
Code quality, security & compliance
on every pull request

43 analyzers scan your code for security vulnerabilities, architecture violations, AI-era threats (prompt injection, vibe-coded patterns), supply-chain risks (GitHub Actions, Dockerfiles, K8s, git history), and compliance gaps. Per-endpoint risk composition (auth × taint × reachability) — `/api/export · unauthenticated + tainted = critical`. Results appear directly in your PR.

Trusted by engineering leaders replacing Semgrep + SonarQube + Snyk + StepSecurity + GitGuardian with one GitHub-native tool. SOC 2 security evidence on every PR. Scales from solo developers to 300-repo multinationals.


Your code never leaves your GitHub runners. Zero third-party access.

🔒 Code stays on your runners

Docker container on your own GitHub Actions runners. Source code is never transmitted, stored, or seen by PullGuard servers. Data-residency and air-gapped-friendly by design.

📋 5 compliance frameworks

SOC 2 (8 controls), HIPAA Technical Safeguards, PCI DSS 4.0, NIST 800-53 Rev 5, ISO 27001:2022 — PASS / CONCERN / FAIL per control with AICPA / NIST citation text on every PR.

🧾 Every claim is verifiable

1,800+ automated tests back every capability on this page. CI rejects releases that drift from this marketing. 100% OWASP Top 10 parity verified by 18/18 fixtures vs Semgrep Pro.

📄 Procurement-ready

Business Source License 1.1 → Apache 2.0 in 2030. Enterprise MSA with reverse-engineering prohibition + DPA. Audit-log export, SSO (SAML / OIDC), 4-hour SLA for Enterprise.

43 analyzers · 5 compliance frameworks · 1,800+ tests passing · 7 languages with taint tracking · 5 CVE ecosystems · 72+ languages detected

✓ Every capability claim on this page is backed by a runnable test. Verify any of it in CI — not marketing copy, auditable code.

What PullGuard catches

Every pull request is scanned automatically. Findings include file, line number, severity, and remediation steps.

🔒 Security (15 OWASP Checks)

  • LLM prompt injection — first-mover AI-SAST, taint-tracked (user input → LLM sink)
  • SQL injection, XSS, SSRF, command injection, path traversal
  • Tree-sitter AST with N-hop cross-file taint across 7 languages (JS/TS, Python, Java, C#, Go, Rust, PHP)
  • Java deserialization (ObjectInputStream, XMLDecoder, XStream, Kryo)
  • XXE, CORS / CSP misconfiguration
  • NoSQL injection (MongoDB / Mongoose)
  • SSTI, unsafe reflection, file-upload validation, JWT confusion, cookie security
  • Custom taint sources & sinks via YAML — Brightspot / proprietary CMS hook
  • Dependency CVEs across 5 ecosystems (npm, PyPI, Maven/Gradle, Go, RubyGems)

📋 Compliance Evidence (5 Frameworks)

  • SOC 2 — 8 controls (CC3.1, CC3.2, CC4.1, CC6.1, CC6.2, CC6.7, CC6.8, CC8.2)
  • HIPAA Technical Safeguards (45 CFR §164.312)
  • PCI DSS 4.0 + NIST 800-53 Rev 5 + ISO 27001:2022
  • PASS / CONCERN / FAIL per control with AICPA / NIST citation text
  • Per-PR posture delta — "CC3.2 CONCERN→PASS ✅" continuous Type II monitoring
  • Risk register with remediation SLAs (7d critical, 30d major)

🎯 Endpoint Risk Engine

  • Composes auth × taint × reachability into a per-endpoint risk tier
  • /api/export · unauthenticated + tainted = critical
  • Auth-flow analyzer detects missing or weak authentication on identified endpoints
  • Reachability enrichment filters dead routes from triage
  • Severity discipline: Critical reserved for exploitable security only — not noise
  • Security findings cannot be suppressed at the analyzer level — auditor-defensible by design
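As an added illustration (not PullGuard's code) of how auth, taint and reachability compose into one per-endpoint tier, using the page's `/api/export` case; the tiers below "critical", the actionable/observation split and the sample endpoints are assumptions made here.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    route: str
    authenticated: bool  # auth-flow analyzer: handler sits behind an auth gate
    tainted: bool        # taint tracking: user input reaches a dangerous sink
    reachable: bool      # reachability enrichment: route is actually wired up


def compose_tier(ep: Endpoint):
    """Compose auth x taint x reachability into a single tier.

    'critical' for unauthenticated + tainted follows the page; the lower
    tiers are assumed for illustration. Dead routes return None so they
    drop out of triage entirely instead of inflating the finding count.
    """
    if not ep.reachable:
        return None
    if ep.tainted and not ep.authenticated:
        return "critical"     # exploitable by anyone: tainted sink, no auth gate
    if ep.tainted:
        return "major"        # assumed: tainted sink, but an auth gate is in front
    if not ep.authenticated:
        return "observation"  # assumed: publicly exposed, no tainted sink found
    return None               # authenticated and clean: nothing to report


def triage(endpoints):
    """Map each reachable, reportable route to its composed tier."""
    tiers = {}
    for ep in endpoints:
        tier = compose_tier(ep)
        if tier is not None:
            tiers[ep.route] = tier
    return tiers


def summary_header(tiers):
    """Actionable / observational partition, e.g. '2 actionable (+1 observations)'."""
    actionable = sum(1 for t in tiers.values() if t != "observation")
    return f"{actionable} actionable (+{len(tiers) - actionable} observations)"


# Constructed sample input, not real scan output.
SAMPLE_ENDPOINTS = [
    Endpoint("/api/export", authenticated=False, tainted=True, reachable=True),
    Endpoint("/api/users/{id}", authenticated=True, tainted=True, reachable=True),
    Endpoint("/healthz", authenticated=False, tainted=False, reachable=True),
    Endpoint("/api/v1/legacy-export", authenticated=False, tainted=True, reachable=False),
    Endpoint("/api/me", authenticated=True, tainted=False, reachable=True),
]
```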

🏗️ Code Quality

  • Honest line counts (NCLOC-aligned) — heavily-documented code is not penalised, unlike SonarQube
  • Per-language thresholds — Java 1000, Go 400, TS 600 (vs one-size defaults)
  • Cyclomatic + cognitive complexity
  • Dead code, unused exports, Type 1–3 clone detection
  • Monolithic file / function detection, deep nesting
  • Import cycles, layer violations, transitive cycle detection

🔗 Supply Chain & IaC

  • GitHub Actions security — unpinned actions, pwn-request, script injection, token over-permissions
  • Git-history secret scan — flags credentials committed then deleted
  • Dockerfile misconfig — runs-as-root, :latest tag, ADD-from-URL, embedded secrets
  • Dangerous tracked files — .env, .pem, id_rsa, serviceAccountKey.json
  • Kubernetes (CIS Level 1) — privileged pods, hostNetwork, missing resource limits
  • Repo hygiene — SECURITY.md / LICENSE / CODEOWNERS / CI workflow presence
  • Air-gapped CVE database for offline scanning
  • Terraform IaC scanning — Q2 2026

🤖 AI & Modern Dev

  • AI-generated code detection (5-signal scoring)
  • Breaking change detection with caller blast radius
  • Knowledge silo risk (single-contributor files)
  • Test quality + flaky test indicators
  • Type coverage gaps
  • Dependency freshness scoring (predictive CVE risk)

💰 Cost-of-Change Estimation

  • Dollar amounts per finding + category — configurable hourly rate
  • Actionable / Observational partition — header reads "47 actionable (+286 observations)" instead of inflated all-finding totals
  • Top 5 most expensive findings ranked inline
  • Total tech-debt cost surfaced for budget conversations
  • CFO-ready reports tied to remediation SLAs
  • Auditable suppression: `/pullguard ignore <rule-id>` opens a follow-up PR linking the original finding, so every suppression leaves an audit trail

One tool replaces three

Most teams need Semgrep for SAST + SonarQube for quality + Snyk for CVEs. PullGuard combines all three.

✓ Verified parity against 8 competitor categories (73 fixtures) — 100% OWASP parity with Semgrep Pro (18/18)

Capability                                                   | PullGuard                     | Semgrep | SonarQube      | Snyk
OWASP Top 10 detection                                       | 15 checks                     | Pro ($) | Enterprise ($) | Yes
Inter-procedural taint                                       | N-hop BFS                     | Pro ($) | Enterprise ($) | Yes
Code quality analysis                                        | 13 analyzers                  | No      | Core           | No
Dependency CVE scanning                                      | 5 ecosystems                  | No      | No             | Core
Cost estimation                                              | $/finding                     | No      | No             | No
SOC 2 security evidence                                      | 8 controls                    | No      | Enterprise ($) | No
Multi-framework compliance (HIPAA / PCI / NIST / ISO 27001)  | All 4                         | No      | No             | No
AI code detection                                            | 5-signal                      | No      | No             | No
Self-hosted / air-gapped                                     | Docker (static key required)  | Yes     | Yes            | Cloud only

Built for the enterprise buying center

PullGuard surfaces the right information for the right stakeholders — so procurement, security review, and rollout happen in parallel, not in sequence.

🛡️ For Security Leaders

100% OWASP Top 10 parity with Semgrep Pro. Cross-file N-hop taint tracking across 7 languages. Pwn-request, script injection, and token over-permissions detection — top CI/CD supply-chain vectors. Dependency CVE scanning across 5 ecosystems, offline-capable. Replaces Semgrep + Snyk + StepSecurity + GitGuardian with one tool, one install, one invoice.

📊 For Engineering Leaders

Dollar amounts on tech debt ("$560K to fix everything"). Grade trends over time with ETA-to-Grade-A predictions. Knowledge-silo risk flags single-contributor files. Breaking-change detection with caller blast-radius. AI-generated code detection catches vibe-coded patterns. Budget conversations backed by per-finding estimates — not vibes.

📋 For Compliance & IT

Five compliance frameworks on every PR: SOC 2 (8 controls), HIPAA Technical Safeguards, PCI DSS 4.0, NIST 800-53 Rev 5, ISO 27001:2022. PASS / CONCERN / FAIL per control with AICPA / NIST citation text — continuous Type II-ready evidence. Per-PR posture delta: "CC3.2 CONCERN→PASS ✅". Risk register with 7-day-critical / 30-day-major SLA fields. MSA-ready enterprise contracts with reverse-engineering prohibition + DPA.

What a clean scan looks like

Below is the actual Step Summary PullGuard renders in GitHub Actions on every PR. This is a Team-tier scan showing all 43 analyzers running on a well-maintained codebase. The same layout appears for any repo — green when you're clean, with drill-down details when you're not.

🟢 PullGuard Report
Score: 96/100 · Grade 🟢 A · 0 findings across 247 files · 43/43 analyzers · Team tier
Duration: ~8s (cached rescans <100ms) · License: valid · Trend: improving (85 → 96 over last 5 scans)

📊 Health Dashboard

Category                                           | Grade | Findings | Change
Security (15 OWASP checks)                         | A     | 0        |
Supply Chain (Actions + Dockerfile + git history)  | A     | 0        |
Dependencies (5 CVE ecosystems)                    | A     | 0        |
Code Quality                                       | A     | 0        |
Architecture                                       | A     | 0        |
Testing                                            | A     | 0        |
Compliance (SOC 2)                                 | A     | 0        |
AI Code Detection                                  | A     | 0        |
Git History                                        | A     | 0        |
Type Coverage                                      | A     | 0        |

🏆 Top Risks

No critical or major findings. Your codebase is clean.

💰 Cost-of-Change

Severity | Count | Est. Fix Cost
Critical | 0     | $0
Major    | 0     | $0
Moderate | 0     | $0
Total    | 0     | $0

📋 SOC 2 Security Evidence (8 controls)

Control                                     | Status  | Evidence
CC3.1 (Risk Assessment)                     | ✅ PASS | No unmitigated security findings
CC3.2 (Fraud Risk)                          | ✅ PASS | No hardcoded credentials or historical secrets
CC4.1 (Continuous Monitoring)               | ✅ PASS | Per-PR scans + trend tracking provide ongoing evidence
CC6.1 (Logical Access)                      | ✅ PASS | No authentication or authorization weaknesses
CC6.2 (Authentication)                      | ✅ PASS | No weak / missing auth on identified endpoints
CC6.7 (Cryptographic Controls)              | ✅ PASS | No insecure crypto, weak RNG, or timing-attack vectors
CC6.8 (Unauthorized Software Prevention)    | ✅ PASS | All dependencies current, no unpinned GHA, no risky Dockerfile patterns
CC8.2 (Change Impact Analysis)              | ✅ PASS | Breaking-change detection + caller blast radius surfaced

Compliance posture delta: CC3.2 CONCERN→PASS ✅ · CC6.8 CONCERN→PASS ✅ (2 controls improved since last scan) · Plus HIPAA / PCI DSS 4.0 / NIST 800-53 / ISO 27001:2022 sections, opt-in via the `compliance:` key in .driftrc.yml

📈 Trend

Improving · Score 85 → 96 over last 5 scans · ETA to Grade A: achieved

Generated by @pullguard/cli in ~8s · 43 analyzers · Team tier

This is the same Step Summary you'll see in your GitHub Actions tab on every PR. Enterprise evaluators: this output renders identically for you during your security-review period — the report shape is a contract, not a teaser.

Simple pricing

Self-serve for small teams. Enterprise conversations for larger orgs.

Free

$0 forever
  • 14 core analyzers (incl. dangerous-files & repo-hygiene)
  • Unlimited public repos
  • 1 private repo
  • Grade, score, findings
  • ✗ Security & taint analysis
  • ✗ Cost estimation
  • ✗ SOC 2 compliance

Pro

$29 per month
  • 42 of 43 analyzers
  • 1 private repo
  • Security & taint analysis
  • AI-generated code detection
  • Cost-of-change estimation
  • SARIF for Code Scanning
  • Dependency CVE database

Solo developers & single projects.

Enterprise

Contact us (annual contract)
  • Everything in Team
  • Unlimited repos & contributors
  • Priority support (4h SLA)
  • SSO (SAML / OIDC)
  • Audit-log export
  • Dedicated Slack channel
  • Air-gapped deployment

Custom contract available: DPA, MSA with reverse-engineering prohibition + audit rights, customer-managed deployment, bespoke rule sets, dedicated CSM, quarterly vendor-risk review.


300+ repos, 100+ developers, regulated industries.

Need more than Team's 10 repos or 20 contributors? Enterprise includes unlimited, dedicated support, and a signed contract. Ask about competitor migration (Semgrep / SonarQube / Snyk) with preserved rulesets.

Get started in 60 seconds

No account, no email, no credit card. Add one file to your repo.

# .github/workflows/pullguard.yml
name: PullGuard
on: [pull_request]
permissions:
  contents: read
  pull-requests: write
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: pullguard-dev/pullguard-action@v1
        # Free: 14 analyzers. Add license-key for Pro (42 of 43) or Team/Enterprise (all 43 + custom rules + 5 compliance frameworks)
1. Copy the YAML

Add the workflow file above to your repo. That's the entire setup.

2. Open a PR

PullGuard scans automatically. Grade, findings, and cost estimate appear in Actions.

3. Upgrade when ready

Add a license key secret to unlock all 43 analyzers, taint tracking, supply-chain + IaC checks, and SOC 2 evidence.

Free tier — no account required. Pro/Team/Enterprise: hello@pullguard.dev