MergeGuide connects everyday code checks to the compliance frameworks your organization is held to — so the work you do to keep code clean also produces the evidence your auditors ask for.

How it fits together

  • Frameworks are named standards (such as SOC 2 or ISO 27001). Each maps to a set of controls.
  • Controls are the specific requirements within a framework.
  • Policies are the rules MergeGuide checks your code against. Policies map to the controls they help satisfy.
  • Evidence is the record of what was checked and what the result was, which you can export for an audit.

When you activate a framework, MergeGuide scopes its checks to the controls that framework cares about, and the results roll up into your compliance view.

Scope checks to a framework

You can scope a check to one or more frameworks from the CLI so that only rules mapped to those frameworks fire:

  mergeguide check src/ --frameworks soc2-type2,pci-dss-v4

See the CLI reference for the full set of options the check command accepts.
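As an added illustration (not MergeGuide's own code or data model), the Python sketch below shows the scoping rule in principle: policies map to controls, controls belong to frameworks, and only policies reachable from the requested frameworks run, each producing one evidence record that rolls up per framework. Every framework, control and policy identifier, and the sample source, is constructed for the example.

```python
"""Hypothetical model of framework-scoped checks and evidence roll-up (added example)."""
from dataclasses import dataclass, field
import re

# Constructed mappings: framework -> controls it requires, policy -> controls it satisfies.
FRAMEWORK_CONTROLS = {
    "soc2-type2": {"CC6.1", "CC7.1"},
    "pci-dss-v4": {"6.2.4", "3.5.1"},
}
POLICY_CONTROLS = {
    "no-hardcoded-secrets": {"CC6.1", "3.5.1"},
    "no-eval": {"6.2.4"},
    "todo-comments": set(),  # hygiene-only rule: mapped to no control, never in scope
}
# Toy rule bodies; a real policy engine would do more than a line regex.
POLICY_PATTERNS = {
    "no-hardcoded-secrets": re.compile(r"(?i)(password|api_key)\s*=\s*['\"]"),
    "no-eval": re.compile(r"\beval\("),
    "todo-comments": re.compile(r"#\s*TODO"),
}
# Constructed sample source lines the checks run over.
SAMPLE_SOURCE = ["api_key = 'abc'", "# TODO tidy", "x = eval(user_input)"]

@dataclass
class Evidence:
    """One exportable record: what was checked, against which controls, and the result."""
    policy: str
    controls: list
    frameworks: list
    passed: bool
    findings: list = field(default_factory=list)  # (line number, line text)

def scope_policies(frameworks):
    """Policies whose controls belong to at least one requested framework, sorted."""
    in_scope = set().union(*(FRAMEWORK_CONTROLS[f] for f in frameworks))
    return sorted(p for p, c in POLICY_CONTROLS.items() if c & in_scope)

def run_check(source_lines, frameworks):
    """Run only the in-scope policies and emit one Evidence record per policy."""
    in_scope = set().union(*(FRAMEWORK_CONTROLS[f] for f in frameworks))
    records = []
    for policy in scope_policies(frameworks):
        pattern = POLICY_PATTERNS[policy]
        hits = [(n, ln) for n, ln in enumerate(source_lines, 1) if pattern.search(ln)]
        controls = sorted(POLICY_CONTROLS[policy] & in_scope)
        fws = sorted(f for f in frameworks if FRAMEWORK_CONTROLS[f] & POLICY_CONTROLS[policy])
        records.append(Evidence(policy, controls, fws, not hits, hits))
    return records

def rollup(records, frameworks):
    """Per-framework verdict: passes only if every in-scope policy mapped to it passed."""
    return {f: all(r.passed for r in records if f in r.frameworks) for f in frameworks}
```

Scoping to soc2-type2 alone runs only no-hardcoded-secrets, because no-eval maps to a PCI-only control and todo-comments maps to no control at all.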

Export evidence

When it’s time for an audit, export structured evidence in one of two formats:

  • OSCAL export: export NIST OSCAL documents for auditors and GRC tools.
  • SBOM export: generate a CycloneDX or SPDX Software Bill of Materials.

The exact set of frameworks available to you depends on your plan and your organization’s configuration. Check the Compliance area of the dashboard for the frameworks active on your account.