
MergeGuide Documentation

MergeGuide enforces code policies across your development workflow. Every commit and pull request runs through 711 detection rules across 15 languages. Security findings appear where developers work — VS Code, Git, GitHub, GitLab, Bitbucket, Azure DevOps.

How It Works

  • Real-time feedback (IDE): the VS Code extension catches violations as you type.
  • Git-level enforcement: pre-commit hooks block policy violations before they reach a PR.
  • PR gate (all 4 SCM platforms): evaluation results post inline on every pull request, and each violation is flagged with remediation guidance.
  • Compliance export: evidence flows to your auditor as NIST OSCAL v1.1.2 or as an SBOM (CycloneDX / SPDX).

Enforcement Layers

Where           Tool                When
Code editor     VS Code Extension   As you type
AI assistants   MCP Server          Code generation
Local commits   Git hooks           Pre-commit, pre-push
Pull requests   Webhook gate        All 4 SCM platforms

Compliance Frameworks

18 total:
  • Security: NIST SSDF, OWASP Top 10, OWASP ASVS L1/L2, CWE Top 25, CIS Controls, SLSA
  • Regulatory: SOC 2, HIPAA, PCI-DSS, ISO 27001, GDPR, FedRAMP, StateRAMP
  • Emerging: EU AI Act, DORA, NIS2, Colorado AI Act

Detection Rules

  • 711 total detection rules
  • 237 regex patterns (known vulnerabilities)
  • 474 Semgrep AST rules (taint analysis, data flow)
  • 15 languages: Python, JavaScript, TypeScript, Java, Go, PHP, Ruby, C#, Kotlin, Swift, Rust, C, C++, Terraform, Dockerfile
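To make the two rule layers in the list above concrete, here is an added toy detector (not MergeGuide's rules or code): a regex layer that flags known signatures line by line, and a minimal AST taint walk that follows user input from a source call to a command-execution sink. The sample target file, the rule names, and the source and sink lists are all constructed for illustration.

```python
"""Illustrative two-layer detector: regex signatures plus an AST taint walk.

Added example; nothing here is MergeGuide's own rule set or engine.
"""
from __future__ import annotations

import ast
import re
from dataclasses import dataclass

# Constructed target file (not code from the page). The AWS key is the
# documented example value, so it is safe to commit here.
SAMPLE = '''\
import os
import subprocess
from flask import request

AWS_KEY = "AKIAIOSFODNN7EXAMPLE"  # hard-coded credential

def ping(host):
    cmd = "ping -c 1 " + host
    os.system(cmd)  # sink, but host is only tainted via the caller below

def handler():
    target = request.args.get("host")  # taint source: user-controlled input
    ping(target)
    subprocess.run("ls " + target, shell=True)  # tainted sink
    subprocess.run(["ls", "/tmp"], shell=True)  # shell=True, but constant argv
'''

# Layer 1: regex patterns. Rule names and patterns are assumed for this example.
REGEX_RULES = {
    "hardcoded-aws-access-key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "subprocess-shell-true": re.compile(r"shell\s*=\s*True"),
}

# Layer 2: taint source and sinks for the AST walk (assumed, deliberately tiny).
SOURCE_CALL = ("request", "args", "get")
SINKS = {("os", "system"), ("subprocess", "run"), ("subprocess", "call")}


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int


def regex_scan(src: str) -> list[Finding]:
    """Layer 1: match every rule against every line; cheap, but context-blind."""
    return [
        Finding(name, lineno)
        for lineno, text in enumerate(src.splitlines(), start=1)
        for name, pat in REGEX_RULES.items()
        if pat.search(text)
    ]


def _dotted(node: ast.AST) -> tuple[str, ...] | None:
    """Dotted name of a Name/Attribute chain: request.args.get -> (request, args, get)."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return tuple(reversed(parts))
    return None


def _is_tainted(expr: ast.AST, tainted: set[str]) -> bool:
    """True if the expression reads a tainted variable or calls the source directly."""
    for sub in ast.walk(expr):
        if isinstance(sub, ast.Name) and sub.id in tainted:
            return True
        if isinstance(sub, ast.Call) and _dotted(sub.func) == SOURCE_CALL:
            return True
    return False


def taint_scan(src: str) -> list[Finding]:
    """Layer 2: intra-procedural, straight-line taint tracking from source to sink.

    Assignments propagate taint to their target names; a sink call is reported only
    when one of its positional arguments is tainted. Calls into other functions
    (ping) are not followed, which is the gap an inter-procedural engine closes.
    """
    findings = []
    for func in [n for n in ast.walk(ast.parse(src)) if isinstance(n, ast.FunctionDef)]:
        tainted: set[str] = set()
        for stmt in func.body:
            if isinstance(stmt, ast.Assign) and _is_tainted(stmt.value, tainted):
                tainted.update(t.id for t in stmt.targets if isinstance(t, ast.Name))
            for call in [n for n in ast.walk(stmt) if isinstance(n, ast.Call)]:
                if _dotted(call.func) in SINKS and any(_is_tainted(a, tainted) for a in call.args):
                    findings.append(Finding("tainted-command-execution", call.lineno))
    return findings


def scan(src: str) -> list[Finding]:
    """Run both layers over one source file."""
    return regex_scan(src) + taint_scan(src)


if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f.line:>3}: {f.rule}")
```

Running it shows why the two layers coexist: the regex layer reports the key on line 5 and both shell=True calls on lines 14 and 15, but line 15 passes a constant argv and is a false positive; the taint layer reports only line 14, where the argument is built from request input. The os.system call inside ping is missed by this toy because it only tracks taint within one function; following the ping(target) call is exactly the data-flow work that distinguishes an AST/taint rule from a pattern match.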

Quick Start

# Install the CLI
npm install -g @mergeguide/cli

# Authenticate
mergeguide auth login

# Run your first check
mergeguide check

Continue to Quick Start Guide →

Documentation Sections

Section             Description
Getting Started     Installation, first check, basics
Enforcement Layers  VS Code, MCP Server, Git Hooks, PR Gate
Compliance          OSCAL export, SBOM, bypass tracking, PolicyMerge
Policy Authoring    Create and customize detection policies
API Reference       REST API documentation
Integrations        CI/CD workflow integrations
Troubleshooting     Common issues and FAQ

Getting Help