Add PullGuard to a GitHub repository in under five minutes. Three install paths: pick the one that matches your team size and procurement process.
43 analyzers grouped into six capability categories. Every category produces findings with severity, file:line location, remediation guidance, and (where relevant) a dollar-cost estimate. Free tier runs 14 of the 43; paid tiers unlock the rest.
SQL / XSS / SSRF / command / path injection, LLM prompt injection, deserialisation, CORS / CSP misconfigurations, missing CSRF, JWT confusion, cookie security, HTTP security headers, SSTI, unsafe reflection, file-upload validation, cryptographic hygiene, generic injection sinks. Tree-sitter AST parsing with N-hop cross-file taint tracking across seven languages (JS / TS, Python, Java, C#, Go, Rust, PHP).
Cyclomatic and cognitive complexity, Type-1 to Type-3 clone detection, dead code and unused exports, monolithic-file detection (NCLOC-aligned, so heavily documented code is not penalised), deep nesting, naming conventions, file naming, error-handling patterns, test patterns, API consistency.
Layer violations (e.g., domain code calling presentation), circular dependencies, transitive cycle detection across the full module graph, type-coverage gaps in TypeScript, OpenAPI contract drift between code and spec, module-system inconsistencies, knowledge-silo files (single-contributor risk).
Dependency CVEs across five ecosystems (npm, PyPI, Maven / Gradle, Go, RubyGems) using the OSV database; works air-gapped against a local mirror. Dependency freshness scoring, breaking-change detection on shared interfaces, dangerous-files detection (tracked secrets, private keys, credentials), git-history secret scanning across the last 100 commits.
AI-generated code detection (5-signal scoring across multiple languages), per-PR cost-of-change estimation in dollars, breaking-change blast-radius analysis with caller counts, GitHub Actions workflow security (unpinned actions, pwn-request, script injection, token over-permissions), Dockerfile misconfigurations, Kubernetes IaC checks (CIS Level 1 baseline).
SOC 2 (8 controls: CC3.1, CC3.2, CC4.1, CC6.1, CC6.2, CC6.7, CC6.8, CC8.2), HIPAA Technical Safeguards (45 CFR §164.312), PCI DSS 4.0, NIST 800-53 Rev 5, ISO 27001:2022. Each control is mapped to the analyzers that produce evidence; reports show PASS / CONCERN / FAIL per control with violation counts and AICPA / NIST citation text.
Three paths: same scanner image, same workflow file, different license tier.
Every public and private GitHub repository can run the free tier without an account or license key. You get the 12 commodity SAST / quality checks plus the supply-chain "dangerous files" and "repo hygiene" analyzers.
1. Drop this workflow file at .github/workflows/pullguard.yml:

    name: PullGuard
    on:
      pull_request:
        branches: [main]
      push:
        branches: [main]
    permissions:
      contents: read
      pull-requests: write
      checks: write
    jobs:
      scan:
        runs-on: ubuntu-latest
        steps:
          - uses: actions/checkout@v4
            with:
              fetch-depth: 0   # Required for git-history analyzers
          - uses: pullguard-dev/pullguard-action@v1

2. Open a pull request.
PullGuard runs on every PR push, posts a comment with findings, writes a Step Summary to the Actions tab, and uploads the JSON / Markdown report as a workflow artifact.
Pro unlocks 42 of 43 analyzers for one private repository: the full deep-analysis catalogue except enterprise custom rules. Team adds custom rules + 10 private repositories + 20 contributors. Both bind to your organisation/repo at first scan; re-binding requires a support email.
1. Buy at pullguard.dev/#pricing via Stripe checkout.
Pro is $29/month, Team is $99/month. Stripe handles billing, invoicing, and tax. Cancel from your Stripe customer portal.
2. Receive your pg_live_* license token by email (instant).
3. Add the token as a repository secret named PULLGUARD_LICENSE_KEY:
GitHub repo → Settings → Secrets and variables → Actions → New repository secret. Or for organisation-wide use: Settings → Secrets at the org level.
4. Reference it in your workflow:
    - uses: pullguard-dev/pullguard-action@v1
      with:
        license-key: ${{ secrets.PULLGUARD_LICENSE_KEY }}

On the next PR scan, all 42/43 analyzers run, multi-framework compliance evidence appears, and the cost-estimation dollar amounts populate.
Enterprise adds the GitHub Marketplace pullguard-code-scanner App (which provisions the workflow file automatically), native Check Run annotations on the PR Files-changed view, SSO, audit-log export, a 4-hour response SLA, and an annual contract with a master service agreement and data-processing addendum.
1. Contact sales:
Email hello@pullguard.dev to book a 30-minute call. We'll discuss repo count, contributor count, compliance frameworks in scope, and procurement requirements.
2. Install the GitHub App:
After contract signature, install pullguard-code-scanner on your GitHub organisation. The App auto-opens a provisioning pull request with the four-line workflow file ready to merge.
3. Enable native Check Run rendering:
    - uses: pullguard-dev/pullguard-action@v1
      with:
        license-key: ${{ secrets.PULLGUARD_LICENSE_KEY }}
        report-to-app: true

With report-to-app: true the PR-comment and Step-Summary surfaces continue to work, and findings also appear as native Check Run annotations on the Files-changed view (line-level red flags, inline severity badges).
On the next pull request after install, four customer-visible surfaces light up:
A comment posted on the pull request showing grade, score, severity breakdown, top 10 actionable findings inline, expandable <details> sections for Cost Breakdown / Health Dashboard / SOC 2 Evidence / Security Findings / Quick Wins, and a footer link back to the workflow run for the full report.
The Step Summary in the Actions tab is the richer view: full Health Dashboard with per-category grade and cost, Top Risks table sorted by remediation cost, Security Findings callout, all 8 SOC 2 controls with PASS / CONCERN / FAIL, plus HIPAA / PCI / NIST / ISO 27001 evidence sections.
pullguard-report.json + pullguard-report.md uploaded to the workflow run, retained 30 days, downloadable for programmatic ingestion or audit archive.
With report-to-app: true, findings appear as inline annotations on the Files-changed view of the pull request: clickable red / orange / yellow flags with severity, file:line, and remediation guidance. Same data the PR comment shows; native GitHub UX.
Two configuration surfaces. Both are optional; PullGuard works out of the box.
The with: block on pullguard-action@v1: set the failure threshold, your developer hourly rate, the path to scan, point at a custom .driftrc.yml, and so on.
.driftrc.yml: a per-repository configuration file. Override per-language complexity thresholds, enable / disable individual analyzers, define enterprise custom rules, configure the dependency-vulnerability database location, set per-PR baseline files for delta-only scanning.
.pullguardignore: a suppression file for false positives. File-glob patterns and rule:<rule-id> entries. Security-category analyzers cannot be suppressed.
Full reference at Configuration →.
The PullGuard scanner is a Docker image (ghcr.io/pullguard-dev/pullguard:latest) that runs as a container on your own GitHub Actions runners. Source code is analyzed locally; only license validation (Stripe-issued pg_live_* tokens) and dependency-vulnerability lookups (OSV API) make outbound network calls. Air-gapped mode disables all external calls using a local vulnerability database; see Configuration → Air-gapped mode.