Ways to run it — most install nothing
One engine underneath: identical scans, identical numbers. Only the wrapper changes. The first four below put nothing on anyone's machine.
GitHub Action
Drop it into a workflow and every pull request is measured and scanned automatically. Posts a comment and can block a merge.
On-demand / scheduled
The same Action run from a manual button or on a nightly schedule — a one-off scan or a trend run, with no pull-request coupling.
Docker container
Pull one image and run it anywhere Docker runs — local, CI, or a locked-down corporate runner. No tool to install.
Codespaces
Open a Codespace and CodeDelta is ready in the terminal — try it on your own repo from a browser tab, on your own GitHub account.
Headless CLI
For teams that can install: one command from the downloaded bundle on macOS, Windows or Linux. Writes HTML, CSV and JSON.
Any other CI
The engine is just a binary. Fetch the public bundle in any pipeline or self-hosted runner and run it — the Action is a GitHub convenience, not a requirement.
The GitHub Action — measured on every PR
The headline path: once it's in a team's CI, every pull request is measured — no one has to remember to run anything. Two steps to set up, then it's invisible. New to GitHub Actions? Follow the step-by-step quickstart →
Add the workflow file
Drop ~12 lines into .github/workflows/codedelta.yml. It references the published Action by tag.
Open a pull request
That's it — free and fully unlocked during the beta (to 31 July 2026), no license, no secrets. To run past the beta or bring your own license sooner, add a CODEDELTA_LICENSE secret; it overrides the beta license automatically.
When a developer opens a pull request, GitHub spins up a throwaway Linux machine, downloads the
CodeDelta engine, runs the scan against the changed code, and reports back. The runner is then wiped —
no install persists, and the code never leaves the customer's own GitHub account.
Forks get no secrets (the workflow uses pull_request, never pull_request_target),
so a stranger's PR can't exfiltrate your license.
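A repository check for the trigger rule above, as an added example that is not part of CodeDelta: it fails any workflow that both triggers on pull_request_target and references the license secret. The sample workflows, the OWNER/ACTION@TAG placeholder and the way the secret is passed to the step are constructed for illustration.

```python
import re

def workflow_triggers(text):
    """Event names under the top-level `on:` key (line heuristic, not a YAML parser)."""
    lines, found = text.splitlines(), set()
    for i, line in enumerate(lines):
        m = re.match(r"""['"]?on['"]?\s*:(.*)""", line)
        if not m:
            continue
        inline = m.group(1).split("#")[0].strip()
        if inline:                      # on: push   or   on: [push, pull_request]
            return set(re.findall(r"[a-z_]+", inline))
        child = None
        for sub in lines[i + 1:]:
            body = sub.strip()
            if not body or body.startswith("#"):
                continue
            depth = len(sub) - len(sub.lstrip())
            if depth == 0 and not body.startswith("-"):
                break                   # next top-level key closes the block
            child = depth if child is None else child
            k = re.match(r"-?\s*([a-z_]+)", body)
            if depth == child and k:    # direct children only: `event:` or `- event`
                found.add(k.group(1))
        return found
    return found

def audit(text, secret="CODEDELTA_LICENSE"):
    """FAIL when runs triggered from forks would have the secret in scope."""
    events = workflow_triggers(text)
    if "pull_request_target" in events and f"secrets.{secret}" in text:
        return "FAIL: pull_request_target exposes the secret to fork PRs"
    return "PASS: triggers " + ", ".join(sorted(events))

# Constructed sample workflow; OWNER/ACTION@TAG is a placeholder.
SAFE = """\
name: codedelta
on:
  pull_request:
    types: [opened, synchronize]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: OWNER/ACTION@TAG
        env:
          CODEDELTA_LICENSE: ${{ secrets.CODEDELTA_LICENSE }}
"""
UNSAFE = SAFE.replace("  pull_request:", "  pull_request_target:")
```

Run `audit()` over every file in `.github/workflows/` as a required check so a later edit cannot quietly switch the trigger.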
The comment CodeDelta posts on the pull request
PR comment
A churn summary and any AI/agent findings posted straight onto the pull request, where reviewers already are. Works on every repo, public or private.
Security tab SARIF
Findings surfaced as code-scanning alerts — free on public repos, or with GitHub Advanced Security on private ones.
Merge gate
A non-zero exit can block the merge — fail the build on new findings against an accepted baseline, or on a policy-gate breach.
Artifacts
The full HTML reports and raw CSV saved as build artifacts for download or trend tracking.
Run it without the PR gate — on demand or on a schedule
Don't want it tied to pull requests? Trigger the same job manually from the Actions tab, or on a nightly cron — a one-off scan or a rolling trend, no PR required.
Run it as a container
For environments that won't allow local installs but do allow pulling approved images — which is most hardened corporate CI. One image, runs anywhere Docker runs.
The image carries the compiled engine and everything it needs — no Python setup, no dependencies to resolve. The license is passed in as an environment variable or a mounted file. The same image runs on a laptop, a CI runner, or a self-hosted box, identically.
…or in the browser with Codespaces
Open the repo in a GitHub Codespace and CodeDelta is ready in the terminal — evaluate it on your own code from a browser tab, with nothing installed locally. The Codespace runs on your own GitHub account's compute (within its free allowance), so there's no shared cost or sign-up wall.
The headless CLI
For teams that can install: terminals and cron jobs on any OS — macOS, Windows or Linux. The command is identical everywhere. Point it at two snapshots to measure churn; add a mode for the AI scans.
| Mode | What it runs | Use it for |
|---|---|---|
| churn | churn only (no AI) | the default — most runs |
| both | churn + AI audit + agent scan | everything in one pass |
| ai_audit | AI audit + agent (no churn) | single-project AI review |
| agent | agent scan only | where code calls AI at runtime |
| ai | AI authorship scan only | generated-code detection alone |
Licensing built for CI
One RSA-signed license file, verified entirely offline — no phone-home, no account, no network call.
During the free beta (to 31 July 2026) the GitHub
Action needs no license at all — one is built in, fully unlocked. Beyond that: CI machines are
different every run, so CodeDelta uses a time-limited license (gated by an expiry date, not
locked to a hostname). In CI it lives as a GitHub secret; the Action decodes it to a file at runtime — and it
overrides the built-in beta license automatically. The same license works in a container, on a
developer's laptop, a build server, or a cron host — wherever the engine finds a CODEDELTA_LICENSE
path, it uses it. The downloadable bundle is public; the license gates execution, not download.
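What offline verification of a signed, expiring license involves, as an added sketch that is not CodeDelta's code: the signature is checked before any field is trusted, then the expiry date is compared with today. The JSON payload, the PKCS#1 v1.5 / SHA-256 scheme and the demo key (built from two Mersenne primes, so trivially factorable) are assumptions for illustration.

```python
import hashlib
import json
from datetime import date

# Constructed demo key from two Mersenne primes. Never use such a key for real.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q                                # public modulus, shipped with the engine
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent, stays with the issuer
K = (N.bit_length() + 7) // 8            # modulus length in bytes

# DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def _encode(msg):
    """EMSA-PKCS1-v1_5 block: 00 01 FF..FF 00 || DigestInfo || SHA-256(msg)."""
    t = SHA256_PREFIX + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def sign(msg):
    """Issuer side, included only so the example is self-contained."""
    return pow(int.from_bytes(_encode(msg), "big"), D, N)

# Constructed license payload (hypothetical format).
LICENSE = b'{"licensee": "example-team", "expires": "2030-01-31"}'

def check_license(payload, sig, today):
    """Offline check: signature first, expiry second. No hostname, no network."""
    if not 0 < sig < N:
        return "invalid signature"
    # Rebuild the whole expected block and compare it byte for byte;
    # lenient parsing of the padding is what signature forgeries exploit.
    if pow(sig, E, N).to_bytes(K, "big") != _encode(payload):
        return "invalid signature"
    expires = date.fromisoformat(json.loads(payload)["expires"])
    return "valid" if today <= expires else "expired"
```

Because the expiry date sits inside the signed payload, editing it invalidates the signature, which is what lets the license file and the bundle sit in the open.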
How it fits together — architecture & run flow (diagrams)
The C++ engine does the measurement. The AI features live in the Python layer above it.
Put CodeDelta in your pipeline
Add the Action to a repo, or pull the engine bundle into any CI. The license gates execution, so the artifacts can sit in the open — grab them and go.
Need a trial license? Try CodeDelta and we'll send one.