Enforcing checks

This feature is only available on the Enterprise plan.

Preventing unintended breaking or other unsafe changes in production is crucial for API and data producers, but often complex to implement across multiple teams. The BSR allows you to apply checks across your entire instance, enforcing consistent policies for all Protobuf files in your organization. And because these changes are sometimes necessary, it also provides module owners the ability to review these changes before they enter the BSR and then approve or deny them. This allows for nuance in cases where exceptions can be made.

Buf's checks:

• Block breaking changes from reaching consumers: The BSR by default blocks all schema updates that fail any checks. You can optionally configure it to put commits with breaking changes into review, allowing them to be approved before they're released to consumers.

• Ensure that breaking changes are reviewed by the right team members: Module owners are notified of breaking changes that are put into review via inbox and email, and can approve or reject the breaking commits via the review flow. All review states and decisions are visible in the BSR, providing a history of schema evolution over time.

• Work regardless of project configuration: The server-wide check supersedes any settings in buf.yaml files or CI, and works even if they aren't present, so enterprises can rely on stable Protobuf contracts.

Supported checks

The BSR supports the following checks:

• Breaking change prevention: Prevents breaking changes from being pushed to the BSR.
• Uniqueness: Prevents duplicate Protobuf file paths and type names across modules in the BSR instance.
• CSR compatibility: Prevents incompatible changes to Subjects in the Confluent Schema Registry.

Review flow

The BSR by default blocks all schema updates that fail any checks. You can optionally configure it to put commits that fail checks into review, allowing them to be approved before they're released to consumers.

See Reviewing commits for instructions about how to enable and disable the review flow and how to approve or deny pending commits.

Effects on downstream consumers

Any commits pushed after a commit that's pending are also marked as pending, unless those new commits do not fail any checks. If they do not fail any checks, the pending commits are automatically rejected and the new commits are available to downstream consumers.

On the default label, pending commits are unavailable to downstream consumers, and rejected commits are always unavailable as follows:

• They're not available to install from any generated SDK registry, unless specifically requested by commit.
  • The "latest" version of a generated SDK is kept at the latest approved or non-reviewed commit on the default label.
• They're not available to use in Buf Studio.
• They're excluded from the Reflection API.
• They don't update schemas in the Confluent Schema Registry.