Compliance Overview

MergeGuide maps your detection rules to compliance framework controls, tracks coverage over time, and exports evidence artifacts for auditors.

Supported Frameworks

18 frameworks across three categories:

Security Frameworks

Framework | What It Covers
NIST SSDF | NIST Secure Software Development Framework — development lifecycle security practices
OWASP Top 10 | OWASP’s top 10 web application security risks
OWASP ASVS L1 | Application Security Verification Standard Level 1 — basic security controls
OWASP ASVS L2 | Application Security Verification Standard Level 2 — defense-in-depth controls
CWE Top 25 | MITRE Common Weakness Enumeration — most dangerous software weaknesses
CIS Controls | Center for Internet Security — prioritized security actions
SLSA | Supply chain Levels for Software Artifacts — build integrity and provenance

Regulatory Compliance

Framework | Applicable To
SOC 2 | Service organizations handling customer data
HIPAA | Healthcare organizations and business associates
PCI-DSS | Organizations handling payment card data
ISO 27001 | International information security management standard
GDPR | EU data protection regulation
FedRAMP | US federal government cloud services
StateRAMP | US state government cloud services

Emerging Regulations

Framework | What It Covers
EU AI Act | EU regulation on artificial intelligence systems
DORA | EU Digital Operational Resilience Act (financial sector)
NIS2 | EU Network and Information Security Directive 2
Colorado AI Act | US state AI regulation — SB 24-205

How Coverage Works

Each detection rule is mapped to one or more framework controls. When a policy evaluates code and produces a result — pass or fail — that result becomes compliance evidence. Example mapping:
  • no-hardcoded-secrets → SOC 2 CC6.1, NIST SSDF PW.9.1, PCI-DSS 6.3.2, HIPAA §164.312(a)(2)(iv)
The dashboard shows coverage percentage: what fraction of the framework’s controls are covered by at least one active MergeGuide policy.

Framework Templates

Each supported framework has a policy template — a curated set of policies pre-mapped to the framework’s controls. Enable a template to instantly cover that framework:
  1. Go to Compliance > Frameworks
  2. Select a framework
  3. Click Enable Template
  4. Review the policies that will be activated
  5. Confirm
Templates can be customized. You can add additional policies or adjust severity levels after enabling.

Feature Availability by Plan

Feature | Free | Pro | Team | Business | Enterprise
OWASP Top 10, CWE Top 25
NIST SSDF, OWASP ASVS L1, CIS Controls, PCI-DSS
SOC 2, HIPAA, EU AI Act, GDPR, OWASP ASVS L2
DORA, ISO 27001:2022, NIST SP 800-53, FedRAMP, StateRAMP
NIS2, Colorado AI Act, custom rules
OSCAL export
SAML 2.0 SSO / OIDC
SCIM v2 provisioning
OSCAL webhooks (automated GRC delivery)
SBOM (CycloneDX / SPDX)
PolicyMerge
Bypass rate tracking
Immutable evidence trail

Evidence Generation

MergeGuide generates compliance evidence in two formats.

NIST OSCAL v1.1.2

Available on Business and Enterprise plans; OSCAL webhooks for automated GRC delivery are Enterprise only. OSCAL is the machine-readable standard for compliance documentation. OSCAL output includes:
  • 16 custom assessment catalogs (one per mapped framework)
  • Assessment results linking each control to policy evaluation data
  • Plan of Actions and Milestones (POA&M) for violations
OSCAL files can be imported directly into GRC platforms: Drata, Vanta, Secureframe, Tugboat Logic, RegScale, and any OSCAL-compatible tool.
Export: Dashboard > Compliance > Export > OSCAL
API:
curl -X POST https://api.mergeguide.ai/v1/compliance/reports \
  -H "Authorization: Bearer $MERGEGUIDE_API_KEY" \
  -d '{"frameworks": ["soc2", "hipaa"], "format": "oscal", "date_range": {"start": "2026-01-01", "end": "2026-03-31"}}'

CSV / PDF

For human-readable audit evidence, export from Dashboard > Compliance > Export > CSV or PDF.

PolicyMerge

Available on Team plan and above. When multiple frameworks are active, PolicyMerge deconflicts overlapping requirements:
  • Identifies controls that appear in multiple frameworks
  • Applies strictest-wins resolution when frameworks have conflicting requirements
  • Visualizes overlap in the dashboard
  • Generates merged assessments covering all active frameworks in a single report
Without PolicyMerge, enabling SOC 2 + ISO 27001 + HIPAA could trigger duplicate alerts for the same code pattern across three frameworks. PolicyMerge collapses these into a single finding mapped to all three frameworks.
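The following Python sketch is an added illustration, not MergeGuide's own code: it models the rule-to-control mapping and coverage fraction from "How Coverage Works" and the PolicyMerge collapse described above. Only the no-hardcoded-secrets mapping is taken from this page; the second rule, the partial control catalogues and the sample findings are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample data: the no-hardcoded-secrets mapping is the one given in the text
# above; every other rule name and control identifier is a hypothetical placeholder.
RULE_CONTROLS = {
    "no-hardcoded-secrets": {"SOC 2": ["CC6.1"], "NIST SSDF": ["PW.9.1"],
                             "PCI-DSS": ["6.3.2"], "HIPAA": ["164.312(a)(2)(iv)"]},
    "pin-dependencies": {"SOC 2": ["CC8.1"], "NIST SSDF": ["PW.4.1"]},  # hypothetical
}
# Constructed partial control catalogues: the denominator of the coverage percentage.
FRAMEWORK_CONTROLS = {"SOC 2": ["CC6.1", "CC6.6", "CC7.1", "CC8.1"],
                      "NIST SSDF": ["PW.4.1", "PW.9.1", "RV.1.3"]}
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

def evidence(rule, result):
    """One policy evaluation result (pass/fail) becomes one evidence record per mapped control."""
    return [(fw, ctl, result) for fw, ctls in RULE_CONTROLS[rule].items() for ctl in ctls]

def coverage(framework, active_rules):
    """Fraction of the framework's controls mapped from at least one active rule."""
    covered = {c for r in active_rules for c in RULE_CONTROLS.get(r, {}).get(framework, [])}
    catalogue = set(FRAMEWORK_CONTROLS[framework])
    return len(covered & catalogue) / len(catalogue)

def merge_findings(findings):
    """PolicyMerge-style deconfliction: per-framework alerts for the same rule at the same
    location collapse into one finding mapped to every framework; strictest severity wins."""
    merged = {}
    for f in findings:
        key = (f["rule"], f["file"], f["line"])
        if key not in merged:
            merged[key] = {"rule": f["rule"], "file": f["file"], "line": f["line"],
                           "severity": f["severity"], "controls": defaultdict(list)}
        m = merged[key]
        if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[m["severity"]]:
            m["severity"] = f["severity"]
        m["controls"][f["framework"]].append(f["control"])
    return list(merged.values())

# Constructed: the same hardcoded secret flagged once by each of three active frameworks.
SAMPLE_FINDINGS = [
    {"rule": "no-hardcoded-secrets", "file": "app/config.py", "line": 12,
     "framework": fw, "control": ctl, "severity": sev}
    for fw, ctl, sev in [("SOC 2", "CC6.1", "medium"), ("HIPAA", "164.312(a)(2)(iv)", "high"),
                         ("PCI-DSS", "6.3.2", "medium")]
]

if __name__ == "__main__":
    print(f"SOC 2 coverage: {coverage('SOC 2', RULE_CONTROLS):.0%}")   # 50%
    print(merge_findings(SAMPLE_FINDINGS))                               # one finding, severity high
```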

Bypass Rate as Compliance Evidence

Every policy override — when a developer bypasses a failing check — is logged automatically. Bypass rate tracking serves as evidence for:
  • SOC 2 CC6.1 (logical access control monitoring)
  • NIST SSDF RV.1.3 (tracking and remediation)
  • ISO 27001 A.12.6.1 (management of technical vulnerabilities)
Dashboard: Compliance > Bypass Rate