
Code quality, security & compliance
on every pull request

43 analyzers scan your code for security vulnerabilities, architecture violations, AI-era threats (prompt injection, vibe-coded patterns), supply-chain risks (GitHub Actions, Dockerfiles, K8s, git history), and compliance gaps. Per-endpoint risk composition (auth × taint × reachability) — `/api/export · unauthenticated + tainted = critical`. Results appear directly in your PR.

Trusted by engineering leaders replacing Semgrep + SonarQube + Snyk + StepSecurity + GitGuardian with one GitHub-native tool. SOC 2 security evidence on every PR. Scales from solo developers to 300-repo multinationals.


Your code never leaves your GitHub runners. Zero third-party access.

🔒 Your code stays on your runners

PullGuard runs as a Docker container on your own GitHub Actions runners. Scans execute entirely on your infrastructure. Only license validation and finding metadata cross the network — your source code is never transmitted, never stored, never seen by PullGuard servers. Data-residency and air-gapped-friendly by design.

🧾 Every capability is independently verifiable

1,456 automated tests back every claim on this page. Each analyzer has unit + integration coverage; every site capability maps to a runnable test in CI. We cannot ship a release that contradicts our marketing — CI will reject it. Review the full feature matrix against your procurement checklist without hand-waving.

  • 32 Analyzers
  • 1,355 Tests Passing
  • 7 Languages with Taint Tracking
  • 5 CVE Ecosystems
  • 72+ Languages Detected

✓ Every capability claim on this page is backed by a runnable test. Verify any of it in CI — not marketing copy, auditable code.

What PullGuard catches

Every pull request is scanned automatically. Findings include file, line number, severity, and remediation steps.

🔒 Security (15 OWASP Checks)

  • LLM prompt injection — first-mover AI-SAST, taint-tracked (user input → LLM sink)
  • SQL injection, XSS, SSRF, command injection, path traversal
  • Tree-sitter AST parsing (not regex) with N-hop taint tracking across 7 languages (JS/TS, Python, Java, C#, Go, Rust, PHP)
  • Java deserialization (ObjectInputStream, XMLDecoder, XStream, Kryo)
  • XXE, CORS misconfiguration, CSP misconfiguration
  • NoSQL injection (MongoDB/Mongoose find, findOne, updateMany, aggregate)
  • Custom taint sources & sinks via YAML config
  • Hardcoded secrets + Shannon entropy analysis
  • Dependency CVEs across 5 ecosystems (npm, PyPI, Maven, Go, RubyGems)
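
The "hardcoded secrets + Shannon entropy" item above combines two signals: a credential-looking variable name and a random-looking value. The following is an added example written for this page, not PullGuard's own scanner; the regex, the 3.5 bits/char threshold and the sample source are my constructed choices. It shows why the two signals are paired: a keyword match alone flags every `password = "changeme"` placeholder, and entropy alone flags every hash and UUID in the codebase.

```python
import math
import re
from collections import Counter

# Keyword-scoped assignment: a variable whose name suggests a credential, assigned a
# quoted value of 16+ base64/hex-style characters. Names and limits are my choices.
ASSIGNMENT = re.compile(
    r"(?i)(?P<name>[a-z_][a-z0-9_]*(?:key|secret|token|password|passwd|pwd)[a-z0-9_]*)"
    r"\s*[:=]\s*['\"](?P<value>[A-Za-z0-9+/=_\-]{16,})['\"]"
)


def shannon_entropy(s: str) -> float:
    """Bits per character of s's empirical symbol distribution (0.0 for one repeated symbol)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_source(text: str, threshold: float = 3.5) -> list:
    """One finding per credential-looking assignment whose value is high-entropy.

    Pairing the keyword match with entropy keeps placeholders such as 'changeme' out
    and flags random-looking strings; the threshold is a tunable, not a fixed constant.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ASSIGNMENT.finditer(line):
            value = m.group("value")
            ent = shannon_entropy(value)
            if ent >= threshold:
                findings.append({"line": lineno, "name": m.group("name"),
                                 "entropy": round(ent, 2), "preview": value[:4] + "..."})
    return findings


# Constructed fixture (not real credentials): two low-entropy placeholders that a
# keyword-only scanner would flag, one random-looking 32-character key that should be flagged.
SAMPLE_SOURCE = '''\
# constructed fixture for the scanner above
DB_PASSWORD = "changeme_changeme_changeme"
placeholder_token = "aaaaaaaaaaaaaaaaaaaa"
API_KEY = "f9aK3zQ7mL2pX8vB4nR6tY1wE5uI0oJd"
version = "1.2.3"
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['name']} looks like a secret "
              f"({f['entropy']} bits/char, starts {f['preview']})")
```

On the fixture only line 4 is reported: the 32 distinct characters of `API_KEY` give exactly 5.0 bits/char, while `changeme_changeme_changeme` scores about 2.9 and the repeated-`a` placeholder scores 0. Findings carry only a short preview of the value, so the scanner's own output does not become a second copy of the secret.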

🏗️ Code Quality

  • Cyclomatic & cognitive complexity
  • Dead code & unused exports
  • Code duplication (Type 1-3 clones)
  • Monolithic files & deep nesting
  • Import cycles & architecture violations

🤖 AI & Modern Dev

  • AI-generated code detection (5-signal scoring)
  • Breaking change detection (caller blast radius)
  • Knowledge silo risk (single-contributor files)
  • Test quality & flaky test indicators
  • Type coverage gaps

📋 Compliance

  • SOC 2 security evidence (CC3.1, CC3.2, CC6.1, CC6.8)
  • PASS / CONCERN / FAIL per control
  • Per-PR posture delta — "CC3.2 CONCERN→PASS ✅" continuous SOC 2 Type II monitoring
  • Compliance trend tracking + trajectory prediction to Grade A
  • Risk register with remediation SLAs (7 days critical, 30 days major)

🔗 Supply Chain & IaC

  • GitHub Actions security: unpinned actions, pwn-request, script injection, token over-permissions
  • Git-history secret scan — flags credentials committed then deleted (HEAD-delta verified)
  • Dockerfile misconfig: runs-as-root, :latest tag, ADD-from-URL, embedded secrets
  • Dangerous tracked files (.env, .pem, id_rsa, serviceAccountKey.json)
  • Repo hygiene: SECURITY.md, LICENSE, CODEOWNERS, CI workflow presence
  • Kubernetes + Terraform coming Q2 2026
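
The four GitHub Actions checks named in the list above (unpinned actions, pwn-request, script injection, token over-permissions) are the kind of thing a reviewer can verify by eye on a small workflow but not across hundreds of repos. The following is an added example written for this page, not PullGuard's code; the rule names, the regexes, and both sample workflows (written as the dict `yaml.safe_load` would produce, so the block needs no YAML library) are my constructed choices, and the 40-character SHAs in the hardened sample are placeholders, not real commits.

```python
import re
from collections import Counter

# Rule ids (my naming, not PullGuard's).
UNPINNED = "unpinned-action"
PWN_REQUEST = "pwn-request"
SCRIPT_INJECTION = "script-injection"
OVER_PERMISSION = "token-over-permission"

# Event fields GitHub documents as user-controllable; interpolating them into `run:`
# puts untrusted text straight into a shell script.
UNTRUSTED_EXPR = re.compile(
    r"\$\{\{\s*github\.(?:"
    r"event\.(?:issue|pull_request|comment|review|review_comment|discussion)\.(?:title|body)"
    r"|event\.pull_request\.head\.(?:ref|label)"
    r"|event\.commits\[\d+\]\.message"
    r"|head_ref"
    r")\s*\}\}"
)
FULL_SHA = re.compile(r"@[0-9a-f]{40}$")
PR_HEAD_REF = re.compile(r"github\.(?:event\.pull_request\.head\.(?:sha|ref)|head_ref)")
# Triggers that run in the base repository's context with a write-capable token.
PRIVILEGED_TRIGGERS = {"pull_request_target", "workflow_run"}


def _triggers(workflow: dict) -> set:
    # yaml.safe_load turns the bare key `on` into boolean True (YAML 1.1), so accept both.
    on = workflow.get("on", workflow.get(True, {}))
    if isinstance(on, str):
        return {on}
    if isinstance(on, list):
        return set(on)
    return set(on.keys())


def scan_workflow(workflow: dict) -> list:
    """Return findings (rule, where, detail) for one parsed workflow."""
    findings = []
    triggers = _triggers(workflow)

    perms = workflow.get("permissions")
    if perms is None:
        findings.append({"rule": OVER_PERMISSION, "where": "permissions",
                         "detail": "no permissions block; GITHUB_TOKEN gets the repository default scopes"})
    elif perms == "write-all":
        findings.append({"rule": OVER_PERMISSION, "where": "permissions", "detail": "write-all"})
    elif isinstance(perms, dict):
        for scope, level in perms.items():
            if level == "write":
                findings.append({"rule": OVER_PERMISSION, "where": f"permissions.{scope}",
                                 "detail": f"{scope}: write granted to the whole workflow"})

    for job_name, job in workflow.get("jobs", {}).items():
        for i, step in enumerate(job.get("steps", [])):
            where = f"jobs.{job_name}.steps[{i}]"
            uses = step.get("uses", "")
            if uses and not uses.startswith(("./", "docker://")) and not FULL_SHA.search(uses):
                findings.append({"rule": UNPINNED, "where": where,
                                 "detail": f"{uses} is pinned to a tag or branch, not a commit SHA"})
            if uses.startswith("actions/checkout") and triggers & PRIVILEGED_TRIGGERS:
                ref = str(step.get("with", {}).get("ref", ""))
                if PR_HEAD_REF.search(ref):
                    findings.append({"rule": PWN_REQUEST, "where": where,
                                     "detail": f"checks out the PR head ({ref}) under a privileged trigger"})
            m = UNTRUSTED_EXPR.search(step.get("run", ""))
            if m:
                findings.append({"rule": SCRIPT_INJECTION, "where": where,
                                 "detail": f"{m.group(0)} interpolated into a shell script"})
    return findings


def count_by_rule(findings: list) -> Counter:
    return Counter(f["rule"] for f in findings)


# Constructed sample: a workflow with all four weaknesses (parsed form, not real YAML).
RISKY_WORKFLOW = {
    "name": "pr-comment",
    "on": {"pull_request_target": {"types": ["opened"]}},
    "permissions": {"contents": "write", "pull-requests": "write"},
    "jobs": {"build": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4",
         "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
        {"uses": "some-org/some-action@main"},
        {"run": 'echo "Reviewing: ${{ github.event.pull_request.title }}"'},
    ]}},
}

# The same workflow hardened: read-only token, plain pull_request trigger, SHA-pinned
# actions (placeholder SHAs), untrusted text passed through an environment variable.
HARDENED_WORKFLOW = {
    "name": "pr-comment",
    "on": {"pull_request": {}},
    "permissions": {"contents": "read"},
    "jobs": {"build": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@" + "0" * 40},
        {"uses": "some-org/some-action@" + "1" * 40},
        {"env": {"PR_TITLE": "${{ github.event.pull_request.title }}"},
         "run": 'echo "Reviewing: $PR_TITLE"'},
    ]}},
}

if __name__ == "__main__":
    for f in scan_workflow(RISKY_WORKFLOW):
        print(f"{f['rule']:22} {f['where']:24} {f['detail']}")
    print("hardened workflow findings:", len(scan_workflow(HARDENED_WORKFLOW)))
```

The risky sample yields six findings (two write scopes, two unpinned actions, one pwn-request, one script injection) and the hardened sample yields none. The `env:` indirection in the hardened step is the standard fix for script injection: the expression is expanded into a variable, not into the script text, so the checker deliberately scans only `run:`. Note that the page's own quick-start workflow pins `actions/checkout@v4` to a tag; a SHA pin is the stricter setting this checker looks for.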

💰 Cost Estimation

  • Dollar amounts per finding & category
  • Total tech debt cost ("$560K to remediate")
  • Hours to fix at configurable hourly rate
  • Top 5 most expensive findings ranked
  • CFO-ready reports for budget conversations

⚙️ Enterprise

  • Custom rules in YAML (enforce org policies)
  • Custom taint rules — define framework-specific sources, sinks, and sanitizers in YAML
  • API contract validation (OpenAPI drift)
  • SARIF output for GitHub Code Scanning
  • Baseline comparison (delta-only on PRs)
  • Air-gapped deployment (scanner core + legacy/invoice-issued static keys)

Before vs. After

Without PullGuard

✓ All checks passed
No code quality, security, or compliance info
  • "We found the SQL injection 3 months after deploy"
  • "The AWS key was in the repo for 6 weeks"
  • "Nobody knew the tech debt was $560K until the audit"

With PullGuard

Grade B · 5 security issues · $560K tech debt
🔴 2 hardcoded secrets · 🟠 1 SQL injection · ⚠️ 3 monolithic files
  • "Caught the hardcoded secret before it reached main"
  • "Security team gets findings with file + line number"
  • "CFO saw the $560K number and approved the refactor budget"

One tool replaces three

Most teams need Semgrep for SAST + SonarQube for quality + Snyk for CVEs. PullGuard combines all three.

✓ Verified parity against 8 competitor categories (73 fixtures) — 100% OWASP parity with Semgrep Pro (18/18)

| Capability | PullGuard | Semgrep | SonarQube | Snyk |
|---|---|---|---|---|
| OWASP Top 10 detection | 15 checks | Pro ($) | Enterprise ($) | Yes |
| Inter-procedural taint | N-hop BFS | Pro ($) | Enterprise ($) | Yes |
| Code quality analysis | 13 analyzers | No | Core | No |
| Dependency CVE scanning | 5 ecosystems | No | No | Core |
| Cost estimation | $/finding | No | No | No |
| SOC 2 security evidence | 4 controls | No | Enterprise ($) | No |
| AI code detection | 5-signal | No | No | No |
| Self-hosted / air-gapped | Docker (static key required) | Yes | Yes | Cloud only |

Built for the enterprise buying center

PullGuard surfaces the right information for the right stakeholders — so procurement, security review, and rollout happen in parallel, not in sequence.

🛡️ For Security Leaders

100% OWASP Top 10 parity with Semgrep Pro. Cross-file N-hop taint tracking across 7 languages. Pwn-request, script injection, and token over-permissions detection — top CI/CD supply-chain vectors. Dependency CVE scanning across 5 ecosystems, offline-capable. Replaces Semgrep + Snyk + StepSecurity + GitGuardian with one tool, one install, one invoice.

📊 For Engineering Leaders

Dollar amounts on tech debt ("$560K to fix everything"). Grade trends over time with ETA-to-Grade-A predictions. Knowledge-silo risk flags single-contributor files. Breaking-change detection with caller blast-radius. AI-generated code detection catches vibe-coded patterns. Budget conversations backed by per-finding estimates — not vibes.

📋 For Compliance & IT

SOC 2 security evidence mapped to defensible controls (CC3.1, CC3.2, CC6.1, CC6.8). PASS / CONCERN / FAIL per control on every PR — continuous Type II-ready evidence. Per-PR posture delta: "CC3.2 CONCERN→PASS ✅". Risk register with 7-day-critical / 30-day-major SLA fields. MSA-ready enterprise contracts with reverse-engineering prohibition + DPA.

How it works

1. Add one line

Add `uses: pullguard-dev/pullguard-action@v1` to your workflow. Free tier, no key needed.

2. Open a PR

PullGuard scans automatically on every pull request. Results appear in the Actions step summary.

3. Ship with confidence

Grade, score, findings, cost estimate, and compliance status — all before merge.

🔒 Code never leaves your runners
📋 SOC 2 mapped (4 controls, auditor-defensible)
🌐 Air-gapped deployment (static key)
📄 BSL 1.1 licensed (LICENSE) — Apache 2.0 in 2030

What a clean scan looks like

Below is the actual Step Summary PullGuard renders in GitHub Actions on every PR. This is a Team-tier scan showing all 43 analyzers running on a well-maintained codebase. The same layout appears for any repo — green when you're clean, with drill-down details when you're not.

🟢 PullGuard Report
Score: 96/100 · Grade 🟢 A · 0 findings across 247 files · 43/43 analyzers · Team tier
Duration: ~8s (cached rescans <100ms) · License: valid · Trend: improving (85 → 96 over last 5 scans)

📊 Health Dashboard

| Category | Grade | Findings | Change |
|---|---|---|---|
| Security (15 OWASP checks) | A | 0 | |
| Supply Chain (Actions + Dockerfile + git history) | A | 0 | |
| Dependencies (5 CVE ecosystems) | A | 0 | |
| Code Quality | A | 0 | |
| Architecture | A | 0 | |
| Testing | A | 0 | |
| Compliance (SOC 2) | A | 0 | |
| AI Code Detection | A | 0 | |
| Git History | A | 0 | |
| Type Coverage | A | 0 | |

🏆 Top Risks

No critical or major findings. Your codebase is clean.

💰 Cost-of-Change

| Severity | Count | Est. Fix Cost |
|---|---|---|
| Critical | 0 | $0 |
| Major | 0 | $0 |
| Moderate | 0 | $0 |
| Total | 0 | $0 |

📋 SOC 2 Security Evidence

| Control | Status | Evidence |
|---|---|---|
| CC3.1 (Risk Assessment) | ✅ PASS | No unmitigated security findings |
| CC3.2 (Fraud Risk) | ✅ PASS | No hardcoded credentials or historical secrets |
| CC6.1 (Logical Access) | ✅ PASS | No authentication or authorization weaknesses |
| CC6.8 (Unauthorized Software Prevention) | ✅ PASS | All dependencies current, no unpinned GHA, no risky Dockerfile patterns |
Compliance posture delta: CC3.2 CONCERN→PASS ✅ · CC6.8 CONCERN→PASS ✅ (2 controls improved since last scan)

📈 Trend

Improving · Score 85 → 96 over last 5 scans · ETA to Grade A: achieved

Generated by @pullguard/cli in ~8s · 43 analyzers · Team tier

This is the same Step Summary you'll see in your GitHub Actions tab on every PR. Enterprise evaluators: this output renders identically for you during your security-review period — the report shape is a contract, not a teaser.

Simple pricing

Self-serve for small teams. Enterprise conversations for larger orgs.

Free

$0 forever
  • 14 core analyzers (incl. dangerous-files & repo-hygiene)
  • Unlimited public repos
  • 1 private repo
  • Grade, score, findings
  • ✗ Security & taint analysis
  • ✗ Cost estimation
  • ✗ SOC 2 compliance

Pro

$29 per month
  • 42 of 43 analyzers
  • 1 private repo
  • Security & taint analysis
  • AI-generated code detection
  • Cost-of-change estimation
  • SARIF for Code Scanning
  • Dependency CVE database

Solo developers & single projects.

Enterprise

Contact us (annual contract)
  • Everything in Team
  • Unlimited repos & contributors
  • Priority support (4h SLA)
  • SSO (SAML / OIDC)
  • Audit-log export
  • Dedicated Slack channel
  • Air-gapped deployment

Custom contract available: DPA, MSA with reverse-engineering prohibition + audit rights, customer-managed deployment, bespoke rule sets, dedicated CSM, quarterly vendor-risk review.


300+ repos, 100+ developers, regulated industries.

Need more than Team's 10 repos or 20 contributors? Enterprise includes unlimited, dedicated support, and a signed contract. Ask about competitor migration (Semgrep / SonarQube / Snyk) with preserved rulesets.

Get started in 60 seconds

No account, no email, no credit card. Add one file to your repo.

# .github/workflows/pullguard.yml
name: PullGuard
on: [pull_request]
permissions:
  contents: read
  pull-requests: write
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: pullguard-dev/pullguard-action@v1
        # Free: 14 analyzers. Add license-key for Pro (31) or Team/Enterprise (all 32 + SOC 2 + custom rules)

1. Copy the YAML

Add the workflow file above to your repo. That's the entire setup.

2. Open a PR

PullGuard scans automatically. Grade, findings, and cost estimate appear in Actions.

3. Upgrade when ready

Add a license key secret to unlock all 43 analyzers, taint tracking, supply-chain + IaC checks, and SOC 2 evidence.


Free tier — no account required. Pro/Enterprise: hello@pullguard.dev