Code quality, security & compliance
on every pull request

27 analyzers scan your code for security vulnerabilities, architecture violations, AI-generated patterns, and compliance gaps. Results appear directly in your PR.


Your code never leaves your GitHub runners. Zero third-party access.

27 Analyzers · 881 Tests Passing · 72 Languages Detected · <3s Scan Time (Small Repos)

What PullGuard catches

Every pull request is scanned automatically. Findings include file, line number, severity, and remediation steps.

🔒 Security

  • Hardcoded secrets (AWS, GitHub, Stripe keys)
  • SQL injection & XSS (cross-file taint tracking)
  • Insecure crypto (MD5, weak IVs, missing salt)
  • Dependency CVEs (offline database, air-gapped)
  • Dependency freshness (predictive risk scoring)
๐Ÿ—๏ธ

Code Quality

  • Cyclomatic & cognitive complexity
  • Dead code & unused exports
  • Code duplication (Type 1-3 clones)
  • God files & deep nesting
  • Import cycles & architecture violations

🤖 AI & Modern Dev

  • AI-generated code detection (5-signal scoring)
  • Breaking change detection (caller blast radius)
  • Knowledge silo risk (single-contributor files)
  • Test quality & flaky test indicators
  • Type coverage gaps

📋 Compliance

  • SOC 2 compliance reports (9 controls mapped)
  • PASS / CONCERN / FAIL per control
  • Compliance trend tracking over time
  • Risk register with remediation steps
  • Trajectory prediction to Grade A

💰 Cost Estimation

  • Dollar amounts per finding & category
  • Total tech debt cost ("$560K to remediate")
  • Hours to fix at configurable hourly rate
  • Top 5 most expensive findings ranked
  • CFO-ready reports for budget conversations

⚙️ Enterprise

  • Custom rules in YAML (enforce org policies)
  • API contract validation (OpenAPI drift)
  • SARIF output for GitHub Code Scanning
  • Baseline comparison (delta-only on PRs)
  • Air-gapped deployment support

What you'll see on every PR

This is a real PullGuard report. Every pull request gets this level of detail — grade, risks, costs, remediation steps.

PullGuard Report

Grade B (31/100) · 624 findings · Est. fix cost: $560,256

Health Dashboard

Category          Grade   Findings   Est. Cost
🔒 Security       A       5          $4,200
🏗️ Architecture   C       18         $56,784
📊 Quality        B       57         $25,116
📦 Dependencies   A       1          $1,560
📝 Naming         A       28         $2,205

Top Risks

Sev   File                            Issue                                   Est. Cost
🔴    backend/src/drift-detector.ts   God file: 1894 lines, 17 functions      $3,744
🟠    agents/agent_base.py            God file: 847 lines, 52 functions       $3,120
🟠    src → routes → auth             Circular dependency across 3 modules    $2,496
🟡    config.ts:42                    Hardcoded API secret (entropy 4.2)      $1,560

▶ 🔒 Security Findings (5) — hardcoded secrets, SQL injection, insecure crypto
▶ 💰 Cost Breakdown — $560K total, architecture $56K, quality $25K
▶ 🛠️ Quick Wins (12) — trivial-effort fixes you can ship today
▶ 📋 SOC 2 Compliance — 7 PASS, 1 CONCERN, 1 FAIL

Before vs. After

Without PullGuard

✓ All checks passed
No code quality, security, or compliance info
  • "We found the SQL injection 3 months after deploy"
  • "The AWS key was in the repo for 6 weeks"
  • "Nobody knew the tech debt was $560K until the audit"

With PullGuard

Grade B · 5 security issues · $560K tech debt
🔴 2 hardcoded secrets · 🟠 1 SQL injection · ⚠️ 3 god files
  • "Caught the hardcoded secret before it reached main"
  • "Security team gets findings with file + line number"
  • "CFO saw the $560K number and approved the refactor budget"

Built for every team

PullGuard surfaces the right information for the right people.

🔒 For Security Teams

Every hardcoded secret, SQL injection, and CVE — with file and line number. Cross-file taint tracking traces user input to database queries across module boundaries. Remediation deadlines: 7 days for critical, 30 for major.
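As an added illustration (not PullGuard's own code), here is a minimal entropy-based hardcoded-secret check of the kind behind a finding such as "config.ts:42 Hardcoded API secret (entropy 4.2)": it walks a constructed config file, scores every long string literal, and reports file, line, severity and a remediation step. The sample file contents, the made-up token, the 4.0-bit threshold and the 20-character minimum are all assumptions for this example.

```python
import math
import re

# Constructed sample input (not a real file): the API_KEY value is a made-up
# high-entropy token; the other literals are ordinary configuration values.
SAMPLE_FILE = "config.ts"
SAMPLE_TEXT = """\
export const API_BASE = "https://api.example.com";
export const RETRIES = 3;
export const API_KEY = "sk_live_9fQ2xLp7Zr4vT8bN1cH6mWyK3dA5sE0u";
export const REGION = "us-east-1";
"""

# Only literals of 20+ characters are scored (the length floor is an
# assumption for this example); short values such as "us-east-1" are skipped.
STRING_LITERAL = re.compile(r'"([^"\n]{20,})"|\'([^\'\n]{20,})\'')


def shannon_entropy(s: str) -> float:
    """Estimate bits of entropy per character from the character histogram."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_for_secrets(path: str, text: str, threshold: float = 4.0) -> list:
    """One finding per string literal whose entropy reaches the threshold.

    4.0 bits/char is an assumed threshold: random API tokens score well above
    it, while URLs, hostnames and ordinary prose usually stay below.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in STRING_LITERAL.finditer(line):
            literal = m.group(1) or m.group(2)
            h = shannon_entropy(literal)
            if h >= threshold:
                findings.append({
                    "file": path,
                    "line": lineno,
                    "severity": "high",
                    "entropy": round(h, 2),
                    "remediation": "Move the value to a CI secret or secret store, "
                                   "read it from the environment, and rotate it.",
                })
    return findings
```

Running scan_for_secrets(SAMPLE_FILE, SAMPLE_TEXT) reports only line 3 (the API_KEY literal); the URL on line 1 is long enough to be scored but stays under the threshold.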

💼 For Engineering Managers

Dollar amounts on tech debt. "$560K to fix everything, or $3.7K to just fix the god file." Category health dashboard shows which areas need attention. Budget conversations backed by real data, not estimates.

📋 For Compliance & Audit

SOC 2 control mapping with PASS/CONCERN/FAIL per control. Automated evidence generation for auditor review. Risk register with remediation deadlines. Compliance trend tracking shows trajectory to Grade A.

๐Ÿ‘ฉโ€๐Ÿ’ป For Developers

Exact fixes with code examples. Not just "fix this" but "here's how." Quick wins highlighted: 12 trivial-effort fixes you can ship today. AI-generated code detection catches vibe-coded patterns that skip error handling.

How it works

1. Add the workflow
   Drop a single YAML file into your repo's .github/workflows/ directory.

2. Open a PR
   PullGuard scans automatically on every pull request. Results appear in the Actions step summary.

3. Ship with confidence
   Grade, score, findings, cost estimate, and compliance status — all before merge.

🔒 Your code never leaves your GitHub runners. The scan engine runs as a container in your CI. Zero third-party access to your repos.

Simple pricing

Per repo, not per seat. No surprises.

Free

$0 forever
  • ✓ 12 core analyzers
  • ✓ Unlimited public repos
  • ✓ 1 private repo
  • ✓ Grade, score, findings
  • ✗ Security & taint analysis
  • ✗ Cost estimation
  • ✗ SOC 2 compliance

Enterprise

$99/mo per repo
  • ✓ Everything in Pro
  • ✓ SOC 2 compliance reports
  • ✓ Custom rules (YAML policies)
  • ✓ Knowledge silo detection
  • ✓ Compliance trend tracking
  • ✓ Breaking change detection
  • ✓ Priority support

Volume discount: 10+ repos $79/mo, 50+ repos $59/mo

Get started in 5 minutes

Add one workflow file to your repo. That's it.

# .github/workflows/pullguard.yml
name: PullGuard
on: [pull_request]
# Least-privilege token: read the checkout, write the PR comment and the check run
permissions:
  contents: read
  pull-requests: write
  checks: write
jobs:
  scan:
    runs-on: ubuntu-latest
    # The scan engine runs as a container on your own runner
    container:
      image: ghcr.io/bazza1love/pullguard:latest
      credentials:
        username: ${{ github.actor }}
        password: ${{ secrets.PULLGUARD_TOKEN }}   # PAT with read:packages (Step 1 below)
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full clone rather than a shallow one
      - run: node /app/entrypoint.js
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PULLGUARD_LICENSE_KEY: ${{ secrets.PULLGUARD_LICENSE_KEY }}   # not needed on the free tier
          PULLGUARD_FAIL_SEVERITY: "critical"
          PULLGUARD_HOURLY_RATE: "150"   # hourly rate used for cost estimates

Step 1: Create a GitHub PAT with read:packages scope. Set it as PULLGUARD_TOKEN in your repo secrets.

Step 2: Set your license key as PULLGUARD_LICENSE_KEY in repo secrets. Request a key or start with the free tier (no key needed).

Step 3: Open a pull request. PullGuard scans it automatically.