Code quality, security & compliance on every pull request

27 analyzers scan your code for security vulnerabilities, architecture violations, AI-generated patterns, custom taint rules, and compliance gaps. Results appear directly in your PR.


Your code never leaves your GitHub runners. Zero third-party access.

27 Analyzers
930 Tests Passing
7 Languages with Taint Tracking
6 CVE Ecosystems
72+ Languages Detected

What PullGuard catches

Every pull request is scanned automatically. Findings include file, line number, severity, and remediation steps.

🔒 Security (15 OWASP Checks)

  • SQL injection, XSS, SSRF, command injection, path traversal
  • N-hop taint tracking across 7 languages (JS, Python, Java, C#, Go, Rust, PHP)
  • Java deserialization (ObjectInputStream, XMLDecoder, XStream, Kryo)
  • XXE, CORS misconfiguration, CSP misconfiguration
  • NoSQL injection (MongoDB/Mongoose find, findOne, updateMany, aggregate)
  • Custom taint sources & sinks via YAML config
  • Hardcoded secrets + Shannon entropy analysis
  • Dependency CVEs across 6 ecosystems (npm, PyPI, Maven/Gradle, Go, Ruby)
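As an added illustration (not PullGuard's own code), here is a minimal entropy-based hardcoded-secret check of the kind the "Shannon entropy analysis" bullet and the sample report's "entropy 4.2" finding describe; the identifier pattern, the 3.5-bit threshold, the 16-character minimum and the sample source are all assumptions.

```python
import math
import re

def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for empty or single-symbol strings)."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())

# Assumed pattern: a string literal assigned to an identifier whose name suggests a credential.
SECRET_ASSIGN = re.compile(
    r'(?i)\b([A-Z0-9_]*(?:key|secret|token|password)[A-Z0-9_]*)\s*[:=]\s*["\']([^"\']+)["\']'
)

def find_hardcoded_secrets(source: str, threshold: float = 3.5, min_len: int = 16) -> list:
    """Return one finding per line whose credential-like literal is long and high-entropy.

    threshold and min_len are assumed values, not PullGuard's. Short literals are skipped
    because a handful of characters cannot reach a meaningful entropy either way, and a
    repetitive placeholder such as "xxxx..." scores near zero and is not reported.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = SECRET_ASSIGN.search(line)
        if not m or len(m.group(2)) < min_len:
            continue
        ent = shannon_entropy(m.group(2))
        if ent >= threshold:
            findings.append({"line": lineno, "name": m.group(1), "entropy": round(ent, 2)})
    return findings

# Constructed sample source, not taken from any real repository.
SAMPLE = """\
const API_KEY = "9aK3pQ7xLm2ZbR8tVw4nYc6Fd1Hg5Js0";
const DB_PASSWORD = "password";
const LOG_LEVEL = "debug";
api_token = "xxxxxxxxxxxxxxxxxxxxxxxx"
"""

if __name__ == "__main__":
    for f in find_hardcoded_secrets(SAMPLE):
        print(f"line {f['line']}: {f['name']} looks like a hardcoded secret (entropy {f['entropy']})")
```

Only line 1 is reported: the 32-character literal uses 32 distinct symbols, so its entropy is exactly 5.0 bits per character, while the placeholder and the short password fall below the cut-offs.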
๐Ÿ—๏ธ

Code Quality

  • Cyclomatic & cognitive complexity
  • Dead code & unused exports
  • Code duplication (Type 1-3 clones)
  • God files & deep nesting
  • Import cycles & architecture violations
🤖 AI & Modern Dev

  • AI-generated code detection (5-signal scoring)
  • Breaking change detection (caller blast radius)
  • Knowledge silo risk (single-contributor files)
  • Test quality & flaky test indicators
  • Type coverage gaps
📋 Compliance

  • SOC 2 compliance reports (9 controls mapped)
  • PASS / CONCERN / FAIL per control
  • Compliance trend tracking over time
  • Risk register with remediation steps
  • Trajectory prediction to Grade A
💰 Cost Estimation

  • Dollar amounts per finding & category
  • Total tech debt cost ("$560K to remediate")
  • Hours to fix at configurable hourly rate
  • Top 5 most expensive findings ranked
  • CFO-ready reports for budget conversations
⚙️ Enterprise

  • Custom rules in YAML (enforce org policies)
  • Custom taint rules: define framework-specific sources, sinks, and sanitizers in YAML
  • API contract validation (OpenAPI drift)
  • SARIF output for GitHub Code Scanning
  • Baseline comparison (delta-only on PRs)
  • Air-gapped deployment support

What you'll see on every PR

This is a real PullGuard report. Every pull request gets this level of detail: grade, risks, costs, remediation steps.

PullGuard Report

Grade B (31/100) · 624 findings · Est. fix cost: $560,256

Health Dashboard

Category          Grade   Findings   Est. Cost
🔒 Security       A       5          $4,200
🏗️ Architecture   C       18         $56,784
📊 Quality        B       57         $25,116
📦 Dependencies   A       1          $1,560
Naming            A       28         $2,205

Top Risks

Sev   File                            Issue                                  Est. Cost
🔴    backend/src/drift-detector.ts   God file: 1894 lines, 17 functions     $3,744
🟠    agents/agent_base.py            God file: 847 lines, 52 functions      $3,120
🟠    src → routes → auth             Circular dependency across 3 modules   $2,496
🟡    config.ts:42                    Hardcoded API secret (entropy 4.2)     $1,560

🔒 Security Findings (5): hardcoded secrets, SQL injection, insecure crypto
💰 Cost Breakdown: $560K total, architecture $56K, quality $25K
🛠️ Quick Wins (12): trivial-effort fixes you can ship today
📋 SOC 2 Compliance: 7 PASS, 1 CONCERN, 1 FAIL

Before vs. After

Without PullGuard

✓ All checks passed
No code quality, security, or compliance info
  • "We found the SQL injection 3 months after deploy"
  • "The AWS key was in the repo for 6 weeks"
  • "Nobody knew the tech debt was $560K until the audit"

With PullGuard

Grade B · 5 security issues · $560K tech debt
🔴 2 hardcoded secrets · 🟠 1 SQL injection · ⚠️ 3 god files
  • "Caught the hardcoded secret before it reached main"
  • "Security team gets findings with file + line number"
  • "CFO saw the $560K number and approved the refactor budget"
๐Ÿข

Proven on enterprise Java codebases

PullGuard identified a reflected XSS vulnerability in a Fortune 500 client's codebase before their manual penetration test found it. The pen test had 10 findings; PullGuard caught the 2 that are detectable via static analysis, with zero false positives.

2/2 Real findings caught
0 False positives
8/10 Pen test findings = runtime issues (not SAST-detectable)

One tool replaces three

Most teams need Semgrep for SAST + SonarQube for quality + Snyk for CVEs. PullGuard combines all three.

Capability                 PullGuard      Semgrep   SonarQube        Snyk
OWASP Top 10 detection     15 checks      Pro ($)   Enterprise ($)   Yes
Inter-procedural taint     N-hop BFS      Pro ($)   Enterprise ($)   Yes
Code quality analysis      13 analyzers   No        Core             No
Dependency CVE scanning    6 ecosystems   No        No               Core
Cost estimation            $/finding      No        No               No
SOC 2 compliance           9 controls     No        Enterprise ($)   No
AI code detection          5-signal       No        No               No
Self-hosted / air-gapped   Docker         Yes       Yes              Cloud only

Built for every team

PullGuard surfaces the right information for the right people.

🔒 For Security Teams

Every hardcoded secret, SQL injection, and CVE, with file and line number. Cross-file taint tracking traces user input to database queries across module boundaries. Remediation deadlines: 7 days for critical, 30 for major.

💼 For Engineering Managers

Dollar amounts on tech debt. "$560K to fix everything, or $3.7K to just fix the god file." Category health dashboard shows which areas need attention. Budget conversations backed by real data, not estimates.

📋 For Compliance & Audit

SOC 2 control mapping with PASS/CONCERN/FAIL per control. Automated evidence generation for auditor review. Risk register with remediation deadlines. Compliance trend tracking shows trajectory to Grade A.

๐Ÿ‘ฉโ€๐Ÿ’ป For Developers

Exact fixes with code examples. Not just "fix this" but "here's how." Quick wins highlighted: 12 trivial-effort fixes you can ship today. AI-generated code detection catches vibe-coded patterns that skip error handling.

How it works

1. Add one line

Add uses: bazza1love/pullguard-action@v1 to your workflow. Free tier, no key needed.

2. Open a PR

PullGuard scans automatically on every pull request. Results appear in the Actions step summary.

3. Ship with confidence

Grade, score, findings, cost estimate, and compliance status, all before merge.

🔒 Code never leaves your runners
📋 SOC 2 mapped (9 controls)
Air-gapped deployment support
📄 BSL 1.1 licensed (Apache 2.0 in 2030)

Simple pricing

Per repo, not per seat. No surprises.

Free

$0
forever
  • ✓ 12 core analyzers
  • ✓ Unlimited public repos
  • ✓ 1 private repo
  • ✓ Grade, score, findings
  • ✗ Security & taint analysis
  • ✗ Cost estimation
  • ✗ SOC 2 compliance

Enterprise

$99/mo
per repo
  • ✓ Everything in Pro
  • ✓ SOC 2 compliance reports
  • ✓ Custom rules (YAML policies)
  • ✓ Knowledge silo detection
  • ✓ Compliance trend tracking
  • ✓ Breaking change detection
  • ✓ Priority support

Volume discount: 10+ repos $79/mo, 50+ repos $59/mo

Get started in 60 seconds

No account, no email, no credit card. Add one file to your repo.

# .github/workflows/pullguard.yml
name: PullGuard
on: [pull_request]
permissions:
  contents: read
  pull-requests: write
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: bazza1love/pullguard-action@v1
        # Free: 12 analyzers. Add license-key for Pro (27) or Enterprise (27 + SOC 2)
1. Copy the YAML

Add the workflow file above to your repo. That's the entire setup.

2. Open a PR

PullGuard scans automatically. Grade, findings, and cost estimate appear in Actions.

3. Upgrade when ready

Add a license key secret to unlock all 27 analyzers, taint tracking, and SOC 2 compliance.

Free tier: no account required. Pro/Enterprise: hello@pullguard.dev