Release Notes
v1.0.0 — General Availability (March 2026)
MergeGuide v1.0.0 is the first production release. What’s in this release:
- 4 enforcement layers: IDE, Git hooks, AI assistants, PR gates
- 4 SCM platforms: GitHub, GitLab, Bitbucket, Azure DevOps
- 24 compliance frameworks with NIST OSCAL export
- 1,099 detection rules across 15 languages
Detection Engine
- 1,099 detection rules — 130 regex + 969 Semgrep AST taint analysis rules
- 15 languages — Python, JavaScript, TypeScript, Java, Go, PHP, Ruby, C#, Kotlin, Swift, Rust, C, C++, Terraform, Dockerfile
- Dual-layer analysis — Fast regex for known patterns; Semgrep for taint analysis and data flow across all supported languages
- All 15 languages benchmark-validated at ≥85% precision
4-Layer Enforcement
- VS Code Extension — Real-time violation detection with inline diagnostics, quick fixes, sidebar panels for violations/policies/evaluations, and pre-commit hook management
- MCP Server — 10 tools for AI coding assistants: check_policy, list_policies, scan_repository, scan_vulnerabilities, scan_licenses, scan_cicd, scan_iac, generate_evidence, generate_sbom, get_remediation
- Git Hooks — Pre-commit and pre-push enforcement; compatible with Husky, lint-staged, and the pre-commit framework
- PR Gate — Webhook-driven evaluation on GitHub, GitLab, Bitbucket, and Azure DevOps with inline annotations and pass/fail status checks
SCM Integrations
All four SCM platforms supported with full PR gate integration:
- GitHub (GitHub App: mergeguide-policy-check)
- GitLab (Webhook + OAuth)
- Bitbucket (OAuth App)
- Azure DevOps (Azure DevOps App)
Compliance
- 24 framework templates — OWASP Top 10, CWE Top 25, OWASP ASVS, PCI-DSS, CIS Controls, OWASP Agentic Apps, SOC 2 Type II, HIPAA, EU AI Act, GDPR, NIST SSDF, DORA, ISO 27001, NYDFS Part 500, CMMC 2.0 Level 2, NIST AI RMF, HITRUST CSF v11, FFIEC D&A, NIST SP 800-53, SLSA v1.0, FedRAMP Moderate, StateRAMP, NIS2, Colorado AI Act
- NIST OSCAL v1.1.2 native output — 24 custom catalogs, 4 document types, GRC platform interop
- SBOM export — CycloneDX 1.5 + SPDX 2.3, streaming ZIP download, S3 upload integration
- PolicyMerge — Multi-framework conflict resolution with strictest-wins logic and overlap visualization
- Bypass rate tracking — Every policy override logged; dashboard widget and drill-down report
Enterprise Features
- SAML 2.0 SSO + OIDC
- SCIM v2 provisioning
- WebAuthn/Passkeys + TOTP MFA
- RBAC — Owner, Admin, Developer, Viewer roles with custom role support
- Immutable evidence trail
- Onboarding wizard — 7-step guided org setup
Dashboard
- Compliance dashboard with framework coverage visualization for all 24 frameworks
- Bypass rate widget and drill-down event log
- OSCAL and SBOM export from the dashboard
- PolicyMerge multi-framework visualization
- Enforcement metrics with daily pass/fail trends
- Date range filtering: 7d, 30d, 90d, all time
API
- REST API v1 at api.mergeguide.ai
- API key authentication with scoped permissions
- OAuth 2.0 + PKCE for interactive applications
- Evaluation, policy, compliance, SBOM, and webhook endpoints
- Rate limiting with standard headers (X-RateLimit-*)
Installation
Installing the CLI
Installing the VS Code Extension
Search “MergeGuide” in the VS Code Extensions panel, or:
Setting Up the MCP Server
Feedback
- Bug reports: support@mergeguide.ai
- Feature requests: support@mergeguide.ai