Impact-AI is an automated, AI-powered code impact analysis and risk assessment system for GitHub Pull Requests. It uses static code analysis, dependency graph traversal, and intelligent risk scoring to help teams understand the blast radius of code changes, enforce merge policies, and prevent risky code from reaching production.
- Overview
- Key Features
- Architecture
- Technology Stack
- How It Works
- Installation & Setup
- Configuration
- Usage
- Example Output
- AI-Powered Enhancements (Future)
- Project Structure
- Contributing
The Problem:
Modern software development teams face a critical challenge: understanding the true impact of code changes before merging. A seemingly small change can have cascading effects across the codebase, leading to bugs, performance degradation, or system failures in production.
The Solution:
Impact-AI automatically analyzes every Pull Request to:
- Identify exactly which methods/classes were changed (line-level precision)
- Trace the impact through the entire codebase using dependency graph analysis
- Calculate a risk score based on complexity, annotations, impact depth, and change type
- Enforce merge policies via GitHub Status Checks (block HIGH/CRITICAL risk PRs)
- Provide actionable feedback to developers and reviewers
This system acts as an automated code guardian, ensuring that only safe, well-understood changes reach your main branch.
- Parses unified diffs to extract exact line ranges changed
- Maps changes to specific Java methods (not just files)
- Eliminates false positives from unrelated code in the same file
- Constructs a complete call/dependency graph of your codebase
- Tracks method-to-method calls, class dependencies, and injection relationships
- Stores method complexity, annotations, and metadata for each node
- Traverses the graph to find all directly and indirectly impacted methods/classes
- Calculates impact depth (how many hops downstream the change propagates)
- Identifies critical bottleneck methods that affect many downstream components
Computes risk based on:
- Change Type: Logic changes vs. comments/documentation
- Method Complexity: Number of method calls and cyclomatic complexity
- Critical Annotations:
@Transactional,@CacheEvict,@Scheduled, security annotations - Impact Breadth & Depth: Number of impacted nodes and propagation distance
- Special Cases: Comment-only changes automatically get LOW risk
Risk Levels: LOW | MEDIUM | HIGH | CRITICAL
- Posts commit statuses (
pendingβsuccess/failure) for each PR - Integrates with GitHub Branch Protection Rules
- Blocks merging of HIGH/CRITICAL risk PRs until reviewed
- Provides visual feedback in the GitHub UI (green check β or red X β)
- Auto-generates detailed Markdown reports on each PR
- Lists changed methods, impacted methods, and risk analysis
- Includes clickable links to exact file/line locations on GitHub
- Explains the reasoning behind the risk score
- Exports dependency graph as JSON for visualization in Cytoscape.js, Gephi, or similar tools
- Enables teams to explore codebase structure and identify architectural issues
- Receives GitHub webhook events (PR opened, updated, reopened)
- Extracts PR metadata: owner, repo, PR number, head SHA, changed files
- Triggers async processing to avoid webhook timeouts
- Uses Spoon (Java AST parser) to extract:
- Classes, methods, method signatures
- Method start/end line numbers
- Annotations (e.g.,
@Transactional,@RestController) - Method calls and dependencies
- Supports incremental parsing (only parse changed files, not entire repo each time)
- Constructs an in-memory directed graph:
- Nodes: Classes and methods
- Edges: Method calls, dependency injection relationships
- Stores metadata per node:
- Method complexity (number of calls)
- Annotations
- File path and line numbers
- Parses unified diff format (
@@hunks) to extract changed line ranges - Maps changed lines to specific methods using AST metadata
- Achieves method-level precision (not just file-level)
- Given a set of changed methods, performs graph traversal (BFS/DFS)
- Finds all transitively impacted methods (direct callers, indirect downstream)
- Calculates impact depth (maximum distance from changed node)
- Outputs: List of impacted nodes, depth, complexity metrics
Computes risk score using a multi-factor formula:
Risk Score = Base Γ DepthMultiplier Γ AffectedMultiplier Γ ComplexityMultiplier Γ CriticalMultiplier
Where:
- DepthMultiplier: Based on impact depth (0-1 = 1.0, 2-3 = 1.5, 4+ = 2.0)
- AffectedMultiplier: Based on number of impacted nodes
- ComplexityMultiplier: Based on average complexity of changed methods
- CriticalMultiplier: 1.5x if changed methods have critical annotations
Special Rules:
- Comment-only changes β Force to
LOWrisk - Logic changes in critical methods β Boost to
HIGH/CRITICAL
- Status API: Posts commit statuses with context "Impact-AI Risk"
- Comment API: Posts rich Markdown report to PR
- Branch Protection: Configured to require "Impact-AI Risk" check before merge
- Uses Spring's
@Asyncwith custom thread pool (webhookExecutor) - Returns HTTP 200 to GitHub immediately, processes in background
- Prevents webhook timeouts and enables parallel PR analysis
| Component | Technology |
|---|---|
| Backend Framework | Spring Boot 3.x |
| Language | Java 17+ |
| Code Parser | Spoon (Java AST) |
| Build Tool | Gradle |
| Concurrency | Spring Async (@Async) |
| GitHub Integration | GitHub REST API (Webhooks, Statuses, Comments) |
| Data Format | JSON (for graph export) |
| Graph Visualization | Cytoscape.js, Gephi (external) |
| Logging | SLF4J + Logback |
- Developer opens/updates a Pull Request
- GitHub sends webhook to Impact-AI server
- Impact-AI responds immediately with HTTP 200 (webhook accepted)
- Async processing begins:
- Post "pending" status to GitHub: "Impact analysis in progress..."
- Fetch changed files and patches from GitHub API
- Parse changed Java files to extract methods/classes
- Build/update dependency graph
- Extract changed node IDs using line-level detection
- Run impact analysis to find transitive effects
- Analyze patches for comment-only changes
- Check for critical annotations in changed methods
- Calculate risk score
- Post final status:
success(LOW/MEDIUM) orfailure(HIGH/CRITICAL) - Post detailed PR comment with impact report
- GitHub UI updates:
- Shows status check result (green β or red β)
- Displays PR comment with analysis
- Enforces branch protection (blocks merge if HIGH/CRITICAL)
PR Changes:
- Modified
ProductServiceImpl.updateProduct()(1 method, 23 method calls) - Added a comment in
CategoryController.getAllCategories()
Impact-AI Analysis:
- Changed Nodes: 1 (
updateProduct) - Impacted Nodes: 2 (
dtoToProduct,productToDto) - Impact Depth: 2
- Complexity: High (23 calls)
- Critical Methods: Yes (
@Cachingannotation detected) - Comment-Only: No (logic change detected)
- Risk Score:
HIGH
Result:
- Status check: β
failureβ "Impact-AI Risk: HIGH β Do NOT merge!" - PR blocked from merging
- Comment posted with details and recommendations
- Java 17 or higher
- Gradle 7.x+
- GitHub Personal Access Token with
reposcope - GitHub repository with admin access (for webhook setup)
git clone https://github.com/001ak/impact-ai-test cd impact-ai
Create src/main/resources/application.properties:
Server Configuration server.port=8080
GitHub Configuration github.token=YOUR_GITHUB_PERSONAL_ACCESS_TOKEN
Async Configuration async.executor.core-pool-size=5 async.executor.max-pool-size=10 async.executor.queue-capacity=100
./gradlew clean build
./gradlew bootRun
The application will start on http://localhost:8080.
- Go to your GitHub repository β Settings β Webhooks β Add webhook
- Payload URL:
http://your-server-domain.com/api/webhook/pr - Content type:
application/json - Events: Select "Pull requests"
- Active: β Check
- Save webhook
- Go to Settings β Branches β Branch protection rules
- Add rule for
mainbranch - Enable "Require status checks to pass before merging"
- Search for and select "Impact-AI Risk"
- Save changes
Your GitHub Personal Access Token needs:
repo(full access to repositories)write:discussion(to post PR comments)
Edit ImpactAnalysisService.java:
if (score < 1.5) return "LOW"; if (score < 3.0) return "MEDIUM"; if (score < 5.0) return "HIGH"; return "CRITICAL";
Add/remove annotations in WebhookProcessingService.java:
private boolean isCriticalAnnotation(String annotation) { String[] criticalAnnotations = { "Transactional", "CacheEvict", "Cacheable", "Scheduled", "Async", "PreAuthorize", ... }; // ... }
Simply open or update a Pull Request in your configured repository. Impact-AI will automatically:
- Analyze the changes
- Post a status check
- Add a detailed comment
In Pull Request UI:
- See status check: β Safe to merge or β Blocked
- Read full impact analysis in PR comments
Example Comment:
π PR Impact Analysis Changed Nodes com.example.service.ProductServiceImpl.updateProduct
Impacted Nodes (direct + downstream) com.example.service.ProductServiceImpl.productToDto
com.example.service.ProductServiceImpl.dtoToProduct
Impact Depth: 2 Risk: HIGH This comment was generated automatically by Impact-AI.
After analysis, find impact-graph.json in your working directory. Upload to:
- Cytoscape.js Online Viewer
- Gephi (for large graphs)
β All checks have passed Impact-AI Risk β Impact-AI Risk: LOW β Safe to merge.
β Some checks were not successful Impact-AI Risk β Impact-AI Risk: HIGH β Do NOT merge!
While the current system uses sophisticated static analysis and rule-based risk scoring, we have architected the system to seamlessly integrate AI/ML capabilities in the future:
- Use GPT-4 or similar models to provide actionable recommendations per changed method
- Example output:
ProductServiceImpl.updateProduct
π‘ Add unit tests for null price scenarios
π‘ Verify downstream impact on checkout flow
π‘ Document new pricing logic in wiki
- Analyze PR title, description, and commit messages
- Classify PR type: Feature, Bugfix, Refactor, Documentation
- Adjust risk scoring based on declared intent vs. actual changes
- Train ML model on past PRs and their outcomes (bugs, reverts, incidents)
- Predict risk based on:
- Code patterns that led to issues in the past
- Developer experience and code ownership
- Time of day, sprint phase, etc.
- Recommend specific test cases based on changed logic
- Identify untested code paths in impacted methods
- Move beyond structural analysis to understand code semantics
- Detect potential bugs, security vulnerabilities, performance issues
Our architecture is designed for AI extensibility:
- Clean separation between analysis engine and risk scoring
- Rich metadata available for each node (complexity, annotations, history)
- Structured data flows (JSON exports, API-ready)
- Spring Boot makes REST API calls to AI services trivial
AI Integration Point: @Service public class AIGuidanceService { public List getCodeGuidance(String diff, String risk, String context) { // Call OpenAI/HuggingFace API // Return actionable suggestions } }
Contributions are welcome! Please follow these steps:
- Fork the repository
- Create a feature branch (
git checkout -b feature/amazing-feature) - Commit your changes (
git commit -m 'Add amazing feature') - Push to the branch (
git push origin feature/amazing-feature) - Open a Pull Request
- First-of-its-kind line-level precision for Java PR analysis
- Graph-based impact propagation instead of naive file-level checks
- Automated merge governance that actually works in production
- Clean, modular architecture with clear separation of concerns
- Async processing for scalability
- Comprehensive logging and debugging support
- Extensible design ready for AI/ML integration
- Prevents production incidents by catching risky changes early
- Saves reviewer time with automated, detailed impact analysis
- Improves code quality through visibility and accountability
- Scales to teams of any size
- Designed for AI enhancement (NLP, LLM, ML)
- Multi-language support roadmap (Python, JavaScript, etc.)
- Enterprise-ready with security, performance, and reliability in mind
Built with β€οΈ for safer, smarter code reviews.
Impact-AI: Know the impact before you merge.


