Code quality, security & compliance
on every pull request

27 analyzers scan your code for security vulnerabilities, architecture violations, AI-generated patterns, custom taint rules, and compliance gaps. Results appear directly in your PR.


Your code never leaves your GitHub runners. Zero third-party access.

  • 27 analyzers
  • 998 tests passing
  • 7 languages with taint tracking
  • 6 CVE ecosystems
  • 72+ languages detected

What PullGuard catches

Every pull request is scanned automatically. Findings include file, line number, severity, and remediation steps.

🔒 Security (15 OWASP Checks)

  • SQL injection, XSS, SSRF, command injection, path traversal
  • N-hop taint tracking across 7 languages (JS, Python, Java, C#, Go, Rust, PHP)
  • Java deserialization (ObjectInputStream, XMLDecoder, XStream, Kryo)
  • XXE, CORS misconfiguration, CSP misconfiguration
  • NoSQL injection (MongoDB/Mongoose find, findOne, updateMany, aggregate)
  • Custom taint sources & sinks via YAML config
  • Hardcoded secrets + Shannon entropy analysis
  • Dependency CVEs across 6 ecosystems (npm, PyPI, Maven/Gradle, Go, Ruby)
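To illustrate the entropy signal behind the "Hardcoded secrets + Shannon entropy analysis" check, here is an added example (written for this page, not PullGuard's own implementation): it scans constructed source lines for string literals and flags those whose Shannon entropy reaches an assumed 4.0 bits/character threshold, the neighbourhood of the "entropy 4.2" finding in the sample report.

```python
import math
import re

# Constructed sample file, modelled on the "config.ts:42 Hardcoded API secret
# (entropy 4.2)" finding in the sample report. The token on line 3 is made up.
SAMPLE_SOURCE = '''\
export const API_URL = "http://localhost:3000";
export const RETRIES = "3";
const apiKey = "9fX2qL7vT4mZ8wK1pR6yB3nD5hJ0cAeU";
export const LOG_LEVEL = "debug";
'''

# A double- or single-quoted string literal of at least 16 characters;
# anything shorter is too short for a key and too noisy to score.
STRING_LITERAL = re.compile(r'["\']([^"\'\n]{16,})["\']')


def shannon_entropy(s: str) -> float:
    """Bits per character: -sum(p(c) * log2 p(c)) over the distinct characters."""
    if not s:
        return 0.0
    counts = {}
    for c in s:
        counts[c] = counts.get(c, 0) + 1
    n = len(s)
    return -sum((k / n) * math.log2(k / n) for k in counts.values())


def find_high_entropy_literals(source: str, threshold: float = 4.0):
    """Return (line, literal, entropy) for literals at or above the threshold.

    The 4.0 bits/char default is an assumption: random API tokens score
    roughly 4.5 to 5 bits/char, while URLs, paths and English text stay
    around 3 to 3.8, so a cut-off in between separates the two in practice.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in STRING_LITERAL.finditer(line):
            value = m.group(1)
            h = shannon_entropy(value)
            if h >= threshold:
                findings.append((lineno, value, round(h, 2)))
    return findings


if __name__ == "__main__":
    for lineno, value, h in find_high_entropy_literals(SAMPLE_SOURCE):
        print(f"line {lineno}: possible hardcoded secret (entropy {h}) -> {value[:6]}...")
```

Entropy alone also fires on legitimate high-entropy literals such as hashes or base64-encoded assets, so a scanner pairs it with pattern rules and an allowlist before reporting.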
๐Ÿ—๏ธ

Code Quality

  • Cyclomatic & cognitive complexity
  • Dead code & unused exports
  • Code duplication (Type 1-3 clones)
  • Monolithic files & deep nesting
  • Import cycles & architecture violations
🤖 AI & Modern Dev

  • AI-generated code detection (5-signal scoring)
  • Breaking change detection (caller blast radius)
  • Knowledge silo risk (single-contributor files)
  • Test quality & flaky test indicators
  • Type coverage gaps
📋 Compliance

  • SOC 2 compliance reports (9 controls mapped)
  • PASS / CONCERN / FAIL per control
  • Compliance trend tracking over time
  • Risk register with remediation steps
  • Trajectory prediction to Grade A
💰 Cost Estimation

  • Dollar amounts per finding & category
  • Total tech debt cost ("$560K to remediate")
  • Hours to fix at configurable hourly rate
  • Top 5 most expensive findings ranked
  • CFO-ready reports for budget conversations
⚙️ Enterprise

  • Custom rules in YAML (enforce org policies)
  • Custom taint rules: define framework-specific sources, sinks, and sanitizers in YAML
  • API contract validation (OpenAPI drift)
  • SARIF output for GitHub Code Scanning
  • Baseline comparison (delta-only on PRs)
  • Air-gapped deployment support

What you'll see on every PR

This is a real PullGuard report. Every pull request gets this level of detail: grade, risks, costs, remediation steps.

PullGuard Report

Grade B (31/100) · 624 findings · Est. fix cost: $560,256

Health Dashboard

| Category        | Grade | Findings | Est. Cost |
|-----------------|-------|----------|-----------|
| 🔒 Security     | A     | 5        | $4,200    |
| 🏗️ Architecture | C     | 18       | $56,784   |
| 📊 Quality      | B     | 57       | $25,116   |
| 📦 Dependencies | A     | 1        | $1,560    |
| 📝 Naming       | A     | 28       | $2,205    |

Top Risks

| Sev | File                          | Issue                                      | Est. Cost |
|-----|-------------------------------|--------------------------------------------|-----------|
| 🔴  | backend/src/drift-detector.ts | Monolithic file: 1894 lines, 17 functions  | $3,744    |
| 🟠  | agents/agent_base.py          | Monolithic file: 847 lines, 52 functions   | $3,120    |
| 🟠  | src → routes → auth           | Circular dependency across 3 modules       | $2,496    |
| 🟡  | config.ts:42                  | Hardcoded API secret (entropy 4.2)         | $1,560    |

▶ 🔒 Security Findings (5): hardcoded secrets, SQL injection, insecure crypto
▶ 💰 Cost Breakdown: $560K total, architecture $56K, quality $25K
▶ 🛠️ Quick Wins (12): trivial-effort fixes you can ship today
▶ 📋 SOC 2 Compliance: 7 PASS, 1 CONCERN, 1 FAIL

Before vs. After

Without PullGuard

✓ All checks passed
No code quality, security, or compliance info
  • "We found the SQL injection 3 months after deploy"
  • "The AWS key was in the repo for 6 weeks"
  • "Nobody knew the tech debt was $560K until the audit"

With PullGuard

Grade B · 5 security issues · $560K tech debt
🔴 2 hardcoded secrets · 🟠 1 SQL injection · ⚠️ 3 monolithic files
  • "Caught the hardcoded secret before it reached main"
  • "Security team gets findings with file + line number"
  • "CFO saw the $560K number and approved the refactor budget"

One tool replaces three

Most teams need Semgrep for SAST + SonarQube for quality + Snyk for CVEs. PullGuard combines all three.

| Capability               | PullGuard    | Semgrep  | SonarQube      | Snyk       |
|--------------------------|--------------|----------|----------------|------------|
| OWASP Top 10 detection   | 15 checks    | Pro ($)  | Enterprise ($) | Yes        |
| Inter-procedural taint   | N-hop BFS    | Pro ($)  | Enterprise ($) | Yes        |
| Code quality analysis    | 13 analyzers | No       | Core           | No         |
| Dependency CVE scanning  | 6 ecosystems | No       | No             | Core       |
| Cost estimation          | $/finding    | No       | No             | No         |
| SOC 2 compliance         | 9 controls   | No       | Enterprise ($) | No         |
| AI code detection        | 5-signal     | No       | No             | No         |
| Self-hosted / air-gapped | Docker       | Yes      | Yes            | Cloud only |

Built for every team

PullGuard surfaces the right information for the right people.

🔒 For Security Teams

Every hardcoded secret, SQL injection, and CVE, each with file and line number. Cross-file taint tracking traces user input to database queries across module boundaries. Remediation deadlines: 7 days for critical, 30 for major.

💼 For Engineering Managers

Dollar amounts on tech debt. "$560K to fix everything, or $3.7K to just fix the monolithic file." Category health dashboard shows which areas need attention. Budget conversations backed by real data, not estimates.

📋 For Compliance & Audit

SOC 2 control mapping with PASS/CONCERN/FAIL per control. Automated evidence generation for auditor review. Risk register with remediation deadlines. Compliance trend tracking shows trajectory to Grade A.

๐Ÿ‘ฉโ€๐Ÿ’ป For Developers

Exact fixes with code examples. Not just "fix this" but "here's how." Quick wins highlighted: 12 trivial-effort fixes you can ship today. AI-generated code detection catches vibe-coded patterns that skip error handling.

How it works

1. Add one line
Add uses: bazza1love/pullguard-action@v1 to your workflow. Free tier, no key needed.

2. Open a PR
PullGuard scans automatically on every pull request. Results appear in the Actions step summary.

3. Ship with confidence
Grade, score, findings, cost estimate, and compliance status, all before merge.

🔒 Code never leaves your runners
📋 SOC 2 mapped (9 controls)
🌐 Air-gapped deployment support
📄 BSL 1.1 licensed (Apache 2.0 in 2030)

Simple pricing

No per-seat pricing. No surprises.

Free: $0 forever
  • ✓ 12 core analyzers
  • ✓ Unlimited public repos
  • ✓ 1 private repo
  • ✓ Grade, score, findings
  • ✗ Security & taint analysis
  • ✗ Cost estimation
  • ✗ SOC 2 compliance

Enterprise: $99 per month
  • ✓ Everything in Pro
  • ✓ Unlimited repos
  • ✓ SOC 2 compliance reports
  • ✓ Custom rules (YAML policies)
  • ✓ Custom taint sources & sinks
  • ✓ Breaking change detection
  • ✓ Priority support

Need multiple Pro repos? Enterprise includes unlimited repos for your entire org.

Get started in 60 seconds

No account, no email, no credit card. Add one file to your repo.

# .github/workflows/pullguard.yml
name: PullGuard
on: [pull_request]
permissions:
  contents: read
  pull-requests: write
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: bazza1love/pullguard-action@v1
        # Free: 12 analyzers. Add license-key for Pro (27) or Enterprise (27 + SOC 2)
1. Copy the YAML
Add the workflow file above to your repo. That's the entire setup.

2. Open a PR
PullGuard scans automatically. Grade, findings, and cost estimate appear in Actions.

3. Upgrade when ready
Add a license key secret to unlock all 27 analyzers, taint tracking, and SOC 2 compliance.


Free tier: no account required. Pro/Enterprise: hello@pullguard.dev