MergeGuide checks your code against policies. A compliance framework groups the policies that satisfy a named standard. This page covers how to see what’s available, scope a check to a framework, and add your own policies.

List available policies

To see the policies available to you:
mergeguide policies
This lists the default policy set plus any custom policies MergeGuide loads from your project. See mergeguide policies.

Use the defaults

By default, mergeguide check runs MergeGuide’s built-in policy set. You don’t need to configure anything to get coverage, because the default config enables it:
.mergeguide/config.yaml
policies:
  use_defaults: true
  custom_dir: .mergeguide/policies
To run a single check without the defaults — for example, to test a custom policy in isolation — use --no-defaults:
mergeguide check src/ --no-defaults --policy ./my-policy.yaml

Scope a check to frameworks

When you activate one or more frameworks, MergeGuide runs only the rules mapped to those frameworks. Scope a check from the CLI with --frameworks:
# Only rules mapped to SOC 2 Type 2 or PCI DSS v4 will fire
mergeguide check src/ --frameworks soc2-type2,pci-dss-v4
Pass a comma-separated list of framework IDs. When you supply --frameworks, rules that aren’t mapped to at least one of them don’t contribute findings. With no --frameworks, the full default corpus runs.
The exact set of frameworks available to you depends on your plan and your organization’s configuration. Open the Compliance area of the dashboard to see the frameworks active on your account. See Compliance overview.

Add custom policies

mergeguide init creates a sample custom-policy file at .mergeguide/policies/custom.yaml. Policies in your custom_dir load alongside the defaults. A custom policy looks like this:
.mergeguide/policies/custom.yaml
version: "1.0"

metadata:
  name: "Custom Policies"
  description: "Project-specific policy rules"

policies:
  - id: "example-rule"
    name: "Example Rule"
    description: "An example custom rule"
    severity: warning
    languages: ["*"]
    enabled: false   # set to true to enable
    rules:
      - pattern: "example_pattern"
        message: "This is an example violation"
        remediation: "Replace with the correct pattern"
You can also pass a policy file to a single check without putting it in custom_dir:
mergeguide check src/ --policy ./my-policy.yaml
Pass --policy more than once to load several files.
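To make the selection rules of the last two sections concrete (framework scoping and the custom policy format), here is an added example in Python. It is not MergeGuide’s code and does not reproduce its engine; it is a minimal evaluator that takes a policy document shaped like custom.yaml (written inline as the dict yaml.safe_load would return), keeps the policies that are enabled, match the language and, when a --frameworks scope is given, are mapped to at least one of those framework IDs, and then runs each rule pattern over a constructed source file. Two things are assumptions because the page does not document them: that a pattern is a regular expression, and that a policy is mapped to frameworks through a frameworks key listing framework IDs.

```python
import re
from dataclasses import dataclass

# Constructed policy document: the dict yaml.safe_load() would return for a
# file shaped like custom.yaml above, plus two rules that do real work.
# ASSUMPTION: a policy's 'frameworks' key lists the framework IDs it is mapped
# to; the page says rules are mapped to frameworks but shows no field for it.
POLICY_DOC = {
    "version": "1.0",
    "metadata": {"name": "Custom Policies", "description": "Project-specific policy rules"},
    "policies": [
        {
            "id": "no-hardcoded-secret", "severity": "error", "languages": ["python"],
            "enabled": True, "frameworks": ["soc2-type2", "pci-dss-v4"],
            "rules": [{"pattern": r"(?i)\b(api_key|password|secret)\s*=\s*['\"][^'\"]+['\"]",
                       "message": "Credential literal assigned in source",
                       "remediation": "Read it from the environment or a secrets manager"}],
        },
        {
            "id": "no-md5", "severity": "warning", "languages": ["python"],
            "enabled": True, "frameworks": ["pci-dss-v4"],
            "rules": [{"pattern": r"hashlib\.md5\(",
                       "message": "MD5 in use",
                       "remediation": "Use hashlib.sha256 for integrity or a password KDF"}],
        },
        {   # the sample rule from the page, still disabled
            "id": "example-rule", "severity": "warning", "languages": ["*"],
            "enabled": False,
            "rules": [{"pattern": "example_pattern",
                       "message": "This is an example violation",
                       "remediation": "Replace with the correct pattern"}],
        },
    ],
}

# Constructed source file to check.
SAMPLE_SOURCE = """\
import hashlib
API_KEY = "sk-live-0123456789"
digest = hashlib.md5(payload).hexdigest()
example_pattern = 1
"""


@dataclass(frozen=True)
class Finding:
    policy_id: str
    severity: str
    line: int
    message: str
    remediation: str


def select_policies(doc, frameworks=None, language="python"):
    """Keep policies that are enabled, cover the language and, when a
    --frameworks scope is given, are mapped to at least one listed framework."""
    chosen = []
    for policy in doc["policies"]:
        if not policy.get("enabled", True):          # ASSUMPTION: missing flag means enabled
            continue
        langs = policy.get("languages", ["*"])
        if "*" not in langs and language not in langs:
            continue
        if frameworks is not None and not set(policy.get("frameworks", [])) & set(frameworks):
            continue                                   # unmapped rules contribute no findings
        chosen.append(policy)
    return chosen


def run_check(source, doc, frameworks=None, language="python"):
    """Run every rule of each selected policy over each source line.
    ASSUMPTION: patterns are Python regular expressions."""
    findings = []
    for policy in select_policies(doc, frameworks, language):
        compiled = [(re.compile(rule["pattern"]), rule) for rule in policy["rules"]]
        for lineno, text in enumerate(source.splitlines(), start=1):
            for regex, rule in compiled:
                if regex.search(text):
                    findings.append(Finding(policy["id"], policy["severity"], lineno,
                                            rule["message"], rule["remediation"]))
    return findings


if __name__ == "__main__":
    for scope in (None, ["soc2-type2"], ["pci-dss-v4"]):
        print(f"--frameworks {scope}:")
        for f in run_check(SAMPLE_SOURCE, POLICY_DOC, frameworks=scope):
            print(f"  {f.severity}: line {f.line}: {f.message} [{f.policy_id}]")
```

Without a scope both active policies fire; scoping to soc2-type2 drops the MD5 finding because that policy is mapped only to pci-dss-v4; scoping to an ID nothing is mapped to yields no findings at all, which is the silent case worth checking before trusting a clean framework-scoped run. The disabled example-rule never fires until its enabled flag is flipped.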

Enable or disable specific policies

To turn individual policies on or off across a project without editing policy files, list them in your config:
.mergeguide/config.yaml
enabled_policies:
  - owasp-top-10
disabled_policies:
  - example-noisy-rule
See Configuration keys for the full set of config keys.
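The config keys, CLI flags and policy files on this page interact, and it is easy to lose track of which policies actually run. The following added example (not MergeGuide’s own resolution logic) models one consistent precedence in Python: --no-defaults keeps only the --policy files, use_defaults gates the built-in set, custom_dir policies always load, enabled_policies forces a policy on even if its file says enabled: false, and disabled_policies wins over everything. That precedence, and the built-in policy IDs other than owasp-top-10 and example-noisy-rule, are assumptions of this example.

```python
# Constructed stand-ins for the policy sources this page describes. Each maps
# a policy ID to the enabled flag in its policy file. All IDs are made up except
# owasp-top-10 and example-noisy-rule, which the config sample above names.
BUILTIN_POLICIES = {"owasp-top-10": True, "example-noisy-rule": True, "builtin-secrets": True}
CUSTOM_DIR_POLICIES = {"example-rule": False}   # custom.yaml ships with enabled: false

PROJECT_CONFIG = {   # the two .mergeguide/config.yaml fragments above, merged
    "policies": {"use_defaults": True, "custom_dir": ".mergeguide/policies"},
    "enabled_policies": ["owasp-top-10", "example-rule"],
    "disabled_policies": ["example-noisy-rule"],
}


def resolve_policies(config, builtin, custom_dir, cli_policy_files=(), no_defaults=False):
    """Return the sorted IDs of the policies that will contribute findings.

    Precedence is this example's reading of the page, not documented behaviour:
      1. --no-defaults keeps only the --policy files (the 'in isolation' case).
      2. Otherwise use_defaults gates the built-in set; custom_dir always loads.
      3. enabled_policies switches a policy on even if its file says enabled: false;
         disabled_policies switches it off and wins when an ID is in both lists.
    """
    candidates = {}
    if not no_defaults:
        if config.get("policies", {}).get("use_defaults", True):
            candidates.update(builtin)
        candidates.update(custom_dir)
    for policy_file in cli_policy_files:   # each --policy file, parsed to id -> enabled
        candidates.update(policy_file)

    force_on = set(config.get("enabled_policies", []))
    force_off = set(config.get("disabled_policies", []))
    unknown = (force_on | force_off) - candidates.keys()
    if unknown:
        # Hypothetical diagnostic: a listed ID that nothing loaded is usually a typo.
        print(f"warning: enabled/disabled_policies name unknown IDs: {sorted(unknown)}")

    return sorted(pid for pid, on in candidates.items()
                  if pid not in force_off and (on or pid in force_on))


if __name__ == "__main__":
    print("project run:", resolve_policies(PROJECT_CONFIG, BUILTIN_POLICIES, CUSTOM_DIR_POLICIES))
    print("isolated run:", resolve_policies(PROJECT_CONFIG, BUILTIN_POLICIES, CUSTOM_DIR_POLICIES,
                                            cli_policy_files=[{"my-policy": True}], no_defaults=True))
```

The unknown-ID warning is the check worth having in practice: a misspelled entry in disabled_policies silently fails to disable anything, and a misspelled entry in enabled_policies silently leaves a policy off.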

Next steps

Thresholds

Decide what severity blocks a commit or a merge.

Compliance overview

How frameworks map to audit evidence.