Code quality, security & compliance
on every pull request

43 analyzers scan your code for security vulnerabilities, architecture violations, AI-era threats (prompt injection, vibe-coded patterns), supply-chain risks (GitHub Actions, Dockerfiles, K8s, git history), and compliance gaps. Per-endpoint risk composition (auth × taint × reachability) — `/api/export · unauthenticated + tainted = critical`. Results appear directly in your PR.

Trusted by engineering leaders replacing Semgrep + SonarQube + Snyk + StepSecurity + GitGuardian with one GitHub-native tool. SOC 2 security evidence on every PR. Scales from solo developers to 300-repo multinationals.

Start Free See Features Talk to Sales

Your code never leaves your GitHub runners. Zero third-party access.

🔒

Code stays on your runners

Docker container on your own GitHub Actions runners. Source code is never transmitted, stored, or seen by PullGuard servers. Data-residency and air-gapped-friendly by design.

📋

5 compliance frameworks

SOC 2 (8 controls), HIPAA Technical Safeguards, PCI DSS 4.0, NIST 800-53 Rev 5, ISO 27001:2022 — PASS / CONCERN / FAIL per control with AICPA / NIST citation text on every PR.

🧾

Every claim is verifiable

1,800+ automated tests back every capability on this page. CI rejects releases that drift from this marketing. 100% OWASP Top 10 parity verified by 18/18 fixtures vs Semgrep Pro.

📄

Procurement-ready

Business Source License 1.1 → Apache 2.0 in 2030. Enterprise MSA with reverse-engineering prohibition + DPA. Audit-log export, SSO (SAML / OIDC), 4-hour SLA for Enterprise.

Analyzers

Compliance Frameworks

1,800+

Tests Passing

Languages with Taint Tracking

CVE Ecosystems

72+

Languages Detected

✓ Every capability claim on this page is backed by a runnable test. Verify any of it in CI — not marketing copy, auditable code.

What PullGuard catches

Every pull request is scanned automatically. Findings include file, line number, severity, and remediation steps.

🔒

Security (15 OWASP Checks)

LLM prompt injection — first-mover AI-SAST, taint-tracked (user input → LLM sink)
SQL injection, XSS, SSRF, command injection, path traversal
Tree-sitter AST with N-hop cross-file taint across 7 languages (JS/TS, Python, Java, C#, Go, Rust, PHP)
Java deserialization (ObjectInputStream, XMLDecoder, XStream, Kryo)
XXE, CORS / CSP misconfiguration
NoSQL injection (MongoDB / Mongoose)
SSTI, unsafe reflection, file-upload validation, JWT confusion, cookie security
Custom taint sources & sinks via YAML — Brightspot / proprietary CMS hook
Dependency CVEs across 5 ecosystems (npm, PyPI, Maven/Gradle, Go, RubyGems)

📋

Compliance Evidence (5 Frameworks)

SOC 2 — 8 controls (CC3.1, CC3.2, CC4.1, CC6.1, CC6.2, CC6.7, CC6.8, CC8.2)
HIPAA Technical Safeguards (45 CFR §164.312)
PCI DSS 4.0 + NIST 800-53 Rev 5 + ISO 27001:2022
PASS / CONCERN / FAIL per control with AICPA / NIST citation text
Per-PR posture delta — "CC3.2 CONCERN→PASS ✅" continuous Type II monitoring
Risk register with remediation SLAs (7d critical, 30d major)

🎯

Endpoint Risk Engine

Composes auth × taint × reachability into a per-endpoint risk tier
/api/export · unauthenticated + tainted = critical
Auth-flow analyzer detects missing or weak authentication on identified endpoints
Reachability enrichment filters dead routes from triage
Severity discipline: Critical reserved for exploitable security only — not noise
Security findings cannot be suppressed at the analyzer level — auditor-defensible by design

🏗️

Code Quality

Honest line counts (NCLOC-aligned) — heavily-documented code is not penalised, unlike SonarQube
Per-language thresholds — Java 1000, Go 400, TS 600 (vs one-size defaults)
Cyclomatic + cognitive complexity
Dead code, unused exports, Type 1–3 clone detection
Monolithic file / function detection, deep nesting
Import cycles, layer violations, transitive cycle detection

🔗

Supply Chain & IaC

GitHub Actions security — unpinned actions, pwn-request, script injection, token over-permissions
Git-history secret scan — flags credentials committed then deleted
Dockerfile misconfig — runs-as-root, :latest tag, ADD-from-URL, embedded secrets
Dangerous tracked files — .env, .pem, id_rsa, serviceAccountKey.json
Kubernetes (CIS Level 1) — privileged pods, hostNetwork, missing resource limits
Repo hygiene — SECURITY.md / LICENSE / CODEOWNERS / CI workflow presence
Air-gapped CVE database for offline scanning
Terraform IaC scanning — Q2 2026

🤖

AI & Modern Dev

AI-generated code detection (5-signal scoring)
Breaking change detection with caller blast radius
Knowledge silo risk (single-contributor files)
Test quality + flaky test indicators
Type coverage gaps
Dependency freshness scoring (predictive CVE risk)

💰

Cost-of-Change Estimation

Dollar amounts per finding + category — configurable hourly rate
Actionable / Observational partition — header reads "47 actionable (+286 observations)" instead of inflated all-finding totals
Top 5 most expensive findings ranked inline
Total tech-debt cost surfaced for budget conversations
CFO-ready reports tied to remediation SLAs
Auditable suppression — /pullguard ignore <rule-id> opens a follow-up PR linking the original finding for audit trail

One tool replaces three

Most teams need Semgrep for SAST + SonarQube for quality + Snyk for CVEs. PullGuard combines all three.

✓ Verified parity against 8 competitor categories (73 fixtures) — 100% OWASP parity with Semgrep Pro (18/18)

Capability	PullGuard	Semgrep	SonarQube	Snyk
OWASP Top 10 detection	15 checks	Pro ($)	Enterprise ($)	Yes
Inter-procedural taint	N-hop BFS	Pro ($)	Enterprise ($)	Yes
Code quality analysis	13 analyzers	No	Core	No
Dependency CVE scanning	5 ecosystems	No	No	Core
Cost estimation	$/finding	No	No	No
SOC 2 security evidence	8 controls	No	Enterprise ($)	No
Multi-framework compliance (HIPAA / PCI / NIST / ISO 27001)	All 4	No	No	No
AI code detection	5-signal	No	No	No
Self-hosted / air-gapped	Docker (static key required)	Yes	Yes	Cloud only

Built for the enterprise buying center

PullGuard surfaces the right information for the right stakeholders — so procurement, security review, and rollout happen in parallel, not in sequence.

🛡️ For Security Leaders

100% OWASP Top 10 parity with Semgrep Pro. Cross-file N-hop taint tracking across 7 languages. Pwn-request, script injection, and token over-permissions detection — top CI/CD supply-chain vectors. Dependency CVE scanning across 5 ecosystems, offline-capable. Replaces Semgrep + Snyk + StepSecurity + GitGuardian with one tool, one install, one invoice.

📊 For Engineering Leaders

Dollar amounts on tech debt ("$560K to fix everything"). Grade trends over time with ETA-to-Grade-A predictions. Knowledge-silo risk flags single-contributor files. Breaking-change detection with caller blast-radius. AI-generated code detection catches vibe-coded patterns. Budget conversations backed by per-finding estimates — not vibes.

📋 For Compliance & IT

Five compliance frameworks on every PR: SOC 2 (8 controls), HIPAA Technical Safeguards, PCI DSS 4.0, NIST 800-53 Rev 5, ISO 27001:2022. PASS / CONCERN / FAIL per control with AICPA / NIST citation text — continuous Type II-ready evidence. Per-PR posture delta: "CC3.2 CONCERN→PASS ✅". Risk register with 7-day-critical / 30-day-major SLA fields. MSA-ready enterprise contracts with reverse-engineering prohibition + DPA.

What a clean scan looks like

Below is the actual Step Summary PullGuard renders in GitHub Actions on every PR. This is a Team-tier scan showing all 43 analyzers running on a well-maintained codebase. The same layout appears for any repo — green when you're clean, with drill-down details when you're not.

🟢 PullGuard Report

Score: 96/100 · Grade 🟢 A · 0 findings across 247 files · 43/43 analyzers · Team tier

Duration: ~8s (cached rescans <100ms) · License: valid · Trend: improving (85 → 96 over last 5 scans)

📊 Health Dashboard

Category	Grade	Change
Security (15 OWASP checks)	A	—
Supply Chain (Actions + Dockerfile + git history)	A	—
Dependencies (5 CVE ecosystems)	A	—
Code Quality	A	—
Architecture	A	—
Testing	A	—
Compliance (SOC 2)	A	—
AI Code Detection	A	—
Git History	A	—
Type Coverage	A	—

🏆 Top Risks

No critical or major findings. Your codebase is clean.

💰 Cost-of-Change

Severity	Count	Est. Fix Cost
Critical	0	$0
Major	0	$0
Moderate	0	$0
Total	0	$0

📋 SOC 2 Security Evidence (8 controls)

Control	Status	Evidence
CC3.1 (Risk Assessment)	✅ PASS	No unmitigated security findings
CC3.2 (Fraud Risk)	✅ PASS	No hardcoded credentials or historical secrets
CC4.1 (Continuous Monitoring)	✅ PASS	Per-PR scans + trend tracking provide ongoing evidence
CC6.1 (Logical Access)	✅ PASS	No authentication or authorization weaknesses
CC6.2 (Authentication)	✅ PASS	No weak / missing auth on identified endpoints
CC6.7 (Cryptographic Controls)	✅ PASS	No insecure crypto, weak RNG, or timing-attack vectors
CC6.8 (Unauthorized Software Prevention)	✅ PASS	All dependencies current, no unpinned GHA, no risky Dockerfile patterns
CC8.2 (Change Impact Analysis)	✅ PASS	Breaking-change detection + caller blast radius surfaced

Compliance posture delta: CC3.2 CONCERN→PASS ✅ · CC6.8 CONCERN→PASS ✅ (2 controls improved since last scan) · Plus HIPAA / PCI DSS 4.0 / NIST 800-53 / ISO 27001:2022 sections opt-in via compliance: in .driftrc.yml

📈 Trend

Improving · Score 85 → 96 over last 5 scans · ETA to Grade A: achieved

Generated by @pullguard/cli in ~8s · 43 analyzers · Team tier

This is the same Step Summary you'll see in your GitHub Actions tab on every PR. Enterprise evaluators: this output renders identically for you during your security-review period — the report shape is a contract, not a teaser.

Simple pricing

Self-serve for small teams. Enterprise conversations for larger orgs.

Free

forever

✓ 14 core analyzers (incl. dangerous-files & repo-hygiene)
✓ Unlimited public repos
✓ 1 private repo
✓ Grade, score, findings
✗ Security & taint analysis
✗ Cost estimation
✗ SOC 2 compliance

Get Started Free

Pro

$29/mo

per month

✓ 42 of 43 analyzers
✓ 1 private repo
✓ Security & taint analysis
✓ AI-generated code detection
✓ Cost-of-change estimation
✓ SARIF for Code Scanning
✓ Dependency CVE database

Join the Pro waitlist →

Solo developers & single projects.

Team

$99/mo

per month

✓ Everything in Pro
✓ Up to 10 private repos
✓ Unlimited contributors
✓ All 43 analyzers
✓ Custom rules (YAML policies)
✓ Custom taint sources & sinks
✓ SOC 2 compliance reports

Join the Team waitlist →

Startups & mid-sized engineering teams.

Enterprise

annual contract

✓ Everything in Team
✓ Unlimited repos & contributors
✓ Priority support (4h SLA)
✓ SSO (SAML / OIDC)
✓ Audit-log export
✓ Dedicated Slack channel
✓ Air-gapped deployment

Custom contract available: DPA, MSA with reverse-engineering prohibition + audit rights, customer-managed deployment, bespoke rule sets, dedicated CSM, quarterly vendor-risk review.

Book a 30-min call

300+ repos, 100+ developers, regulated industries.

Need more than Team's 10 repos or 20 contributors? Enterprise includes unlimited, dedicated support, and a signed contract. Ask about competitor migration (Semgrep / SonarQube / Snyk) with preserved rulesets.

Get started in 60 seconds

No account, no email, no credit card. Add one file to your repo.

# .github/workflows/pullguard.yml

name: PullGuard
on: [pull_request]
permissions:
  contents: read
  pull-requests: write
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: pullguard-dev/pullguard-action@v1
        # Free: 14 analyzers. Add license-key for Pro (42 of 43) or Team/Enterprise (all 43 + custom rules + 5 compliance frameworks)

Copy the YAML

Add the workflow file above to your repo. That's the entire setup.

Open a PR

PullGuard scans automatically. Grade, findings, and cost estimate appear in Actions.

Upgrade when ready

Add a license key secret to unlock all 43 analyzers, taint tracking, supply-chain + IaC checks, and SOC 2 evidence.

Read the install guide View on GitHub Marketplace

Free tier — no account required. Pro/Team/Enterprise: hello@pullguard.dev

Code quality, security & compliance on every pull request