The provenance problem in your git history

You’ve been using Cursor, your lead dev is hooked on Claude Code, and that one contractor is definitely shipping Copilot-heavy PRs. By the end of the quarter, your repository is a black box of mixed provenance. When your legal team or an enterprise client asks exactly how much of your IP was generated by an LLM, you’re stuck manually grepping commit messages or, worse, guessing. The "vibe check" approach to AI governance is dead; you need a paper trail that doesn't rely on developer honesty.

Most teams ignore this until a compliance audit or a due diligence phase hits. By then, the metadata is buried. Korext's ai attestation (Track AI generated code in your repository) attempts to fix this by turning your git history into a machine-readable audit log. It’s not about blocking AI; it’s about acknowledging it so you don't get blindsided by licensing or quality questions down the road.

What is this tool and who built it?

Built by the team at Korext, this is an open-standard CLI tool designed to bring transparency to AI-assisted development. It’s less of a "security scanner" and more of a "provenance tracker" for your engineering manager's peace of mind.

ai attestation Track AI generated code in your repository is a developer tool and open standard that scans git history to detect and track AI-generated code — producing a standardized YAML file for enterprise compliance and transparency.

Unlike heavy-handed enterprise suites that require deep integration, this tool stays local. It looks for the "fingerprints" left by 19+ different AI coding tools, from mainstream giants like GitHub Copilot to niche CLI agents like Aider and OpenHands. It’s designed for teams that need to prove they are following an internal AI policy without slowing down the actual coding process.

Hands-on experience: Does it actually catch everything?

The "zero-config" workflow

When you run the tool for the first time, the experience is refreshingly fast. You don't have to point it at specific files or tell it which tools you use. Because it only reads git metadata—commit messages, author emails, and specific tool-injected headers—it finishes scanning a massive repo in seconds. You aren't waiting for a heavy AST parser to chew through your TypeScript; you're just getting a summary of the trail your AI tools already left behind.

The YAML attestation file

The core output is the .ai-attestation.yaml file. This is the smartest part of the tool. It doesn't just say "AI was here." It breaks down usage by tool (e.g., 40% Copilot, 10% Windsurf) and includes a governance section. In my testing, the file stayed remarkably clean even after hundreds of commits. It’s small enough to live in your root directory without being an eyesore, and because it’s a standard, you could theoretically build your own internal dashboard on top of it using basic YAML parsing.
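To make concrete what a metadata-only scan can and cannot see, here is an added example (not the Korext tool's code, and not its real signature list) that does the same kind of work the review describes for the zero-config scan and the per-tool breakdown: it parses git log output with the body kept intact, matches Co-authored-by trailers and author identities against a small signature table, and computes the per-tool counts and overall AI percentage. The signature table, the internal-agent address, and the five-commit sample log are constructed for this example; confirm each tool's real trailer string before trusting an entry.

```python
"""Tally AI-tool signatures in git commit metadata.

Added example: this is not the Korext tool's code. It reproduces the kind
of metadata-only scan the review describes, matching Co-authored-by
trailers and author identities against a small signature table, then
computing the per-tool breakdown and an overall AI percentage. The
signature table and the sample log are constructed for this example.
"""
import re
from collections import Counter

# git log format that keeps multi-line bodies intact: fields separated by
# 0x1f (unit separator), commits by 0x1e (record separator).
# In a real repository:  git log --format='%H%x1f%an <%ae>%x1f%B%x1e'
GIT_LOG_FORMAT = "%H%x1f%an <%ae>%x1f%B%x1e"

# Git trailer tokens are case-insensitive, so "Co-Authored-By" and
# "Co-authored-by" are the same trailer.
TRAILER_RE = re.compile(r"^co-authored-by:\s*(.+?)\s*$", re.I | re.M)

# Signature table (constructed for this example, not the tool's own list).
# "trailer" matches each Co-authored-by value; "author" matches the
# commit author string "Name <email>".
SIGNATURES = [
    ("GitHub Copilot", "trailer", re.compile(r"\bcopilot\b", re.I)),
    ("Claude Code", "trailer", re.compile(r"\bclaude\b", re.I)),
    ("Aider", "author", re.compile(r"\(aider\)", re.I)),
    # Hypothetical internal agent configured to add a trailer with its own
    # noreply address (the FAQ's "custom internal LLM" case).
    ("internal-agent", "trailer", re.compile(r"@agent\.internal\.example\b", re.I)),
]


def parse_log(raw):
    """Split formatted git log output into commit records."""
    commits = []
    for record in raw.split("\x1e"):
        if not record.strip():
            continue
        sha, author, body = record.split("\x1f", 2)
        commits.append({
            "sha": sha.strip(),
            "author": author.strip(),
            "trailers": TRAILER_RE.findall(body),
        })
    return commits


def classify(commit):
    """Return the set of AI tools whose signature appears on this commit."""
    tools = set()
    for name, field, pattern in SIGNATURES:
        if field == "author" and pattern.search(commit["author"]):
            tools.add(name)
        elif field == "trailer" and any(pattern.search(t) for t in commit["trailers"]):
            tools.add(name)
    return tools


def tally(commits):
    """Per-tool counts plus the share of commits carrying any AI signature."""
    by_tool = Counter()
    ai_commits = 0
    for commit in commits:
        tools = classify(commit)
        if tools:
            ai_commits += 1
        by_tool.update(tools)
    total = len(commits)
    ai_pct = round(100.0 * ai_commits / total, 1) if total else 0.0
    return {"total": total, "ai_commits": ai_commits,
            "ai_pct": ai_pct, "by_tool": dict(by_tool)}


def within_policy(summary, max_ai_pct):
    """The kind of threshold check a CI gate applies to the summary."""
    return summary["ai_pct"] <= max_ai_pct


def _commit(sha, author, body):
    """Build one record exactly as GIT_LOG_FORMAT would emit it."""
    return sha + "\x1f" + author + "\x1f" + body + "\x1e"


# Constructed sample: five commits. Tool identities are placeholders.
SAMPLE_LOG = "".join([
    _commit("a1", "Dana Lee <dana@example.com>",
            "Refactor auth middleware\n\nCo-Authored-By: Claude <noreply@anthropic.com>\n"),
    _commit("b2", "Dana Lee <dana@example.com>",
            "Add rate limiter\n\nCo-authored-by: Copilot <copilot@example.com>\n"),
    _commit("c3", "Sam Ortiz (aider) <sam@example.com>", "Fix flaky test\n"),
    _commit("d4", "Sam Ortiz <sam@example.com>", "Update README\n"),
    # Blind spot: a helper pasted from a browser chat and committed with no
    # trailer or marker. A metadata scan counts this as human-written.
    _commit("e5", "Dana Lee <dana@example.com>", "Add retry helper\n"),
])


def run_sample():
    """Scan the constructed log; 3 of 5 commits carry a signature."""
    return tally(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    import json
    print(json.dumps(run_sample(), indent=2))
```

The fifth commit is the point: nothing in its metadata distinguishes a browser paste from hand-written code, so the 60% figure the sample reports is a floor on AI involvement, not a measurement of it. Any dashboard built on this kind of output should present it that way.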

Where the detection falls short

You need to understand what this tool is not: it is not a "plagiarism detector" or a code-fingerprinting engine. If a developer copies code from ChatGPT in a browser and pastes it into a file without using an IDE extension that leaves a signature, ai attestation Track AI generated code in your repository will miss it. It relies on Co-authored-by trailers in commit messages or specific comments like // @cursor-generated in the code. If your team is actively trying to hide their AI usage by scrubbing these tags, this tool won't catch them, and ordinary history rewriting that edits commit messages (git commit --amend, a rebase with reword or squash) can drop the trailers just as effectively with no intent to hide anything. It is a tool for honest teams who want better record-keeping, not a police officer for dishonest ones.

Pro Tip: A pre-commit hook runs before the commit message exists and only on the developer's machine, where git commit --no-verify skips it, so it cannot guarantee that signatures survive. Use a commit-msg hook for local feedback, and put the real check server-side (a pre-receive hook) or in CI over the pushed commit range if you want the data to remain accurate over long-term projects.
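A hook cannot know that a trailer was removed unless it has something to compare against; what it can check is consistency between the two signals the review mentions, marker comments in the added code and Co-authored-by trailers in the message. The following is an added example (not the Korext tool's code) of that check: it flags a commit whose diff adds an AI marker line but whose message carries no trailer, and it is written so the same function can be called from a client-side commit-msg hook, a server-side pre-receive hook, or a CI job. The marker list, the "ai-generated:" convention, the Cursor trailer identity, and the sample diffs are constructed for this example.

```python
"""Flag commits whose diff carries an AI marker but whose message has no
AI trailer.

Added example, not the Korext tool's code. The only marker taken from the
review is "@cursor-generated"; the "ai-generated:" line stands in for an
internal convention and is an assumption. Client-side, git commit
--no-verify bypasses any hook that calls this; the enforcement point is a
server-side pre-receive hook or a CI job over the pushed range.
"""
import re
import subprocess
import sys

TRAILER_RE = re.compile(r"^co-authored-by:\s*(.+?)\s*$", re.I | re.M)

# Marker comments a tool leaves in generated code (constructed list).
MARKER_RE = re.compile(r"@cursor-generated|\bai-generated:", re.I)


def added_lines(diff_text):
    """Yield lines a unified diff adds, skipping the '+++' file header."""
    for line in diff_text.splitlines():
        if line.startswith("+") and not line.startswith("+++"):
            yield line[1:]


def check_commit(message, diff_text):
    """Return (ok, reason); ok is False only for a marker with no trailer."""
    markers = [line for line in added_lines(diff_text) if MARKER_RE.search(line)]
    trailers = TRAILER_RE.findall(message)
    if markers and not trailers:
        return False, ("%d AI marker line(s) added but no Co-authored-by "
                       "trailer in the commit message" % len(markers))
    if markers:
        return True, "marker and trailer both present"
    # No marker at all: nothing to cross-check. A browser paste lands here,
    # which is exactly the blind spot the review describes.
    return True, "no AI marker in added lines"


def check_rev(rev):
    """Run check_commit on a real commit; needs git and a repository."""
    out = subprocess.run(
        ["git", "show", "--format=%B", "--unified=0", rev],
        check=True, capture_output=True, text=True).stdout
    # git show prints the message first, then the diff.
    msg, sep, diff = out.partition("\ndiff --git ")
    return check_commit(msg, sep + diff)


# Constructed samples. The Cursor identity is a placeholder.
MSG_WITH_TRAILER = "Add parser\n\nCo-authored-by: Cursor <bot@example.com>\n"
MSG_PLAIN = "Add parser\n"
DIFF_WITH_MARKER = """diff --git a/parse.js b/parse.js
--- a/parse.js
+++ b/parse.js
@@ -0,0 +1,3 @@
+// @cursor-generated
+export function parse(s) { return JSON.parse(s); }
+
"""
DIFF_PLAIN = DIFF_WITH_MARKER.replace("+// @cursor-generated\n", "")


if __name__ == "__main__":
    # Usage: check_commit.py <rev>...   (in a pre-receive hook, pass the
    # output of `git rev-list old..new` for each updated ref).
    failed = False
    for rev in sys.argv[1:]:
        ok, reason = check_rev(rev)
        print("%s %s: %s" % ("ok  " if ok else "FAIL", rev[:12], reason))
        failed = failed or not ok
    sys.exit(1 if failed else 0)
```

The third sample case, no marker and no trailer, passes by design: the check cannot tell an untagged paste from hand-written code, so it protects the integrity of the signals you already have rather than discovering new ones.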

CI/CD enforcement with GitHub Actions

The real value appears when you drop the provided Action into your CI pipeline. You can set "governance scores" that fail a build if the AI-generated percentage climbs too high without a corresponding manual review. This is where you move from "passive tracking" to "active policy enforcement." It’s a blunt instrument, but for managing technical debt in 2026, it’s one of the few ways to keep the "AI-slop" from taking over your codebase.

Getting started in under 2 minutes

To start using ai attestation Track AI generated code in your repository, you don't even need to install it globally. Use npx to test the waters first.

  1. Initialize the repo: Run npx @korext/ai-attestation init in your terminal. This scans your history and generates the initial YAML file.
  2. Review the signatures: Open the .ai-attestation.yaml file. Check if it correctly identified your tools. If you use a custom internal agent, you might need to add it to the config.
  3. Automate the updates: The init command offers to install a post-commit hook. Say yes. This ensures the YAML file updates every time you commit, so you never have to run the scan manually again.
  4. Enforce in CI: Copy the official GitHub Action block into your .github/workflows/main.yml. Set your critical_score to 70 to start receiving warnings when AI usage spikes.

Pricing breakdown: What will it cost you?

As of this ai attestation Track AI generated code in your repository review, the tool is entirely open-source and free to use under the Apache 2.0 license. There are no "pro" tiers or hidden seat costs for the CLI or the GitHub Action.

  • CLI Tool: Free (Apache 2.0).
  • Standard/Schema: Free (CC0 Public Domain).
  • GitHub Action: Free.
  • Enterprise Support: Pricing not publicly listed — visit the official repository for current plans or to contact the Korext team for custom governance engine integrations.

Because it runs locally and doesn't use a cloud backend to process your code, you aren't paying for compute or "tokens." You are essentially getting an enterprise-grade compliance tool for the cost of zero dollars, provided you are willing to manage the YAML file yourself.

Strengths vs. Limitations

Strengths

  • Privacy-first architecture; no code leaves your machine.
  • Out-of-the-box support for 19+ popular AI coding agents.
  • Lightweight YAML output is perfect for CI/CD automation.
  • Completely free and open-source (Apache 2.0).

Limitations

  • Cannot detect manual copy-pasting from web browsers.
  • Relies on metadata that can be intentionally scrubbed.
  • Does not perform deep semantic or "plagiarism" analysis.
  • Requires developer discipline to maintain high accuracy.

Competitive Analysis

The market for AI governance is split between heavy security scanners and lightweight trackers. While enterprise giants focus on "is this code safe," this tool focuses on "where did this code come from." It occupies a unique space as a vendor-neutral standard rather than a proprietary lock-in feature.

Feature              ai attestation (Korext)    GitHub Copilot Governance   Snyk AI Code
Detection Method     Git metadata/signatures    Internal telemetry          Semantic analysis
Multi-Tool Support   Yes (19+ tools)            No (Copilot only)           Partial
Privacy              Local-only                 Cloud-based                 Cloud-based
Open Standard        Yes (YAML/CC0)             No                          No
Cost                 Free                       Enterprise seat required    Usage-based pricing

Pick ai attestation if you use a mix of tools like Cursor, Claude, and Aider and need a unified, vendor-agnostic audit trail. Pick GitHub if your organization is 100% committed to the Microsoft ecosystem and doesn't allow external CLI tools. Pick Snyk if your primary concern is the security vulnerabilities within the AI code rather than its provenance.

FAQ

Does this tool send my source code to a third-party server? No, the tool runs entirely locally on your machine or CI runner and only analyzes git metadata.

Can it detect code written by custom internal LLMs? Yes, as long as your internal tools are configured to append standard "Co-authored-by" or metadata tags to commits.

Is there a performance hit for large repositories? Not in practice. It reads commit metadata and specific headers rather than parsing source, so runtime scales with the number of commits, not the size of the tree, and it stays fast even on massive codebases.

Verdict with Rating: 4.3/5 Stars

ai attestation Track AI generated code in your repository is the most pragmatic tool for engineering managers who need transparency without friction. It won't stop a malicious developer from "laundering" AI code through a manual copy-paste, but for honest teams, it provides the paper trail required for modern compliance. It is a must-have for open-source maintainers and enterprise teams in regulated industries. If you need a tool to "catch" people cheating, look for a semantic analyzer; if you need a tool to "document" your progress, this is the gold standard. Wait for future updates only if you require deep-fingerprinting of untagged code.

Try ai attestation Track AI generated code in your repository Yourself

The best way to evaluate any tool is to use it. ai attestation Track AI generated code in your repository is free and open source — no credit card required.

Get Started with ai attestation Track AI generated code in your repository →