Configuration Guide

Bop uses a layered configuration system that allows zero-config operation while supporting extensive customization.

Configuration Locations

Bop searches for configuration files in this order:

  1. ./bop.yaml or ./.bop.yaml - Project-level configuration (highest priority)
  2. ~/.config/bop/bop.yaml - User configuration
  3. Embedded defaults - Built into the binary

Tip: Use .bop.yaml (dotfile) to keep your project config out of the way, or bop.yaml if you prefer it visible.

Configuration Priority

Settings are merged from multiple sources (highest to lowest priority):

  1. CLI flags - e.g., --block-threshold medium
  2. Environment variables - e.g., BOP_REVIEW_BLOCKTHRESHOLD=medium
  3. Local config file - ./bop.yaml, ./.bop.yaml, or ~/.config/bop/bop.yaml
  4. Embedded defaults - Built into the binary

Complete Configuration Reference

Providers

Configure LLM providers for code reviews. By default, only an Anthropic API key is needed.

providers:
  anthropic:
    enabled: true              # null=auto, true=force, false=disable
    apiKey: ${ANTHROPIC_API_KEY}
    defaultModel: claude-sonnet-4-5
    timeout: 180s
    maxOutputTokens: 8192

  # Optional: additional providers for custom multi-reviewer setups
  openai:
    enabled: true
    apiKey: ${OPENAI_API_KEY}
    defaultModel: gpt-5.2
    timeout: 180s
    maxOutputTokens: 8192

  gemini:
    enabled: true
    apiKey: ${GEMINI_API_KEY}
    defaultModel: gemini-3-pro-preview
    timeout: 180s
    maxOutputTokens: 8192

  ollama:
    enabled: false
    defaultModel: codellama
    # No API key needed - uses local Ollama instance

Provider States:

  • enabled: null (default) - Auto-enabled if API key is present
  • enabled: true - Force enable (fails if API key missing)
  • enabled: false - Disabled regardless of API key

Reviewers

Define reviewers with distinct personas and focus areas. Bop ships with a single default reviewer that uses Anthropic and relies on the review.instructions block for guidance.

# Built-in default — this is what ships out of the box
reviewers:
  default:
    provider: anthropic
    weight: 1.0
    # No persona — uses review.instructions for guidance

defaultReviewers:
  - default

Custom Multi-Reviewer Panel

You can define specialized reviewers backed by any configured provider:

reviewers:
  default:
    provider: anthropic
    weight: 1.0

  security:
    provider: anthropic
    weight: 1.5                 # Higher weight = more influence in consensus
    persona: |
      You are a security engineer focusing on OWASP Top 10,
      authentication, authorization, and injection vulnerabilities.
    focus:
      - security
      - authentication
      - authorization
    ignore:
      - style
      - documentation

  architecture:
    provider: openai
    weight: 1.0
    persona: |
      You are a software architect focusing on SOLID principles,
      design patterns, and long-term maintainability.
    focus:
      - maintainability
      - architecture
      - complexity
    ignore:
      - performance

  performance:
    provider: gemini
    model: gemini-3-flash-preview   # Override provider's default
    weight: 1.0
    persona: |
      You are a performance engineer focusing on N+1 queries,
      algorithm complexity, and resource management.
    focus:
      - performance
      - scalability
      - resource_management
    ignore:
      - style
      - documentation

# Use your custom reviewers by default
defaultReviewers:
  - security
  - architecture
  - performance

See Reviewer Personas for more details.

Output

Configure where review artifacts are written.

output:
  directory: review-output       # Relative or absolute path

Output files:

  • review-{provider}-{timestamp}.md - Markdown format
  • review-{provider}-{timestamp}.json - JSON format
  • review-{provider}-{timestamp}.sarif - SARIF format

Review Behavior

Control how reviews behave and affect PR status.

review:
  botUsername: github-actions[bot]   # Bot username for auto-dismiss
  blockThreshold: high               # critical, high, medium, low, none

  alwaysBlockCategories:             # These always trigger REQUEST_CHANGES
    - security

  postOutOfDiffAsComments: true      # Post out-of-diff findings as issue comments

  actions:                           # Fine-grained action control
    onCritical: request_changes
    onHigh: request_changes
    onMedium: comment
    onLow: comment
    onClean: approve
    onNonBlocking: comment

  instructions: |                    # Custom instructions for all reviewers
    Focus on security and correctness.
    Ignore style issues unless they affect readability.

Block Threshold Values:

  • critical - Only critical findings block
  • high - Critical and high block
  • medium - Critical, high, and medium block
  • low - All findings block
  • none - Nothing blocks (comment-only mode)

Verification

Configure agent-based verification of findings to reduce false positives. Verification is disabled by default since it requires a separate LLM call.

verification:
  enabled: false                     # Disabled by default
  provider: gemini
  model: gemini-3-flash-preview
  depth: medium                      # minimal, medium, thorough
  costCeiling: 0.50                  # Max cost in dollars
  maxTokens: 64000

  confidence:                        # Thresholds per severity
    default: 75
    critical: 60
    high: 70
    medium: 75
    low: 85

Verification Depth:

  • minimal - Quick sanity check
  • medium - Standard verification
  • thorough - Deep analysis with multiple passes

Merge Settings

Configure how findings from multiple reviewers are combined. Only relevant when using multiple reviewers.

merge:
  enabled: true
  strategy: consensus                # Merge strategy
  provider: anthropic                # Provider for synthesis
  model: claude-haiku-4-5
  weightByReviewer: true             # Weight findings by reviewer weight
  respectFocus: true                 # Respect reviewer focus areas

Theme Extraction

Reduce repeat findings by learning patterns across review rounds.

themeExtraction:
  enabled: true
  strategy: comprehensive            # abstract, specific, comprehensive
  provider: anthropic
  model: claude-haiku-4-5
  maxTokens: 4096
  minFindingsForTheme: 3             # Min findings before extraction
  maxThemes: 10

Deduplication

Remove duplicate findings across providers.

deduplication:
  semantic:
    enabled: true
    provider: anthropic
    model: claude-haiku-4-5
    maxTokens: 64000
    lineThreshold: 50                # Only compare within N lines
    maxCandidates: 200               # Max pairs to compare

Size Guards

Prevent context overflow on large PRs.

sizeGuards:
  enabled: true
  warnTokens: 150000
  maxTokens: 200000

  providers:                         # Per-provider overrides
    gemini:
      warnTokens: 750000
      maxTokens: 1000000

Redaction

Protect secrets from being sent to LLM providers.

redaction:
  enabled: true

  denyGlobs:                         # Always redact these patterns
    - "**/*.env"
    - "**/*.pem"
    - "**/*.key"
    - "**/secrets.*"
    - "**/credentials.*"

  allowGlobs:                        # Explicit allow (overrides deny)
    - "**/*.env.example"
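
Added example (not part of Bop or its documentation): a check of which paths the globs above leave unredacted, run over a constructed file listing. The glob semantics in glob_to_regex are an assumption, and Bop's own matcher may differ.

```python
import re

# Globs from the redaction block above.
DENY = ["**/*.env", "**/*.pem", "**/*.key", "**/secrets.*", "**/credentials.*"]
ALLOW = ["**/*.env.example"]

def glob_to_regex(glob):
    """Assumed semantics: '**/' spans zero or more directories;
    '*' and '?' never cross a '/'. Bop's real matcher may differ."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**/", i):
            out.append(r"(?:[^/]+/)*")
            i += 3
        elif glob.startswith("**", i):
            out.append(r".*")
            i += 2
        elif glob[i] == "*":
            out.append(r"[^/]*")
            i += 1
        elif glob[i] == "?":
            out.append(r"[^/]")
            i += 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return re.compile("".join(out) + r"\Z")

def is_redacted(path, deny=DENY, allow=ALLOW):
    """A path is redacted when a deny glob matches and no allow glob does."""
    if any(glob_to_regex(g).match(path) for g in allow):
        return False
    return any(glob_to_regex(g).match(path) for g in deny)

def unprotected(paths, deny=DENY, allow=ALLOW):
    """Paths whose contents would reach the provider unredacted."""
    return [p for p in paths if not is_redacted(p, deny, allow)]

# Constructed repository listing, not taken from a real project.
SAMPLE = ["prod.env", "config/.env", "deploy/tls/server.pem", "secrets.yaml",
          "app/.env.example", ".env.local", "deploy/id_rsa", "secrets/db.yaml"]

if __name__ == "__main__":
    print("not redacted by the globs above:", unprotected(SAMPLE))
    # Broader deny globs close the gaps; the allow glob still spares the example file.
    wider = DENY + ["**/.env*", "**/secrets/**", "**/id_rsa*"]
    print("not redacted with wider globs:", unprotected(SAMPLE, deny=wider))
```

Under these assumed semantics, .env.local, deploy/id_rsa and secrets/db.yaml fall outside the listed deny globs, so extend denyGlobs to cover the secret file names your repository actually uses.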

Determinism

Enable reproducible reviews.

determinism:
  enabled: false
  temperature: 0.0                   # 0.0 = consistent, 1.0 = creative
  useSeed: true                      # Use deterministic seed

Observability

Configure logging and metrics.

observability:
  logging:
    enabled: true
    level: info                      # trace, debug, info, error
    format: human                    # human, json
    redactAPIKeys: true
    maxContentBytes: 10000           # Max bytes to log (0 = unlimited)

  metrics:
    enabled: true

HTTP

Configure HTTP client behavior.

http:
  timeout: 120s
  maxRetries: 3
  initialBackoff: 1s
  maxBackoff: 30s
  backoffMultiplier: 2.0

Store

Configure SQLite persistence for review history.

store:
  enabled: true
  path: ~/.config/bop/reviews.db

Planning

Configure interactive planning mode.

planning:
  enabled: false
  provider: anthropic
  model: claude-sonnet-4-5
  maxQuestions: 5
  timeout: 30s

Environment Variables

All configuration options can be overridden via environment variables with the BOP_ prefix. Nested keys use underscores:

# Provider settings
export BOP_PROVIDERS_ANTHROPIC_APIKEY="sk-ant-..."
export BOP_PROVIDERS_OPENAI_DEFAULTMODEL="gpt-4o"

# Review settings
export BOP_REVIEW_BLOCKTHRESHOLD="medium"
export BOP_REVIEW_ALWAYSBLOCKCATEGORIES="security,bug"

# Output
export BOP_OUTPUT_DIRECTORY="./my-reviews"

# Logging
export BOP_OBSERVABILITY_LOGGING_LEVEL="debug"

# Verification
export BOP_VERIFICATION_ENABLED="true"
export BOP_VERIFICATION_DEPTH="thorough"
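
Added example (not part of Bop or its documentation): because environment variables outrank the config file, a CI job's environment can loosen a committed policy. This sketch applies the naming rule and priority order described on this page to a constructed config and environment and reports overrides that weaken it. The baseline values are the ones shown in the reference above, assumed here to be the defaults, and the function names are hypothetical.

```python
# Strictness order from "Block Threshold Values": none blocks nothing, low blocks everything.
STRICTNESS = ["none", "critical", "high", "medium", "low"]

# Baseline taken from the values shown in the reference above (assumed to be the defaults).
BASELINE = {
    "review.blockThreshold": "high",
    "redaction.enabled": "true",
    "observability.logging.redactAPIKeys": "true",
}

def env_name(key):
    """review.blockThreshold -> BOP_REVIEW_BLOCKTHRESHOLD (prefix, underscores, upper case)."""
    return "BOP_" + key.replace(".", "_").upper()

def effective(key, file_cfg, env):
    """Environment variable beats config file beats baseline (CLI flags not modelled)."""
    name = env_name(key)
    if name in env:
        return env[name].strip().lower(), name
    if key in file_cfg:
        return file_cfg[key], "file"
    return BASELINE[key], "baseline"

def weakening_overrides(file_cfg, env):
    """Return (variable, committed value, effective value) for each weaker override."""
    findings = []
    for key in BASELINE:
        committed = file_cfg.get(key, BASELINE[key])
        value, source = effective(key, file_cfg, env)
        if source in ("file", "baseline"):
            continue
        if key == "review.blockThreshold":
            # Unknown values are reported too, since their effect is undefined here.
            weaker = (value not in STRICTNESS
                      or STRICTNESS.index(value) < STRICTNESS.index(committed))
        else:
            weaker = committed == "true" and value != "true"
        if weaker:
            findings.append((source, committed, value))
    return findings

# Constructed inputs: a committed bop.yaml (flattened) and a CI job environment.
FILE_CFG = {"review.blockThreshold": "medium"}
CI_ENV = {"BOP_REVIEW_BLOCKTHRESHOLD": "none", "BOP_REDACTION_ENABLED": "false",
          "BOP_OUTPUT_DIRECTORY": "./my-reviews", "PATH": "/usr/bin"}

if __name__ == "__main__":
    for var, committed, value in weakening_overrides(FILE_CFG, CI_ENV):
        print(f"{var}: committed={committed} effective={value}")
```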

Example Configurations

Minimal Configuration

# Just use defaults with your API key — this is all you need
providers:
  anthropic:
    apiKey: ${ANTHROPIC_API_KEY}

Security-Focused Configuration

providers:
  anthropic:
    apiKey: ${ANTHROPIC_API_KEY}

reviewers:
  default:
    provider: anthropic
    weight: 1.0

  security:
    provider: anthropic
    weight: 1.5
    persona: |
      You are a security engineer focusing on OWASP Top 10,
      injection attacks, and sensitive data exposure.
    focus:
      - security
      - authentication
      - authorization

defaultReviewers:
  - default
  - security

review:
  blockThreshold: medium
  alwaysBlockCategories:
    - security
    - bug

verification:
  enabled: true
  confidence:
    critical: 95
    high: 90

Cost-Conscious Configuration

providers:
  ollama:
    enabled: true
    defaultModel: codellama

  gemini:
    enabled: true
    apiKey: ${GEMINI_API_KEY}
    defaultModel: gemini-3-flash-preview  # Faster, cheaper model

reviewers:
  quick:
    provider: gemini
    model: gemini-3-flash-preview
    weight: 1.0

defaultReviewers:
  - quick

verification:
  enabled: false  # Skip verification to reduce costs

merge:
  enabled: false  # Skip merge synthesis

Multi-Reviewer Configuration

providers:
  anthropic:
    apiKey: ${ANTHROPIC_API_KEY}
  openai:
    apiKey: ${OPENAI_API_KEY}

reviewers:
  security:
    provider: anthropic
    weight: 1.5
    persona: |
      You are a security engineer focusing on OWASP Top 10,
      injection attacks, and sensitive data exposure.
    focus:
      - security

  architecture:
    provider: openai
    weight: 1.0
    persona: |
      You are a software architect focusing on SOLID principles,
      design patterns, and long-term maintainability.
    focus:
      - maintainability
      - architecture

  performance:
    provider: anthropic
    weight: 1.0
    persona: |
      You are a performance engineer focusing on N+1 queries,
      algorithm complexity, and resource management.
    focus:
      - performance

defaultReviewers:
  - security
  - architecture
  - performance

review:
  blockThreshold: high
  alwaysBlockCategories:
    - security

verification:
  enabled: true
  depth: thorough
  confidence:
    critical: 95
    high: 90
    medium: 80

redaction:
  enabled: true
  denyGlobs:
    - "**/*.env"
    - "**/*.pem"
    - "**/secrets/**"

observability:
  logging:
    enabled: true
    level: info
    format: json
  metrics:
    enabled: true