GitLab CODEOWNERS file – enforce code reviews, approvals, and accountability

The CODEOWNERS file in GitLab is a special file that lets you define who is responsible (owner) for specific files, directories, or patterns in your repository. It’s a powerful feature to enforce code reviews, approvals, and accountability—especially for sensitive or critical parts of your codebase.

✅ What Does the CODEOWNERS File Do?

When a file or directory covered by a CODEOWNERS rule is modified in a merge request:

1. GitLab automatically requests approval from the listed owners.
2. If you enforce approval rules, the MR cannot be merged without their review (when configured).

📄 Syntax of CODEOWNERS

Each line defines a path pattern followed by one or more GitLab usernames or groups.

# Syntax: <file pattern> <usernames or groups>
/README.md         @john
/docs/             @tech-writers
/secrets/*         @security-team @admin
*.yml              @devops
Code language: PHP (php)

📁 Where to Place CODEOWNERS

GitLab looks for the file in one of these locations (in order of priority):

1. .gitlab/CODEOWNERS
2. docs/CODEOWNERS
3. CODEOWNERS (root)

👉 Best practice: place it in .gitlab/CODEOWNERS.

🔐 How CODEOWNERS Works with Approval Rules

To enforce the rules:

1. Go to Project → Settings → General → Merge request approvals
2. Enable: “Require approval from Code Owners”
3. GitLab will now enforce at least one approval from any listed owner if their path is touched.

🧠 Example Use Case

# Enforce ownership on critical configs
/config/production.yml @devops-lead

# Only security team can approve secrets file
/secrets/* @security-team
Code language: PHP (php)

When someone opens an MR touching /config/production.yml, GitLab:

• Requests approval from @devops-lead
• Blocks merging if approval is required and not yet given

🔍 Pro Tips

• You can use groups like @my-org/security as owners.
• Owners must have at least Developer access to the repo.
• Use together with merge request approval rules for full control.

Rajesh Kumar

I’m a DevOps/SRE/DevSecOps/Cloud Expert passionate about sharing knowledge and experiences. I have worked at Cotocus. I share tech blog at DevOps School, travel stories at Holiday Landmark, stock market tips at Stocks Mantra, health and fitness guidance at My Medic Plus, product reviews at TrueReviewNow , and SEO strategies at Wizbrand.

Do you want to learn Quantum Computing?

Please find my social handles as below;

Rajesh Kumar Personal Website
Rajesh Kumar at YOUTUBE
Rajesh Kumar at INSTAGRAM
Rajesh Kumar at X
Rajesh Kumar at FACEBOOK
Rajesh Kumar at LINKEDIN
Rajesh Kumar at WIZBRAND

Rajesh Kumar DailyLogs