This page defines the terms the rest of the documentation uses. It describes what each concept means to you as a user — not how MergeGuide works internally.

Policy

A policy is a rule your code must satisfy — for example, “no hardcoded secrets.” MergeGuide ships a default set of policies, and you can add your own. You choose which policies apply at the organization, project, group, or repository level.

Compliance framework

A framework is a named standard (such as SOC 2 or ISO 27001) made up of controls. Activating a framework scopes the checks that run to the controls that framework cares about. See Compliance overview.

Finding

A finding is what MergeGuide reports when your code doesn’t satisfy a policy. Each finding includes:
  • the file and line where the issue is,
  • a severity (see below),
  • and remediation guidance describing how to fix it.
See Reading findings.

Severity

Each finding has a severity that tells you how serious it is. Whether a given severity blocks a commit or a merge is your decision: you set it through your fail thresholds, and a finding at or above the threshold for that stage blocks it.
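To make the shape of a finding and the effect of a fail threshold concrete, here is an added, illustrative example. It is not MergeGuide's code, and the severity scale, the "no-hardcoded-secrets" patterns, the sample file and the thresholds for the commit and merge stages are all assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Severity scale, lowest to highest. Assumed for this example; it is not
# MergeGuide's own scale.
SEVERITY_ORDER = ["info", "low", "medium", "high", "critical"]


@dataclass
class Finding:
    """One finding: which policy, where, how serious, and how to fix it."""
    policy: str
    path: str
    line: int
    severity: str
    remediation: str


# A toy "no hardcoded secrets" policy: a few credential shapes as regexes.
# Hypothetical and deliberately small; a real scanner covers far more.
SECRET_PATTERNS = [
    (re.compile(r"AKIA[0-9A-Z]{16}"), "critical",
     "Remove the AWS access key and rotate it; load credentials from the "
     "environment or a secrets manager."),
    (re.compile(r"(?i)(password|passwd|pwd)\s*=\s*['\"][^'\"]{4,}['\"]"), "high",
     "Move the password out of source control into a secret store."),
    (re.compile(r"(?i)api[_-]?key\s*=\s*['\"][A-Za-z0-9]{16,}['\"]"), "high",
     "Replace the literal API key with a reference to an injected secret."),
]


def scan_file(path: str, text: str) -> list[Finding]:
    """Run every pattern over every line; report one finding per matching line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pattern, severity, fix in SECRET_PATTERNS:
            if pattern.search(line):
                findings.append(Finding("no-hardcoded-secrets", path, lineno, severity, fix))
                break
    return findings


def should_block(findings: list[Finding], fail_threshold: str) -> bool:
    """True if any finding is at or above the threshold severity."""
    floor = SEVERITY_ORDER.index(fail_threshold)
    return any(SEVERITY_ORDER.index(f.severity) >= floor for f in findings)


# Constructed sample file contents (not from any real repository).
SAMPLE = """\
import os
DB_PASSWORD = "hunter2-prod"
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
token = os.environ["TOKEN"]
"""


def demo():
    """Scan the sample and apply two assumed thresholds: commits block on
    'high' and above, merges block on 'medium' and above."""
    findings = scan_file("config.py", SAMPLE)
    return findings, should_block(findings, "high"), should_block(findings, "medium")


if __name__ == "__main__":
    found, block_commit, block_merge = demo()
    for f in found:
        print(f"{f.path}:{f.line} [{f.severity}] {f.policy}: {f.remediation}")
    print("block commit:", block_commit, "block merge:", block_merge)
```

Lowering the threshold for a later stage (merge) below the one for an earlier stage (commit) is a common choice: a developer can still commit locally with a medium finding, but it cannot reach the shared branch.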

Enforcement layers

MergeGuide applies the same policies at several points in your workflow: your IDE, your AI assistant, your local commits, and your pull requests. Each point is an enforcement layer. The value isn't "more checks"; it's catching an issue at the earliest, cheapest layer so it never reaches a later one. See Enforcement layers.

Evidence

Evidence is the exportable record of what was checked and what the result was. You can export it for an audit as NIST OSCAL or as an SBOM, and verify a signed artifact with mergeguide verify-evidence. See Compliance overview.

PolicyMerge

When you select multiple overlapping frameworks, PolicyMerge combines them and shows where their controls overlap. For an overlapping control, meeting the strictest requirement satisfies the others, so you assess once instead of once per framework. See PolicyMerge.
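The following is an added illustration of the idea behind merging overlapping controls, not MergeGuide's own PolicyMerge implementation. The two frameworks, their control names, values and "which direction is stricter" flags are constructed for this example; none of them are taken from SOC 2 or ISO 27001.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    """A numeric requirement and which direction counts as stricter."""
    name: str
    value: float
    stricter: str  # "higher": larger is stricter; "lower": smaller is stricter


# Constructed toy frameworks with two overlapping controls (assumed values).
FRAMEWORKS = {
    "FrameworkA": [
        Control("password.min_length", 12, "higher"),
        Control("session.max_idle_minutes", 30, "lower"),
        Control("log.retention_days", 90, "higher"),
    ],
    "FrameworkB": [
        Control("password.min_length", 14, "higher"),
        Control("session.max_idle_minutes", 15, "lower"),
        Control("backup.max_age_hours", 24, "lower"),
    ],
}


def satisfies(control: Control, observed: float) -> bool:
    """Does an observed setting meet this control's requirement?"""
    if control.stricter == "higher":
        return observed >= control.value
    return observed <= control.value


def merge(frameworks: dict) -> tuple[dict, set]:
    """Combine frameworks, keeping the strictest requirement per control name.
    Returns (merged controls by name, names that appear in more than one framework)."""
    merged: dict[str, Control] = {}
    seen_in: dict[str, set] = {}
    for fw, controls in frameworks.items():
        for c in controls:
            seen_in.setdefault(c.name, set()).add(fw)
            current = merged.get(c.name)
            if current is None:
                merged[c.name] = c
            elif current.stricter != c.stricter:
                # Two frameworks disagree on what "stricter" means; refuse to guess.
                raise ValueError(f"conflicting direction for {c.name}")
            elif not satisfies(c, current.value):
                # The current requirement would fail c, so c is the stricter one.
                merged[c.name] = c
    overlaps = {name for name, fws in seen_in.items() if len(fws) > 1}
    return merged, overlaps


def assess(observed: dict, frameworks: dict) -> list:
    """Assess once against the merged set; return the control names that fail."""
    merged, _ = merge(frameworks)
    return [name for name, c in merged.items()
            if name not in observed or not satisfies(c, observed[name])]


def passes_each(observed: dict, frameworks: dict) -> dict:
    """Check every framework separately; used to show the merged result agrees."""
    return {fw: all(c.name in observed and satisfies(c, observed[c.name]) for c in cs)
            for fw, cs in frameworks.items()}


# Constructed observed configurations.
OK = {"password.min_length": 14, "session.max_idle_minutes": 15,
      "log.retention_days": 90, "backup.max_age_hours": 24}
WEAK = dict(OK, **{"password.min_length": 12})


if __name__ == "__main__":
    merged, overlaps = merge(FRAMEWORKS)
    print("overlapping controls:", sorted(overlaps))
    for name, c in merged.items():
        print(f"  {name}: {c.value} ({c.stricter} is stricter)")
    print("OK fails:", assess(OK, FRAMEWORKS), passes_each(OK, FRAMEWORKS))
    print("WEAK fails:", assess(WEAK, FRAMEWORKS), passes_each(WEAK, FRAMEWORKS))
```

The point the example makes is the last two lines: a configuration that passes the merged set passes both frameworks, and when it fails the merged set only on password length, the per-framework check fails exactly the framework that demanded the stricter value.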

Next steps

Quickstart

Put these concepts to work with a first check.

Enforcement layers

See how the layers fit your workflow.