "!vendor/**"

  # Organization-wide coding standards
  path_instructions:
    - path: "**"
      instructions: |
        Org-wide rules:
        1. Flag hardcoded secrets, API keys, or credentials
        2. Check for proper error handling (no empty catch blocks)
        3. Verify input validation on API endpoints

chat:
  auto_reply: true

Step 4: Team-Specific Repository Overrides

# .coderabbit.yaml in a specific repo (overrides org defaults)
reviews:
  profile: "assertive"      # Can override org default
  request_changes_workflow: true   # This repo requires CR approval

  auto_review:
    enabled: true
    base_branches:
      - main                 # Only review PRs targeting main
    drafts: false

  path_instructions:
    - path: "src/auth/**"
      instructions: |
        SECURITY-CRITICAL path. Check for:
        - Auth bypass vulnerabilities
        - Injection attacks
        - Improper session handling
        - Token validation gaps
    - path: "src/payments/**"
      instructions: |
        PCI-SENSITIVE path. Check for:
        - Credit card data handling
        - Proper encryption usage
        - Audit logging of financial operations
    - path: "migrations/**"
      instructions: |
        Verify: backward compatibility, rollback safety,
        no data loss on down migration.
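
Because a repo-level file overrides the org defaults, it can also reduce coverage. The following added example (not part of the skill; a line-based heuristic, not a YAML parser) flags a repo-level `.coderabbit.yaml` that disables `auto_review` or adds a `path_filters` exclusion covering the protected paths from this step. The probe file names and the sample config are constructed.

```shell
#!/bin/sh
# Added example: heuristic lint for a repo-level .coderabbit.yaml.
# Assumes the two-space block style used on this page. Globs are matched as
# shell case patterns, where * also crosses "/", so the check may over-report.

# Protected directories come from Step 4; the file names are constructed probes.
PROBES="src/auth/login.ts src/payments/charge.ts"

# Constructed repo-level config that weakens the org defaults.
write_sample() {
  cat > "$1" <<'EOF'
reviews:
  auto_review:
    enabled: false
  path_filters:
    - "!**/*.lock"
    - "!src/auth/**"
EOF
}

# Print one finding per line for overrides that reduce review coverage.
weakening_overrides() {
  awk '
    /^[ ]*[A-Za-z_]+:[ ]*$/ { sec = $1; sub(/:$/, "", sec); next }  # key opening a block
    sec == "auto_review" && /^[ ]*enabled:[ ]*false/ { print "AUTO_REVIEW_DISABLED" }
    sec == "path_filters" && /^[ ]*-[ ]/ {
      pat = $0; sub(/^[ ]*-[ ]*/, "", pat); gsub(/["\047]/, "", pat)
      if (pat ~ /^!/) print "EXCLUDE " substr(pat, 2)   # "!" marks an exclusion
    }
  ' "$1" | while read -r kind pat; do
    if [ "$kind" = "AUTO_REVIEW_DISABLED" ]; then
      echo "auto_review disabled"
      continue
    fi
    for probe in $PROBES; do
      case "$probe" in
        $pat) echo "path_filters '!$pat' hides $probe" ;;
      esac
    done
  done
}

cfg=$(mktemp)
write_sample "$cfg"
weakening_overrides "$cfg"
rm -f "$cfg"
```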

Step 5: Audit Review Activity

#!/usr/bin/env bash
# Pass the organization name as the first argument; requires an authenticated gh CLI.
set -euo pipefail
ORG="${1:-your-org}"

echo "=== CodeRabbit Org-Wide Review Audit ==="
echo "Organization: $ORG"
echo ""

# GET /repos/{owner}/{repo}/installation only answers a GitHub App JWT, not the
# user token gh sends, so detect CodeRabbit by its bot reviews on recent PRs.
echo "--- Repos with CodeRabbit ---"
for REPO in $(gh repo list "$ORG" --limit 50 --json name --jq '.[].name'); do
  # Numbers of the last 5 closed PRs; treat an API error as "no PRs"
  PRS=$(gh api "repos/$ORG/$REPO/pulls?state=closed&per_page=5" --jq '.[].number' 2>/dev/null) || PRS=""
  REVIEWS=0
  for PR in $PRS; do
    # Count reviews on this PR submitted by the CodeRabbit bot account
    N=$(gh api "repos/$ORG/$REPO/pulls/$PR/reviews" \
      --jq '[.[] | select(.user.login=="coderabbitai[bot]")] | length' 2>/dev/null) || N=0
    REVIEWS=$((REVIEWS + ${N:-0}))
  done
  if [ "$REVIEWS" -gt 0 ]; then
    echo "  $REPO: $REVIEWS reviews (last 5 PRs)"
  fi
done

Step 6: Enterprise SSO and Compliance

# CodeRabbit Enterprise plan includes:

1. SSO Integration:
   - GitHub Enterprise Cloud SSO (SAML)
   - GitLab SAML SSO
   - Automatic seat provisioning via SCIM

2. Data Residency:
   - Code is processed and not stored (ephemeral analysis)
   - Review comments stored in your Git provider (GitHub/GitLab)
   - CodeRabbit learnings stored on CodeRabbit servers
   - SOC 2 Type II certified

3. Compliance Features:
   - Audit logs available in enterprise dashboard
   - Data processing agreement (DPA) available
   - Custom data retention policies
   - IP allowlisting for self-hosted GitLab

# Contact: enterprise@coderabbit.ai for custom plans

Output

  • Repository access scoped to appropriate repos
  • Seat management configured with bot exclusions
  • Organization-level defaults deployed
  • Team-specific review policies applied
  • Audit script for review activity monitoring

Error Handling

| Issue | Cause | Solution |
|-------|-------|----------|
| CodeRabbit not reviewing PRs | App not installed on repo | Add repo in GitHub App settings |
| Seat limit exceeded | Too many active committers | Remove inactive users or upgrade plan |
| Org config not applying | No .github repo in org | Create .github repo with .coderabbit.yaml |
| Repo config ignored | YAML syntax error | Validate YAML, check with @coderabbitai configuration |
| Bot consuming seats | Bot opens PRs | Exclude bot usernames in seat management |

Resources

Next Steps

For cost optimization, see coderabbit-cost-tuning.