MergeGuide has two kinds of run: check, which evaluates your code against policies, and scan, which runs the specialized vulnerability and infrastructure-as-code scanners. This page covers both.

Check code against policies

check is the core command. Point it at files or directories:

# Check a directory
mergeguide check src/

# Check specific files
mergeguide check src/app.py src/db.py

With no paths, check reads your git-staged changes (or from stdin) — which is what the pre-commit hook uses:

# Check only what's staged
mergeguide check --staged

Choose an output format

mergeguide check src/ --format json
mergeguide check src/ --format sarif --output results.sarif

check supports text (default), json, sarif, and markdown. See Output formats.

Scope to frameworks

Run only the rules mapped to one or more frameworks:

mergeguide check src/ --frameworks soc2-type2,pci-dss-v4

See Policies & frameworks.

Scan dependencies for vulnerabilities

scan vuln checks your dependency manifests against known vulnerabilities (OSV):

# Scan the current directory's manifests
mergeguide scan vuln

# Scan a specific project, failing on critical findings
mergeguide scan vuln --path ./my-project --fail-on critical

# Scan specific manifest files
mergeguide scan vuln package.json requirements.txt

Scan infrastructure-as-code

scan iac checks IaC files for security misconfigurations. It supports Terraform, CloudFormation, Kubernetes, and Helm:

# Scan an infra directory
mergeguide scan iac --path ./infra

# Scan specific files as SARIF
mergeguide scan iac main.tf variables.tf --format sarif

Both scanners accept --path, --format (text / json / sarif), and --fail-on (none / high / critical). See the CLI reference.
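The SARIF output mentioned under "Choose an output format" and here is a standard format, so any run (check, scan vuln, scan iac) written with --format sarif can be triaged by the same tooling. The script below is an added example, not MergeGuide's code: it reads a SARIF 2.1.0 file, tallies results by level and by rule, and applies a severity gate in the spirit of --fail-on. It relies only on the SARIF layout (runs[].results[] with level, ruleId and locations), not on any MergeGuide-specific field; the gate works on SARIF levels (none/note/warning/error), since MergeGuide's none/high/critical scale is not part of SARIF. The SARIF document, rule ids and file paths are constructed for illustration.

```python
"""Added example (not part of MergeGuide): triage a SARIF 2.1.0 file such as
one produced with `--format sarif --output results.sarif`.

Only the standard SARIF layout is used: runs[].results[] with `level`,
`ruleId` and `locations`. The sample document below is constructed.
"""
import json
from collections import Counter

# Constructed SARIF sample: rule ids, paths and messages are made up.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-tool"}},
        "results": [
            {"ruleId": "EX001", "level": "error",
             "message": {"text": "Hard-coded credential"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/db.py"},
                 "region": {"startLine": 12}}}]},
            {"ruleId": "EX002", "level": "warning",
             "message": {"text": "Missing input validation"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/app.py"},
                 "region": {"startLine": 40}}}]},
            {"ruleId": "EX001", "level": "error",
             "message": {"text": "Hard-coded credential"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/app.py"},
                 "region": {"startLine": 7}}}]},
            {"ruleId": "EX003", "level": "note",
             "message": {"text": "Consider pinning this dependency"},
             "locations": []},
        ],
    }],
})

# SARIF levels in increasing order of severity. A result without a `level`
# is treated as "warning" here (the SARIF default when no rule config applies).
LEVEL_ORDER = {"none": 0, "note": 1, "warning": 2, "error": 3}


def iter_results(sarif: dict):
    """Yield (level, ruleId, uri, startLine, message) for every result in every run."""
    for run in sarif.get("runs", []):
        for res in run.get("results", []):
            level = res.get("level", "warning")
            uri, line = "<no location>", None
            for loc in res.get("locations", []):
                phys = loc.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", uri)
                line = phys.get("region", {}).get("startLine")
                break  # the first location is enough for a summary
            yield level, res.get("ruleId", "?"), uri, line, res.get("message", {}).get("text", "")


def summarize(sarif_text: str) -> dict:
    """Count results per SARIF level and per rule id."""
    by_level, by_rule = Counter(), Counter()
    for level, rule_id, _, _, _ in iter_results(json.loads(sarif_text)):
        by_level[level] += 1
        by_rule[rule_id] += 1
    return {"by_level": dict(by_level), "by_rule": dict(by_rule)}


def should_fail(sarif_text: str, fail_on: str) -> bool:
    """Return True if any result is at or above the `fail_on` SARIF level.

    `fail_on="none"` never fails the run, mirroring a --fail-on none setting.
    """
    if fail_on == "none":
        return False
    threshold = LEVEL_ORDER[fail_on]
    return any(LEVEL_ORDER.get(level, 2) >= threshold
               for level, *_ in iter_results(json.loads(sarif_text)))


def print_report(sarif_text: str) -> None:
    """One line per finding: level, rule, file:line, message."""
    for level, rule_id, uri, line, msg in iter_results(json.loads(sarif_text)):
        where = f"{uri}:{line}" if line else uri
        print(f"[{level:<7}] {rule_id:<6} {where:<20} {msg}")


if __name__ == "__main__":
    print_report(SAMPLE_SARIF)
    print(summarize(SAMPLE_SARIF))
    print("fail on error:", should_fail(SAMPLE_SARIF, "error"))
```

To use it on a real run, read results.sarif into a string and pass it to summarize and should_fail; a CI job can call sys.exit(1) when should_fail returns True. Because SARIF is shared across tools, the same gate can sit in front of output from other scanners that emit SARIF.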

Generate an SBOM

To produce a Software Bill of Materials from your dependency manifests:

mergeguide sbom generate . --format spdx-json -o sbom.json

See SBOM export.
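An SPDX JSON SBOM like the one written above lists each package with a purl, which is exactly the identifier a vulnerability database such as OSV (the source used by scan vuln) matches on. The script below is an added example and not MergeGuide's code: it reads an SPDX 2.3 JSON document, extracts the purl of each package, converts it to the package/ecosystem/version shape the OSV API's POST /v1/querybatch endpoint accepts, and splits the queries into batches. Nothing is sent over the network. The SBOM is constructed, and the purl-type-to-OSV-ecosystem table covers only the types listed in PURL_TO_OSV.

```python
"""Added example (not MergeGuide's code): turn an SPDX 2.3 JSON SBOM into
OSV querybatch request bodies. The SBOM below is constructed; nothing is
sent anywhere, the request bodies are only built.
"""
import json
from urllib.parse import unquote

# Constructed SPDX 2.3 document. The last package has no purl and is skipped.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-app",
    "packages": [
        {"name": "requests", "SPDXID": "SPDXRef-Package-requests",
         "versionInfo": "2.25.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/requests@2.25.0"}]},
        {"name": "lodash", "SPDXID": "SPDXRef-Package-lodash",
         "versionInfo": "4.17.20",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:npm/lodash@4.17.20"}]},
        {"name": "@scope/pkg", "SPDXID": "SPDXRef-Package-scope-pkg",
         "versionInfo": "1.0.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:npm/%40scope/pkg@1.0.0"}]},
        {"name": "example-app", "SPDXID": "SPDXRef-Package-root",
         "versionInfo": "0.1.0", "externalRefs": []},
    ],
})

# purl type -> OSV ecosystem name (only the types handled by this example).
PURL_TO_OSV = {"pypi": "PyPI", "npm": "npm", "golang": "Go", "maven": "Maven",
               "cargo": "crates.io", "gem": "RubyGems", "nuget": "NuGet"}


def parse_purl(purl: str):
    """Split 'pkg:type/namespace/name@version[?qualifiers][#subpath]'.

    Returns (type, name, version) or None when the purl is malformed or has
    no version (OSV cannot match affected version ranges without one).
    Namespace segments are percent-decoded and rejoined: Maven uses
    'group:artifact', everything else keeps '/' (e.g. '@scope/pkg').
    """
    if not purl.startswith("pkg:"):
        return None
    body = purl[len("pkg:"):].split("#", 1)[0].split("?", 1)[0]
    if "@" not in body:
        return None
    path, version = body.rsplit("@", 1)
    parts = path.split("/")
    ptype, segments = parts[0].lower(), [unquote(p) for p in parts[1:] if p]
    if not segments or not version:
        return None
    sep = ":" if ptype == "maven" else "/"
    return ptype, sep.join(segments), unquote(version)


def osv_queries(sbom_text: str):
    """Return (queries, skipped): OSV query objects plus names of packages
    that had no usable purl or an ecosystem this example does not map."""
    sbom = json.loads(sbom_text)
    queries, skipped = [], []
    for pkg in sbom.get("packages", []):
        purls = [ref.get("referenceLocator", "") for ref in pkg.get("externalRefs", [])
                 if ref.get("referenceType") == "purl"]
        parsed = next((p for p in map(parse_purl, purls) if p), None)
        if parsed is None or parsed[0] not in PURL_TO_OSV:
            skipped.append(pkg.get("name", pkg.get("SPDXID", "?")))
            continue
        ptype, name, version = parsed
        queries.append({"package": {"name": name, "ecosystem": PURL_TO_OSV[ptype]},
                        "version": version})
    return queries, skipped


def batch_requests(queries, batch_size=1000):
    """Chunk queries into {"queries": [...]} bodies. OSV caps the number of
    queries per batch request; 1000 is an assumed default, check the OSV docs."""
    return [{"queries": queries[i:i + batch_size]}
            for i in range(0, len(queries), batch_size)]


if __name__ == "__main__":
    queries, skipped = osv_queries(SAMPLE_SBOM)
    for body in batch_requests(queries):
        print(json.dumps(body, indent=2))
    print("skipped (no purl or unmapped ecosystem):", skipped)
```

Each body can be POSTed to https://api.osv.dev/v1/querybatch; the response carries one entry per query, in order, so the skipped list matters: packages without a purl silently fall out of coverage unless you report them, which is why the function returns them alongside the queries.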

What runs where

You rarely call these commands by hand once you’re set up — they run automatically at each enforcement layer: in your IDE, while an AI assistant works, on commit and push, and on every pull request.

Next steps

Reading findings

Make sense of what a run reports.

Thresholds

Decide what severity blocks a run.