https://github.com/korext/ai-attestation
An open standard for tracking AI generated code in your repository. Detects Copilot, Cursor, Claude Code, and 8 more tools.
- Host: GitHub
- URL: https://github.com/korext/ai-attestation
- Owner: Korext
- License: apache-2.0
- Created: 2026-04-16T04:15:36.000Z (2 months ago)
- Default Branch: main
- Last Pushed: 2026-04-16T06:09:57.000Z (2 months ago)
- Last Synced: 2026-04-16T06:39:11.285Z (2 months ago)
- Topics: ai, attestation, claude-code, compliance, copilot, cursor, developer-tools, git-hook, governance, open-standard, transparency, yaml
- Language: JavaScript
- Homepage: https://oss.korext.com/ai-attestation
- Size: 35.2 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
- Code of conduct: CODE_OF_CONDUCT.md
README
# AI Attestation
> **An open standard for tracking AI generated code in your repository.**
AI Attestation is a machine readable YAML file placed in your repository root
that tracks which AI coding tools were used, how much code they generated,
and whether that code has been governance scanned.
## Why
Enterprises, open source maintainers, and compliance teams increasingly need
to answer:
- **How much of this codebase was written by AI?**
- **Which AI tools were used?**
- **Has the AI generated code been reviewed or scanned?**
AI Attestation provides a single, standardized file that answers all three.
## Quick Start
```bash
npx @korext/ai-attestation init
```
This will:
1. Scan your git history for AI tool signatures
2. Create `.ai-attestation.yaml` in your repo root
3. Install a post-commit hook to keep it updated
That's it. The file updates automatically on every commit.
## What It Detects
AI Attestation identifies tools through publicly observable signals:
| Method | Description | Reliability |
|--------|-------------|-------------|
| **Co-author trailer** | `Co-authored-by: Copilot ` | ✅ High |
| **Commit message pattern** | `Generated by Copilot`, `via Cursor` | ⚠️ Medium |
| **Metadata header** | `// @cursor-generated` | ⚠️ Medium |
| **Git config** | `copilot.enabled = true` | ℹ️ Low |
### Supported Tools
| Tool | Identifier | Detection |
|------|-----------|-----------|
| GitHub Copilot | `copilot` | Co-author, commit message, config |
| Cursor | `cursor` | Co-author, commit message |
| Claude Code | `claude-code` | Co-author, commit message |
| Windsurf | `windsurf` | Commit message, file header |
| Codeium | `codeium` | Commit message, file header |
| Aider | `aider` | Co-author, commit message |
| Devin | `devin` | Co-author, commit message |
| OpenHands | `openhands` | Co-author, commit message |
| Amazon Q Developer | `amazon-q` | Commit message, file header |
| OpenAI Codex CLI | `codex-cli` | Commit message, file header |
| Gemini Code Assist | `gemini-code-assist` | Commit message |
| JetBrains AI | `jetbrains-ai` | Commit message, file header |
| Sourcegraph Cody | `sourcegraph-cody` | Co-author, commit message |
| Tabnine | `tabnine` | Commit message, file header |
| Replit AI | `replit-ai` | Commit message, file header |
| Cline | `cline` | Co-author, commit message |
| Continue | `continue` | Commit message, config |
| GPT Engineer | `gpt-engineer` | Co-author, commit message |
| Bolt | `bolt` | Commit message, file header |
Missing a tool? [Add it](CONTRIBUTING.md)
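The two higher-reliability signals from the tables above, applied to commit messages and rolled up into aggregate counts like those the attestation file records. This is an added example, not code from the ai-attestation project: the regular expressions, the two-tool subset, the function names and the sample messages are assumptions constructed for illustration.

```javascript
// Added example, not the project's code. Patterns are limited to those the
// table quotes; TOOLS is a two-entry subset and all names are assumptions.
const TOOLS = { copilot: 'Copilot', cursor: 'Cursor' };

// Classify one commit message. Returns [{ identifier, method }].
function detectSignals(message) {
  const paragraphs = message.trim().split(/\n\s*\n/);
  // Git trailers sit in the last paragraph; a subject-only message has none.
  const last = paragraphs.length > 1 ? paragraphs[paragraphs.length - 1] : '';
  const coAuthors = last.split('\n')
    .map((line) => /^Co-authored-by:\s*(.*)$/i.exec(line.trim()))
    .filter(Boolean)
    .map((match) => match[1]);
  const hits = [];
  for (const [identifier, name] of Object.entries(TOOLS)) {
    const inTrailer = new RegExp(`\\b${name}\\b`, 'i');
    // Only the quoted phrasings count, so "Fix cursor position" is not a hit.
    const inMessage = new RegExp(`\\b(generated by|via)\\s+${name}\\b`, 'i');
    if (coAuthors.some((value) => inTrailer.test(value))) {
      hits.push({ identifier, method: 'co-author-trailer' });
    } else if (inMessage.test(message)) {
      hits.push({ identifier, method: 'commit-message-pattern' });
    }
  }
  return hits;
}

// Roll per-commit signals up into aggregate counts like those in the file.
function summarize(messages) {
  const perTool = {};
  const methods = new Set();
  let assisted = 0;
  for (const message of messages) {
    const hits = detectSignals(message);
    if (hits.length > 0) assisted += 1;
    for (const { identifier, method } of hits) {
      perTool[identifier] = (perTool[identifier] || 0) + 1;
      methods.add(method);
    }
  }
  const percentage = Math.round((assisted / (messages.length || 1)) * 1000) / 10;
  return { assisted_commits: assisted, percentage, perTool, methods: [...methods].sort() };
}

// Constructed sample commit messages.
const SAMPLE = [
  'Add retry logic\n\nCo-authored-by: Copilot <copilot@example.invalid>',
  'Refactor parser\n\nGenerated by Copilot, reviewed by hand',
  'Tidy imports via Cursor',
  'Fix cursor position bug in editor',
  'Update docs\n\nCo-authored-by: Alice <alice@example.invalid>',
];
```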
## The File
```yaml
# AI Attestation
# https://oss.korext.com/ai-attestation
schema: https://oss.korext.com/ai-attestation/schema
version: "1.0"
repo:
  owner: acme
  name: payments-service
  url: https://github.com/acme/payments-service
generated: "2026-04-15T12:00:00Z"
range:
  from: "2025-01-01T00:00:00Z"
  to: "2026-04-15T12:00:00Z"
  commits: 1247
ai:
  assisted_commits: 438
  percentage: 35.1
  tools:
    - name: GitHub Copilot
      identifier: copilot
      first_seen: "2025-09-01"
      last_seen: "2026-04-15"
      commit_count: 312
    - name: Cursor
      identifier: cursor
      first_seen: "2026-01-15"
      last_seen: "2026-04-14"
      commit_count: 89
  detection_methods:
    - co-author-trailer
    - commit-message-pattern
```
See more examples in [`examples/`](examples/).
## CLI Commands
```bash
# Initialize (scan + create file + install hook)
ai-attestation init
# Re-scan and update
ai-attestation scan
# Print attestation summary
ai-attestation report
# Generate badge markdown
ai-attestation badge
# Manage git hooks
ai-attestation hook install
ai-attestation hook remove
ai-attestation hook install --type pre-commit
```
## GitHub Action
Enforce AI code policies in CI:
```yaml
# .github/workflows/ai-attestation.yml
name: AI Attestation
on: [push, pull_request]
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: korext/ai-attestation@v1
        with:
          minimum-governance-score: 80
          block-unscanned: true
          mandatory-packs: security
```
### Action Inputs
| Input | Default | Description |
|-------|---------|-------------|
| `fail-on-missing` | `true` | Fail if `.ai-attestation.yaml` is missing |
| `minimum-governance-score` | | Minimum score to pass (0-100) |
| `block-unscanned` | | Block AI code without governance scan |
| `require-review` | | Require human review for AI code |
| `mandatory-packs` | | Comma-separated required governance packs |
| `attestation-path` | `.ai-attestation.yaml` | Path to attestation file |
### Action Outputs
| Output | Description |
|--------|-------------|
| `result` | `PASS`, `WARN`, or `FAIL` |
| `ai-percentage` | Percentage of AI assisted commits |
| `governance-score` | Current governance score |
| `tools-detected` | Comma separated list of tools |
| `summary` | Human readable summary |
## Governance
The `governance` section is designed to be populated by any governance engine.
When configured, a governance engine reads the attestation file, scans the
AI generated code, and writes its results back:
```yaml
governance:
  engine: KOREXT
  last_scan: "2026-04-15T10:00:00Z"
  result: PASS
  score: 94
  packs:
    - security
    - modernization
  findings:
    critical: 0
    high: 1
    medium: 3
    low: 7
```
The governance section is engine-agnostic. Any tool can populate it.
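How a CI gate could combine the Action inputs with the `governance` section, failing closed when the section or its score is absent. This is an added example, not the Action's own code: the evaluation rules are assumptions inferred from the input descriptions, `evaluatePolicy` is a hypothetical name, and `require-review` is not modelled because the page shows no review field.

```javascript
// Added example: the Action's real rules are not on the page; the semantics
// here are assumptions inferred from the input descriptions in the table.
function evaluatePolicy(attestation, inputs) {
  if (!attestation) {
    // Assumed: with fail-on-missing disabled, a missing file only warns.
    const result = inputs['fail-on-missing'] === false ? 'WARN' : 'FAIL';
    return { result, failures: ['attestation file missing'] };
  }
  const failures = [];
  const ai = attestation.ai || {};
  const gov = attestation.governance || null;

  if (inputs['block-unscanned'] && ai.assisted_commits > 0 && !(gov && gov.last_scan)) {
    failures.push('AI assisted commits present but no governance scan recorded');
  }
  const min = inputs['minimum-governance-score'];
  if (min !== undefined) {
    // Fail closed: an absent or non-numeric score never satisfies a minimum.
    const score = gov && typeof gov.score === 'number' ? gov.score : NaN;
    if (!(score >= min)) failures.push(`governance score below minimum ${min}`);
  }
  const required = String(inputs['mandatory-packs'] || '')
    .split(',').map((pack) => pack.trim()).filter(Boolean);
  const ran = new Set((gov && gov.packs) || []);
  for (const pack of required) {
    if (!ran.has(pack)) failures.push(`mandatory pack not run: ${pack}`);
  }
  return { result: failures.length ? 'FAIL' : 'PASS', failures };
}

// Constructed inputs; values are copied from the YAML fragments on this page.
const WORKFLOW_INPUTS = {
  'minimum-governance-score': 80,
  'block-unscanned': true,
  'mandatory-packs': 'security',
};
const SCANNED = {
  ai: { assisted_commits: 438, percentage: 35.1 },
  governance: { last_scan: '2026-04-15T10:00:00Z', score: 94, packs: ['security', 'modernization'] },
};
const UNSCANNED = { ai: SCANNED.ai }; // same counts, governance section absent
```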
## Privacy
AI Attestation processes **git metadata only**:
- Commit messages
- Author names and emails
- Commit dates
It **never** reads source code. All processing happens locally. No network
calls. No telemetry. The output file contains only aggregate counts.
## Specification
The full specification is available at [SPEC.md](SPEC.md).
The JSON Schema is available at [schema.json](schema.json).
Both are released under [CC0 1.0 Universal](LICENSE-SCHEMA) (public domain).
## Badge
Add a badge to your README after running `ai-attestation init`:
```bash
ai-attestation badge
```
This outputs markdown you can paste into your README:
```markdown
[](https://oss.korext.com/report/owner/repo)
```
## Contributing
See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines on adding new tools,
reporting false positives, and proposing spec changes.
## License
- **Code** (CLI, action, tools): [Apache License 2.0](LICENSE)
- **Specification & Schema**: [CC0 1.0 Universal](LICENSE-SCHEMA) (public domain)
## Related Projects
| Project | Description |
|---------|-------------|
| [AI License Notice](https://github.com/korext/ai-license) | Declare AI provenance in open source projects |
| [Supply Chain Attestation](https://github.com/korext/supply-chain-attestation) | AI provenance across your dependency tree |
| [AI Incident Registry](https://github.com/korext/ai-incident-registry) | Public registry for AI code failures |
---
Built by [Korext](https://korext.com) | [oss.korext.com/ai-attestation](https://oss.korext.com/ai-attestation)