Drift detection
Every PR is scanned. New AI vendor or new data field → blocking review.
Last updated May 6, 2026
Drift detection is the single feature most customers tell us they couldn't live without. It runs on every pull request and answers the question "would this PR invalidate any of my published documents?"
How it works
- A GitHub webhook subscribes to `pull_request.opened` and `pull_request.synchronize`.
- We run the scanner on the PR's merge ref.
- We diff the findings against `main`'s most recent scan.
- We post a check run on the PR with one of three states:
  - Pass. No relevant changes.
  - Soft warning. Changes exist but don't affect any published document.
  - Blocking review. Changes invalidate one or more published documents.
What counts as drift
| Change | Effect |
|---|---|
| New AI subprocessor added | Blocking review on AI Trust Center, DPA. |
| Existing AI subprocessor removed | Soft warning. |
| New OSS dependency outside license allowlist | Blocking review on OSS Attribution. |
| New personal-data field flowing into AI | Blocking review on AI Trust Center, Privacy Policy. |
| New environment variable named like an API key | Soft warning. |
| Lockfile-only change with same canonical detector matches | No effect. |
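
The table above written as a diff-and-classify routine. This is an added example, not Attestly's own code: the finding schema, the license allowlist, the key-name pattern and the choice to ignore changes the table does not list are all assumptions.

```python
import re
from dataclasses import dataclass, field

PASS, SOFT, BLOCK = "pass", "soft_warning", "blocking_review"
ALLOWLIST = {"MIT", "Apache-2.0", "BSD-3-Clause"}        # constructed allowlist
KEY_LIKE = re.compile(r"API_?KEY|SECRET|TOKEN", re.I)    # assumed naming heuristic

@dataclass(frozen=True)
class Finding:                     # hypothetical schema, not defined by the page
    kind: str                      # ai_subprocessor | oss_dependency | ai_personal_data | env_var
    name: str
    license: str = field(default="", compare=False)
    version: str = field(default="", compare=False)  # not part of a finding's identity

def rule(f, added):
    """Map one added or removed finding to (state, affected documents) per the table."""
    if f.kind == "ai_subprocessor":
        return (BLOCK, {"AI Trust Center", "DPA"}) if added else (SOFT, set())
    if added and f.kind == "oss_dependency" and f.license not in ALLOWLIST:
        return BLOCK, {"OSS Attribution"}
    if added and f.kind == "ai_personal_data":
        return BLOCK, {"AI Trust Center", "Privacy Policy"}
    if added and f.kind == "env_var" and KEY_LIKE.search(f.name):
        return SOFT, set()
    return PASS, set()             # assumption: changes outside the table have no effect

def classify(main_scan, pr_scan):
    """Diff the PR's findings against main's; return (check state, documents to review)."""
    main_set, pr_set = set(main_scan), set(pr_scan)
    results = [rule(f, True) for f in pr_set - main_set]
    results += [rule(f, False) for f in main_set - pr_set]
    states = {state for state, _ in results}
    docs = set().union(*(d for _, d in results))
    state = BLOCK if BLOCK in states else SOFT if SOFT in states else PASS
    return state, sorted(docs)

# Constructed sample scan of main, for illustration only.
MAIN = [Finding("ai_subprocessor", "vendor-a"),
        Finding("oss_dependency", "libfoo", "MIT", "1.0.0")]

if __name__ == "__main__":
    pr = MAIN + [Finding("ai_personal_data", "user.email")]
    print(classify(MAIN, pr))
```

Because `version` is excluded from a finding's identity, a lockfile-only version bump produces an empty diff and the check passes, matching the last row of the table.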
Reviewing in the dashboard
The PR check links back to a page in your dashboard that shows:
- The exact diff in findings.
- A side-by-side preview of what the document would look like before and after the merge.
- Approve / reject buttons.
Auto-merge integrations
Many teams use auto-merge bots like Mergify or GitHub's native auto-merge. Attestly's check is a regular GitHub check, so any branch protection rule that requires it before merge will block auto-merges that introduce unreviewed drift.