πŸ› οΈ Maintenance in progress β€” new subscriptions paused briefly while we upgrade infrastructure. Existing customers are unaffected. Back online within the hour. Questions? hello@pullguard.dev

Code quality, security & compliance on every pull request

32 analyzers scan your code for security vulnerabilities, architecture violations, AI-era threats (prompt injection, vibe-coded patterns), supply-chain risks (GitHub Actions, Dockerfiles, git history), and compliance gaps. Results appear directly in your PR.


Your code never leaves your GitHub runners. Zero third-party access.

  • 32 analyzers
  • 1,355 tests passing
  • 7 languages with taint tracking
  • 5 CVE ecosystems
  • 72+ languages detected

✓ Every capability claim on this page is backed by a runnable test. Verify any of it in CI — not marketing copy, auditable code.

What PullGuard catches

Every pull request is scanned automatically. Findings include file, line number, severity, and remediation steps.

🔒 Security (15 OWASP Checks)

  • LLM prompt injection — first-mover AI-SAST, taint-tracked (user input → LLM sink)
  • SQL injection, XSS, SSRF, command injection, path traversal
  • Tree-sitter AST parsing (not regex) with N-hop taint tracking across 7 languages (JS, Python, Java, C#, Go, Rust, PHP)
  • Java deserialization (ObjectInputStream, XMLDecoder, XStream, Kryo)
  • XXE, CORS misconfiguration, CSP misconfiguration
  • NoSQL injection (MongoDB/Mongoose find, findOne, updateMany, aggregate)
  • Custom taint sources & sinks via YAML config
  • Hardcoded secrets + Shannon entropy analysis
  • Dependency CVEs across 5 ecosystems (npm, PyPI, Maven, Go, RubyGems)
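As an added illustration of the entropy-based hardcoded-secret check named in the list above (this is example code, not PullGuard's own; the thresholds, the assignment regular expression and the sample source lines are assumptions made for the example), the following Python scores quoted literals assigned to credential-like names by Shannon entropy. The entropy gate is what separates a real key from a long placeholder such as a run of repeated characters, which a name-only match would flag:

```python
import math
import re
from collections import Counter

# Constructed sample source lines (not from PullGuard or the page). The key-like
# string on the first line is made up and is not a real credential.
SAMPLE_LINES = [
    'const API_SECRET = "sk_live_8f3aK2mQ9zP4vL7nR1tY6wX0bC5dE2gH";',
    'const greeting = "hello world";',
    'const AUTH_TOKEN = "aaaaaaaaaaaaaaaaaaaaaaaa";',  # long but low entropy: a placeholder
    'password = "changeme"',                           # too short to score
]

# Assumed thresholds (PullGuard's real values are not on the page).
MIN_LENGTH = 20     # ignore short literals; real keys are rarely this short
MIN_ENTROPY = 3.5   # bits per character; random base62/hex keys score well above this

# A quoted literal assigned to a name that looks credential-related.
SECRET_ASSIGNMENT = re.compile(
    r'(?i)\b([a-z_]*(?:secret|key|token|password|passwd|pwd)[a-z0-9_]*)'
    r'\s*[:=]\s*["\']([^"\']+)["\']'
)


def shannon_entropy(s: str) -> float:
    """Shannon entropy of a string in bits per character (0.0 for empty input)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def find_hardcoded_secrets(lines):
    """Return one finding per line whose credential-named literal is long and high-entropy."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        m = SECRET_ASSIGNMENT.search(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        if len(value) < MIN_LENGTH:
            continue
        entropy = shannon_entropy(value)
        if entropy < MIN_ENTROPY:
            continue  # repeated characters or plain words: most likely a placeholder
        findings.append({
            "line": lineno,
            "name": name,
            "entropy": round(entropy, 2),
            "remediation": "move the value to a secret store or environment variable and rotate it",
        })
    return findings


if __name__ == "__main__":
    for f in find_hardcoded_secrets(SAMPLE_LINES):
        print(f"line {f['line']}: hardcoded secret in {f['name']} (entropy {f['entropy']})")
```

Only the first sample line is reported: the repeated-character token is long but scores 0 bits per character, and the short password literal never reaches the entropy stage. A production scanner would also run the entropy gate over the whole file rather than only over assignments, so that keys embedded in URLs or config blobs are not missed.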
πŸ—οΈ

Code Quality

  • Cyclomatic & cognitive complexity
  • Dead code & unused exports
  • Code duplication (Type 1-3 clones)
  • Monolithic files & deep nesting
  • Import cycles & architecture violations
🤖 AI & Modern Dev

  • AI-generated code detection (5-signal scoring)
  • Breaking change detection (caller blast radius)
  • Knowledge silo risk (single-contributor files)
  • Test quality & flaky test indicators
  • Type coverage gaps
📋 Compliance

  • SOC 2 security evidence (CC3.1, CC3.2, CC6.1, CC6.8)
  • PASS / CONCERN / FAIL per control
  • Per-PR posture delta ("CC3.2 CONCERN→PASS ✅") for continuous SOC 2 Type II monitoring
  • Compliance trend tracking + trajectory prediction to Grade A
  • Risk register with remediation SLAs (7 days critical, 30 days major)
🔗 Supply Chain & IaC

  • GitHub Actions security: unpinned actions, pwn-request, script injection, token over-permissions
  • Git-history secret scan — flags credentials committed then deleted (HEAD-delta verified)
  • Dockerfile misconfig: runs-as-root, :latest tag, ADD-from-URL, embedded secrets
  • Dangerous tracked files (.env, .pem, id_rsa, serviceAccountKey.json)
  • Repo hygiene: SECURITY.md, LICENSE, CODEOWNERS, CI workflow presence
  • Kubernetes + Terraform coming Q2 2026
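As an added example of the four GitHub Actions checks in the list above (unpinned actions, pwn-request, script injection, token over-permissions), the Python below runs a line-based heuristic over two constructed workflows, one risky and one hardened. This is not PullGuard's code: the detection patterns, the sample workflows and the 40-hex placeholder SHA are assumptions for the example, and a line scanner is a simplification of a real YAML parse:

```python
import re

# Constructed sample workflow (not from the page). It deliberately contains each of
# the four weaknesses the list above names, so every check fires at least once.
RISKY_WORKFLOW = """\
name: ci
on: [pull_request_target]
permissions: write-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: some-org/some-action@main
      - run: echo "Title: ${{ github.event.pull_request.title }}"
"""

# The same job hardened: read-only token, pull_request trigger, SHA-pinned action,
# untrusted text passed through an env var instead of interpolated into the shell.
# The 40-hex SHA is a placeholder, not a real commit.
SAFE_WORKFLOW = """\
name: ci
on: [pull_request]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - run: echo "Title: $PR_TITLE"
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
"""

USES = re.compile(r'^\s*-?\s*uses:\s*([^\s@]+)@(\S+)')        # owner/repo@ref (skips ./local and docker://)
FULL_SHA = re.compile(r'^[0-9a-f]{40}$')                        # the only ref that cannot be moved
RUN_START = re.compile(r'^(\s*)-?\s*run:\s*(.*)$')
# PR head checked out under a privileged trigger: the classic pwn-request shape.
PR_HEAD_REF = re.compile(r'ref:\s*\$\{\{\s*github\.(?:head_ref|event\.pull_request\.head)')
# Attacker-controlled event fields that must never be interpolated into a shell step.
UNTRUSTED_EXPR = re.compile(
    r'\$\{\{\s*github\.(?:head_ref|event\.(?:pull_request\.(?:title|body)'
    r'|issue\.(?:title|body)|comment\.body))'
)


def check_workflow(text):
    """Return a list of {line, kind, detail} findings for one workflow file."""
    findings = []
    lines = text.splitlines()
    on_target = any(re.search(r'\bpull_request_target\b', l) for l in lines)
    if not any(re.match(r'^\s*permissions:', l) for l in lines):
        findings.append({"line": 0, "kind": "token-over-permission",
                         "detail": "no permissions block; GITHUB_TOKEN falls back to the repository default"})
    run_indent = None  # indentation of an open multi-line `run: |` block, else None
    for lineno, line in enumerate(lines, start=1):
        indent = len(line) - len(line.lstrip())
        if run_indent is not None and line.strip() and indent <= run_indent:
            run_indent = None  # the block ended at this dedent
        m = USES.match(line)
        if m and not FULL_SHA.match(m.group(2)):
            findings.append({"line": lineno, "kind": "unpinned-action",
                             "detail": f"{m.group(1)}@{m.group(2)} is a mutable tag or branch; pin to a full commit SHA"})
        if re.match(r'^\s*permissions:\s*write-all', line):
            findings.append({"line": lineno, "kind": "token-over-permission",
                             "detail": "write-all grants every scope; declare only the scopes each job needs"})
        if on_target and PR_HEAD_REF.search(line):
            findings.append({"line": lineno, "kind": "pwn-request",
                             "detail": "pull_request_target runs with write token and secrets while checking out untrusted PR code"})
        rm = RUN_START.match(line)
        if (rm is not None or run_indent is not None) and UNTRUSTED_EXPR.search(line):
            findings.append({"line": lineno, "kind": "script-injection",
                             "detail": "untrusted event text interpolated into a shell step; pass it via env instead"})
        if rm and rm.group(2).strip() in ("|", ">", "|-", ">-"):
            run_indent = len(rm.group(1))
    return findings


if __name__ == "__main__":
    for f in check_workflow(RISKY_WORKFLOW):
        print(f"line {f['line']}: {f['kind']}: {f['detail']}")
    print("safe workflow findings:", check_workflow(SAFE_WORKFLOW))
```

The risky workflow yields five findings (two unpinned actions, one each of the other three kinds) and the hardened one yields none; note that the `env:` line in the safe workflow still references the PR title but is not reported, because the expression is expanded into an environment variable rather than into shell syntax.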
💰 Cost Estimation

  • Dollar amounts per finding & category
  • Total tech debt cost ("$560K to remediate")
  • Hours to fix at configurable hourly rate
  • Top 5 most expensive findings ranked
  • CFO-ready reports for budget conversations
⚙️ Enterprise

  • Custom rules in YAML (enforce org policies)
  • Custom taint rules — define framework-specific sources, sinks, and sanitizers in YAML
  • API contract validation (OpenAPI drift)
  • SARIF output for GitHub Code Scanning
  • Baseline comparison (delta-only on PRs)
  • Air-gapped deployment (scanner core + legacy/invoice-issued static keys)

What you'll see on every PR

This is a real PullGuard report. Every pull request gets this level of detail — grade, risks, costs, remediation steps.

PullGuard Report

Grade B (31/100) · 624 findings · Est. fix cost: $560,256

Health Dashboard

Category | Grade | Findings | Est. Cost
🔒 Security | A | 5 | $4,200
🏗️ Architecture | C | 18 | $56,784
📊 Quality | B | 57 | $25,116
📦 Dependencies | A | 1 | $1,560
📝 Naming | A | 28 | $2,205

Top Risks

Sev | File | Issue | Est. Cost
🔴 | backend/src/drift-detector.ts | Monolithic file: 1894 lines, 17 functions | $3,744
🟠 | agents/agent_base.py | Monolithic file: 847 lines, 52 functions | $3,120
🟠 | src → routes → auth | Circular dependency across 3 modules | $2,496
🟡 | config.ts:42 | Hardcoded API secret (entropy 4.2) | $1,560

▶ 🔒 Security Findings (5) — hardcoded secrets, SQL injection, insecure crypto
▶ 💰 Cost Breakdown — $560K total, architecture $56K, quality $25K
▶ 🛠️ Quick Wins (12) — trivial-effort fixes you can ship today
▶ 📋 SOC 2 Security Evidence — 3 PASS, 1 CONCERN

Before vs. After

Without PullGuard

✓ All checks passed
No code quality, security, or compliance info
  • "We found the SQL injection 3 months after deploy"
  • "The AWS key was in the repo for 6 weeks"
  • "Nobody knew the tech debt was $560K until the audit"

With PullGuard

Grade B · 5 security issues · $560K tech debt
🔴 2 hardcoded secrets · 🟠 1 SQL injection · ⚠️ 3 monolithic files
  • "Caught the hardcoded secret before it reached main"
  • "Security team gets findings with file + line number"
  • "CFO saw the $560K number and approved the refactor budget"

One tool replaces three

Most teams need Semgrep for SAST + SonarQube for quality + Snyk for CVEs. PullGuard combines all three.

✓ Verified parity against 8 competitor categories (73 fixtures) — 100% OWASP parity with Semgrep Pro (18/18)

Capability | PullGuard | Semgrep | SonarQube | Snyk
OWASP Top 10 detection | 15 checks | Pro ($) | Enterprise ($) | Yes
Inter-procedural taint | N-hop BFS | Pro ($) | Enterprise ($) | Yes
Code quality analysis | 13 analyzers | No | Core | No
Dependency CVE scanning | 6 ecosystems | No | No | Core
Cost estimation | $/finding | No | No | No
SOC 2 security evidence | 4 controls | No | Enterprise ($) | No
AI code detection | 5-signal | No | No | No
Self-hosted / air-gapped | Docker (static key required) | Yes | Yes | Cloud only

Built for every team

PullGuard surfaces the right information for the right people.

🔒 For Security Teams

Every hardcoded secret, SQL injection, and CVE — with file and line number. Cross-file taint tracking traces user input to database queries across module boundaries. Detects pwn-request, script injection, and token over-permissions — the top CI/CD supply-chain attack vectors of 2024–2026. Remediation deadlines: 7 days for critical, 30 for major.

💼 For Engineering Managers

Dollar amounts on tech debt. "$560K to fix everything, or $3.7K to just fix the monolithic file." Category health dashboard shows which areas need attention. Budget conversations backed by real data, not estimates.

📋 For Compliance & Audit

SOC 2 control mapping with PASS/CONCERN/FAIL per control. Automated evidence generation for auditor review. Risk register with remediation deadlines. Compliance trend tracking shows trajectory to Grade A.

👩‍💻 For Developers

Exact fixes with code examples. Not just "fix this" but "here's how." Quick wins highlighted: 12 trivial-effort fixes you can ship today. AI-generated code detection catches vibe-coded patterns that skip error handling.

How it works

1. Add one line

Add uses: pullguard-dev/pullguard-action@v1 to your workflow. Free tier, no key needed.

2. Open a PR

PullGuard scans automatically on every pull request. Results appear in the Actions step summary.

3. Ship with confidence

Grade, score, findings, cost estimate, and compliance status — all before merge.

🔒 Code never leaves your runners
📋 SOC 2 mapped (4 controls, auditor-defensible)
🌐 Air-gapped deployment (static key)
📄 BSL 1.1 licensed (Apache 2.0 in 2030)

Simple pricing

Self-serve for small teams. Enterprise conversations for larger orgs.

Free

$0
forever
  • ✓ 14 core analyzers (incl. dangerous-files & repo-hygiene)
  • ✓ Unlimited public repos
  • ✓ 1 private repo
  • ✓ Grade, score, findings
  • ✗ Security & taint analysis
  • ✗ Cost estimation
  • ✗ SOC 2 compliance
Get Started Free

Pro

$29 per month
  • ✓ 31 of 32 analyzers
  • ✓ 1 private repo
  • ✓ Security & taint analysis
  • ✓ AI-generated code detection
  • ✓ Cost-of-change estimation
  • ✓ SARIF for Code Scanning
  • ✓ Dependency CVE database

Solo developers & single projects.

Enterprise

Contact us
annual contract
  • ✓ Everything in Team
  • ✓ Unlimited repos & contributors
  • ✓ Priority support (4h SLA)
  • ✓ SSO (SAML / OIDC)
  • ✓ Audit-log export
  • ✓ Dedicated Slack channel
  • ✓ Air-gapped deployment
Contact sales

300+ repos, 100+ developers, regulated industries.

Need more than Team's 10 repos or 20 contributors? Enterprise includes unlimited, dedicated support, and a signed contract.

Get started in 60 seconds

No account, no email, no credit card. Add one file to your repo.

# .github/workflows/pullguard.yml
name: PullGuard
on: [pull_request]
permissions:
  contents: read
  pull-requests: write
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: pullguard-dev/pullguard-action@v1
        # Free: 14 analyzers. Add license-key for Pro (31) or Team/Enterprise (all 32 + SOC 2 + custom rules)
1. Copy the YAML

Add the workflow file above to your repo. That's the entire setup.

2. Open a PR

PullGuard scans automatically. Grade, findings, and cost estimate appear in Actions.

3. Upgrade when ready

Add a license key secret to unlock all 32 analyzers, taint tracking, supply-chain + IaC checks, and SOC 2 evidence.

View on GitHub Marketplace

Free tier — no account required. Pro/Enterprise: hello@pullguard.dev