The terms the documentation uses, defined from the user’s point of view. For the narrative version, see Core concepts.

Advisory mode

A run mode that reports findings but always exits 0, so it never blocks. Enabled with --advisory. See Thresholds.

Check

The core run that evaluates your code against policies (mergeguide check). See Running scans.

Control

A specific requirement within a compliance framework. Policies map to the controls they help satisfy.

Enforcement layer

A point in your workflow where MergeGuide applies your policies — IDE, MCP server, git hooks, or PR gate. See Enforcement layers.

Evidence

The exportable record of what was checked and the result, used for audits. Exported as NIST OSCAL or as an SBOM. See Compliance overview.

Finding

What MergeGuide reports when your code doesn’t satisfy a policy — with file, line, severity, and remediation guidance. See Reading findings.

Framework

A named compliance standard (such as SOC 2 or ISO 27001) made up of controls. Activating a framework scopes the checks that run. See Policies & frameworks.

Git hooks

Local checks that run on commit and push, installed with mergeguide hooks install. See Install git hooks.

MCP server

The Model Context Protocol server (@mergeguide/mcp-server) that lets an AI assistant check changes against your policies as it works. See Install the MCP server.

OSCAL

NIST Open Security Controls Assessment Language — the machine-readable evidence format MergeGuide exports. See OSCAL export.

Policy

A rule your code must satisfy (for example, “no hardcoded secrets”). MergeGuide ships defaults and supports custom policies. See Policies & frameworks.

PolicyMerge

The feature that combines multiple active frameworks and shows where their controls overlap, so meeting the strictest requirement for an overlapping control satisfies the others. See PolicyMerge.

PR gate

The enforcement layer that evaluates every pull request and holds the merge when blocking findings exist. See Set up the PR gate.

SARIF

Static Analysis Results Interchange Format — a standard output format ingested by code-scanning dashboards. See Output formats.

SBOM

Software Bill of Materials — a machine-readable inventory of your dependencies, exported as CycloneDX or SPDX. See SBOM export.

Severity

How serious a finding is (critical / high / medium / low), used together with your thresholds to decide what blocks. See Thresholds.

Suppression

Accepting a finding as a known exception by disabling its policy or excluding its path. See Reading findings.