32 analyzers scan your code for security vulnerabilities, architecture violations, AI-era threats (prompt injection, vibe-coded patterns), supply-chain risks (GitHub Actions, Dockerfiles, git history), and compliance gaps. Results appear directly in your PR.
Trusted by engineering leaders replacing Semgrep + SonarQube + Snyk + StepSecurity + GitGuardian with one GitHub-native tool. SOC 2 security evidence on every PR. Scales from solo developers to 300-repo multinationals.
Your code never leaves your GitHub runners. Zero third-party access.
PullGuard runs as a Docker container on your own GitHub Actions runners. Scans execute entirely on your infrastructure. Only license validation and finding metadata cross the network: your source code is never transmitted, never stored, never seen by PullGuard servers. Data-residency and air-gapped-friendly by design.
1,456 automated tests back every claim on this page. Each analyzer has unit + integration coverage; every site capability maps to a runnable test in CI. We cannot ship a release that contradicts our marketing: CI will reject it. Review the full feature matrix against your procurement checklist without hand-waving.
Every capability claim on this page is backed by a runnable test. Verify any of it in CI: not marketing copy, auditable code.
Every pull request is scanned automatically. Findings include file, line number, severity, and remediation steps.
This is a real PullGuard report. Every pull request gets this level of detail: grade, risks, costs, remediation steps.
Grade B (31/100) · 624 findings · Est. fix cost: $560,256
Health Dashboard
| Category | Grade | Findings | Est. Cost |
|---|---|---|---|
| Security | A | 5 | $4,200 |
| Architecture | C | 18 | $56,784 |
| Quality | B | 57 | $25,116 |
| Dependencies | A | 1 | $1,560 |
| Naming | A | 28 | $2,205 |
Top Risks
| Sev | File | Issue | Est. Cost |
|---|---|---|---|
| Critical | backend/src/drift-detector.ts | Monolithic file: 1894 lines, 17 functions | $3,744 |
| Major | agents/agent_base.py | Monolithic file: 847 lines, 52 functions | $3,120 |
| Major | src → routes → auth | Circular dependency across 3 modules | $2,496 |
| Moderate | config.ts:42 | Hardcoded API secret (entropy 4.2) | $1,560 |
Most teams need Semgrep for SAST + SonarQube for quality + Snyk for CVEs. PullGuard combines all three.
Verified parity against 8 competitor categories (73 fixtures); 100% OWASP parity with Semgrep Pro (18/18).
| Capability | PullGuard | Semgrep | SonarQube | Snyk |
|---|---|---|---|---|
| OWASP Top 10 detection | 15 checks | Pro ($) | Enterprise ($) | Yes |
| Inter-procedural taint | N-hop BFS | Pro ($) | Enterprise ($) | Yes |
| Code quality analysis | 13 analyzers | No | Core | No |
| Dependency CVE scanning | 6 ecosystems | No | No | Core |
| Cost estimation | $/finding | No | No | No |
| SOC 2 security evidence | 4 controls | No | Enterprise ($) | No |
| AI code detection | 5-signal | No | No | No |
| Self-hosted / air-gapped | Docker (static key required) | Yes | Yes | Cloud only |
PullGuard surfaces the right information for the right stakeholders, so procurement, security review, and rollout happen in parallel, not in sequence.
100% OWASP Top 10 parity with Semgrep Pro. Cross-file N-hop taint tracking across 7 languages. Pwn-request, script injection, and token over-permissions detection: the top CI/CD supply-chain vectors. Dependency CVE scanning across 5 ecosystems, offline-capable. Replaces Semgrep + Snyk + StepSecurity + GitGuardian with one tool, one install, one invoice.
Dollar amounts on tech debt ("$560K to fix everything"). Grade trends over time with ETA-to-Grade-A predictions. Knowledge-silo risk flags single-contributor files. Breaking-change detection with caller blast-radius. AI-generated code detection catches vibe-coded patterns. Budget conversations backed by per-finding estimates, not vibes.
SOC 2 security evidence mapped to defensible controls (CC3.1, CC3.2, CC6.1, CC6.8). PASS / CONCERN / FAIL per control on every PR, giving continuous Type II-ready evidence. Per-PR posture delta: "CC3.2 CONCERN → PASS". Risk register with 7-day-critical / 30-day-major SLA fields. MSA-ready enterprise contracts with reverse-engineering prohibition + DPA.
Add `uses: pullguard-dev/pullguard-action@v1` to your workflow. Free tier, no key needed.
PullGuard scans automatically on every pull request. Results appear in the Actions step summary.
Grade, score, findings, cost estimate, and compliance status, all before merge.
Below is the actual Step Summary PullGuard renders in GitHub Actions on every PR. This is a Team-tier scan showing all 32 analyzers running on a well-maintained codebase. The same layout appears for any repo β green when you're clean, with drill-down details when you're not.
| Category | Grade | Findings | Change |
|---|---|---|---|
| Security (15 OWASP checks) | A | 0 | – |
| Supply Chain (Actions + Dockerfile + git history) | A | 0 | – |
| Dependencies (5 CVE ecosystems) | A | 0 | – |
| Code Quality | A | 0 | – |
| Architecture | A | 0 | – |
| Testing | A | 0 | – |
| Compliance (SOC 2) | A | 0 | – |
| AI Code Detection | A | 0 | – |
| Git History | A | 0 | – |
| Type Coverage | A | 0 | – |
| Severity | Count | Est. Fix Cost |
|---|---|---|
| Critical | 0 | $0 |
| Major | 0 | $0 |
| Moderate | 0 | $0 |
| Total | 0 | $0 |
| Control | Status | Evidence |
|---|---|---|
| CC3.1 (Risk Assessment) | PASS | No unmitigated security findings |
| CC3.2 (Fraud Risk) | PASS | No hardcoded credentials or historical secrets |
| CC6.1 (Logical Access) | PASS | No authentication or authorization weaknesses |
| CC6.8 (Unauthorized Software Prevention) | PASS | All dependencies current, no unpinned GHA, no risky Dockerfile patterns |
This is the same Step Summary you'll see in your GitHub Actions tab on every PR. Enterprise evaluators: this output renders identically for you during your security-review period; the report shape is a contract, not a teaser.
Self-serve for small teams. Enterprise conversations for larger orgs.
Solo developers & single projects.
Startups & mid-sized engineering teams.
Custom contract available: DPA, MSA with reverse-engineering prohibition + audit rights, customer-managed deployment, bespoke rule sets, dedicated CSM, quarterly vendor-risk review.
300+ repos, 100+ developers, regulated industries.
Need more than Team's 10 repos or 20 contributors? Enterprise includes unlimited repos and contributors, dedicated support, and a signed contract. Ask about competitor migration (Semgrep / SonarQube / Snyk) with preserved rulesets.
No account, no email, no credit card. Add one file to your repo.
```yaml
name: PullGuard
on: [pull_request]
permissions:
  contents: read
  pull-requests: write
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: pullguard-dev/pullguard-action@v1
        # Free: 14 analyzers. Add license-key for Pro (31) or Team/Enterprise (all 32 + SOC 2 + custom rules)
```
Add the workflow file above to your repo. That's the entire setup.
PullGuard scans automatically. Grade, findings, and cost estimate appear in Actions.
Add a license key secret to unlock all 32 analyzers, taint tracking, supply-chain + IaC checks, and SOC 2 evidence.
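The licensed variant of the workflow, with the key supplied from a GitHub Actions secret instead of a literal in the file. This is an added example written for this page, not PullGuard's own documentation: `license-key` is assumed to be the action's input name (it is the name used in the comment of the free-tier workflow above), and `PULLGUARD_LICENSE_KEY` is a constructed secret name you choose yourself.

```yaml
name: PullGuard

on: [pull_request]

# Least privilege: the scanner only needs to read the checkout and
# post its findings to the pull request.
permissions:
  contents: read
  pull-requests: write

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Full clone so the git-history checks have commits to examine;
          # the default shallow checkout only contains the tip.
          fetch-depth: 0

      - uses: pullguard-dev/pullguard-action@v1
        with:
          # Assumed input name, taken from the free-tier workflow comment.
          # Read from Actions secrets, never pasted in as a literal: a key
          # committed here is exactly the "hardcoded API secret" finding
          # the scanner reports, and it would land in git history for good.
          license-key: ${{ secrets.PULLGUARD_LICENSE_KEY }}  # constructed secret name
```

Create the secret under the repository's (or organization's) Actions secrets before merging this workflow; GitHub masks the value in job logs, and rotating the key then means updating one secret rather than editing a checked-in file.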
Free tier: no account required. Pro/Enterprise: hello@pullguard.dev