Code Review

CODEOWNERS

A configuration file that defines which developers or teams are automatically requested as reviewers when specific files or paths are modified.

What Is a CODEOWNERS File?

A CODEOWNERS file is a plain-text configuration file that maps file paths and patterns to the developers or teams responsible for reviewing changes to those files. When a pull request or merge request modifies files that match a pattern in the CODEOWNERS file, the hosting platform — GitHub, GitLab, or Bitbucket — automatically requests a review from the corresponding owners.

The CODEOWNERS file lives inside the repository itself, which means ownership rules are versioned alongside the code they govern. This is a deliberate design choice: as the codebase evolves, ownership definitions evolve with it. A new directory added in one commit can have its owner assigned in the same commit, keeping the CODEOWNERS file in sync with the project’s actual structure.

Each major Git hosting platform supports CODEOWNERS with slight variations in syntax, file location, and enforcement behavior. The core concept is the same across all three — pattern-based mapping of paths to reviewers — but the details differ enough that teams migrating between platforms need to be aware of the distinctions.

How It Works

A CODEOWNERS file consists of lines that pair a file pattern with one or more owners. The syntax is similar to .gitignore, using glob patterns to match paths. Comments start with #, and blank lines are ignored.

GitHub CODEOWNERS

On GitHub, the CODEOWNERS file can be placed in the repository root, the .github/ directory, or the docs/ directory. GitHub uses a last-match-wins rule: if a file matches multiple patterns, the last matching pattern determines the owner.

# .github/CODEOWNERS

# Default owners for everything
*                           @org/engineering

# Frontend team
src/components/**           @org/frontend
src/hooks/**                @org/frontend
src/styles/**               @org/frontend

# Backend team
src/api/**                  @org/backend
src/services/**             @org/backend

# Database changes require DBA review
migrations/                 @org/dba-team
prisma/schema.prisma        @org/dba-team

# Security-sensitive paths
src/auth/**                 @org/security
src/crypto/**               @org/security

# CI/CD and infrastructure
.github/workflows/**        @org/devops
terraform/**                @org/devops
Dockerfile                  @org/devops

# Documentation
docs/**                     @org/docs-team
*.md                        @org/docs-team

GitLab CODEOWNERS

GitLab supports the CODEOWNERS file in the repository root, the .gitlab/ directory, or the docs/ directory. GitLab extends the syntax with section headers that allow optional versus required approval groups:

# .gitlab/CODEOWNERS

# Required section — at least one approval from each group needed
[Backend]
src/api/**                  @backend-team
src/services/**             @backend-team

[Frontend]
src/components/**           @frontend-team
src/views/**                @frontend-team

# Optional section — reviewers are suggested but not required
^[Documentation]
docs/**                     @docs-team
README.md                   @docs-team

[Security]
src/auth/**                 @security-team
src/middleware/auth.*        @security-team

[DevOps]
.gitlab-ci.yml              @devops-team
deploy/**                   @devops-team

The ^ prefix before a section name in GitLab makes that section optional — reviewers are requested but their approval is not required to merge.

Bitbucket CODEOWNERS

Bitbucket Cloud does not natively support a CODEOWNERS file, but Bitbucket Data Center and several marketplace apps provide equivalent functionality. Teams using Bitbucket Cloud typically achieve similar behavior through workspace-level default reviewers or third-party apps. For Bitbucket Data Center, the syntax is:

# CODEOWNERS (Bitbucket Data Center with Code Owners plugin)

# Pattern              Owners
src/api/**             @backend-team
src/frontend/**        @frontend-team
infrastructure/**      @devops-team

Pattern Matching Rules

Across all platforms, patterns follow consistent rules with minor variations:

  • * matches everything (used as the default fallback).
  • *.js matches all JavaScript files in every directory.
  • src/api/ matches everything inside the src/api directory.
  • docs/*.md matches Markdown files directly inside docs/ but not in subdirectories.
  • docs/**/*.md matches Markdown files at any depth within docs/.

The last-match-wins rule on GitHub means pattern ordering matters. Place broad patterns at the top and specific patterns at the bottom so that specific rules override general ones.

Why It Matters

The CODEOWNERS file transforms code review from an ad-hoc process into an automated, enforceable workflow. Without it, teams rely on developers to manually assign the right reviewers — a process that breaks down as teams grow. A developer new to the project may not know that the @security-team should review changes to the authentication module, but CODEOWNERS handles this routing automatically.

CODEOWNERS is also a critical component of compliance and governance strategies. In regulated environments, organizations must demonstrate that changes to security-critical or financial-reporting code were reviewed by qualified personnel. The CODEOWNERS file, combined with branch protection rules, provides auditable evidence that the right reviewers signed off on every change.

For large monorepos with dozens of teams, CODEOWNERS is the primary mechanism for partitioning review responsibility. Without it, every pull request would require manual triage to determine which team should review it, creating a coordination bottleneck that slows the entire organization.

Best Practices

  • Place the CODEOWNERS file in the platform’s conventional directory. Use .github/CODEOWNERS for GitHub and .gitlab/CODEOWNERS for GitLab. This keeps configuration files organized and makes the file easy to find.
  • Start with a broad default and refine with specific patterns. Begin the file with * @org/engineering to ensure every file has at least one owner, then add specific patterns for specialized areas like security, infrastructure, and database schemas.
  • Use team handles rather than individual usernames. Team-based ownership is resilient to personnel changes. When a developer leaves the organization, team handles continue to work without needing an update to the CODEOWNERS file.
  • Review the CODEOWNERS file periodically. As the codebase evolves, directories are added and removed. Schedule a quarterly review of the CODEOWNERS file to prune stale patterns and add coverage for new areas.
  • Test patterns before committing. A misconfigured pattern can silently fail to match any files, leaving parts of the codebase without designated owners. Use platform-specific tools or dry-run features to verify that patterns match the intended files.

Common Mistakes

  • Ordering patterns incorrectly on GitHub. Because GitHub uses last-match-wins, placing a specific pattern above a broad pattern causes the broad pattern to override it. Always put specific patterns at the bottom of the file.
  • Assigning owners to paths that no longer exist. Over time, directories get renamed or deleted, but the CODEOWNERS file is not updated. These stale entries do not cause errors — they simply stop matching any files, leaving those areas without review coverage. Audit the file regularly to catch these gaps.
  • Overloading a single team with too many patterns. If @platform-team is the owner of 80% of the codebase, every pull request requires their review, creating a bottleneck. Distribute ownership granularly so that each team owns only the paths they are genuinely expert in.

Related Terms

Code Owner Code Review Pull Request

Learn More

Tool Reviews

Related Articles

Free Newsletter

Stay ahead with AI dev tools

Weekly insights on AI code review, static analysis, and developer productivity. No spam, unsubscribe anytime.

Join developers getting weekly AI tool insights.