← Back to PullGuard

Getting Started

Add PullGuard to a GitHub repository in under five minutes. Three install paths โ€” pick the one that matches your team size and procurement process.

What PullGuard scans

44 analyzers grouped into six capability categories. Every category produces findings with severity, file:line location, remediation guidance, and (where relevant) a dollar-cost estimate. Free tier runs 14 of the 44; paid tiers unlock the rest.

๐Ÿ”’ Security (15 OWASP checks + supply-chain)

SQL / XSS / SSRF / command / path injection, AI application security (OWASP LLM & Agentic Top-10, across hosted, private & self-hosted models), deserialisation, CORS / CSP misconfigurations, missing CSRF, JWT confusion, cookie security, HTTP security headers, SSTI, unsafe reflection, file-upload validation, cryptographic hygiene, generic injection sinks. Cross-file, inter-procedural taint tracking across seven languages (JS / TS, Python, Java, C#, Go, Rust).

๐Ÿ“Š Code quality

Cyclomatic and cognitive complexity, Type-1โ€“3 clone detection, dead code and unused exports, monolithic-file detection (NCLOC-aligned โ€” heavily-documented code is not penalised), deep nesting, naming conventions, file naming, error-handling patterns, test patterns, API consistency.

๐Ÿ—๏ธ Architecture

Layer violations (e.g., domain code calling presentation), circular dependencies, transitive cycle detection across the full module graph, type-coverage gaps in TypeScript, OpenAPI contract drift between code and spec, module-system inconsistencies, knowledge-silo files (single-contributor risk).

๐Ÿ“ฆ Supply chain

Dependency CVEs across five ecosystems (npm, PyPI, Maven / Gradle, Go, RubyGems) using the OSV database โ€” works air-gapped against a local mirror โ€” with EPSS exploit-probability + CISA KEV “actively exploited” prioritisation so the vulnerabilities attackers actually target rise to the top. Dependency freshness scoring, breaking-change detection on shared interfaces, dangerous-files detection (tracked secrets, private keys, credentials), git-history secret scanning across the last 100 commits.

๐Ÿค– AI & modern dev

AI × security composite (code carrying an AI-era risk signal alongside a real security flaw becomes one prioritised “human-review” finding instead of separate noise), AI-governance evidence (explicit AI-authorship provenance markers, as advisory evidence toward EU AI Act / NIST AI RMF โ€” evidence toward, never a grant), AI-era risk detection (hallucinated dependencies, secrets-to-LLM prompts, insecure-by-default snippets), per-PR cost-of-change estimation in dollars, breaking-change blast-radius analysis with caller counts, GitHub Actions workflow security (unpinned actions, pwn-request, script injection, token over-permissions), Dockerfile misconfigurations, Kubernetes IaC checks (CIS Level 1 baseline).

๐Ÿ“‹ Compliance evidence

SOC 2 (8 controls โ€” CC3.1, CC3.2, CC4.1, CC6.1, CC6.2, CC6.7, CC6.8, CC8.2), HIPAA Technical Safeguards (45 CFR ยง164.312), PCI DSS 4.0, NIST 800-53 Rev 5, ISO 27001:2022. Each control is mapped to the analyzers that produce evidence; reports show PASS / CONCERN / FAIL per control with violation counts and AICPA / NIST citation text.

Install

Three paths โ€” same scanner image, same workflow file, different license tier.

Free

14 analyzers ยท no signup ยท no payment

Every public and private GitHub repository can run the free tier without an account or license key. You get the 12 commodity SAST / quality checks plus the supply-chain "dangerous files" and "repo hygiene" analyzers.

1. Drop this workflow file at .github/workflows/pullguard.yml:

name: PullGuard

on:
  pull_request:
    branches: [main]
  push:
    branches: [main]

permissions:
  contents: read
  pull-requests: write
  checks: write

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0          # Required for git-history analyzers

      - uses: pullguard-dev/pullguard-action@v1

2. Open a pull request.

PullGuard runs on every PR push, posts a comment with findings, writes a Step Summary to the Actions tab, and uploads the JSON / Markdown report as a workflow artifact.

Pro Team

42 / 44 analyzers ยท Stripe checkout ยท live in <5 min

Pro unlocks 42 of 44 analyzers for one private repository โ€” the full deep-analysis catalogue except enterprise custom rules. Team adds custom rules + up to 10 private repositories with unlimited contributors. Both bind to your organisation/repo at first scan; re-binding requires a support email.

1. Buy at pullguard.dev/#pricing via Stripe checkout.

Pro is $29/month, Team is $99/month. Stripe handles billing, invoicing, and tax. Cancel from your Stripe customer portal.

2. Receive your pg_live_* license token by email (instant).

3. Add the token as a repository secret named PULLGUARD_LICENSE_KEY:

GitHub repo โ†’ Settings โ†’ Secrets and variables โ†’ Actions โ†’ New repository secret. Or for organisation-wide use: Settings โ†’ Secrets at the org level.

4. Reference it in your workflow:

      - uses: pullguard-dev/pullguard-action@v1
        with:
          license-key: ${{ secrets.PULLGUARD_LICENSE_KEY }}

On the next PR scan, all 42/44 analyzers run, multi-framework compliance evidence appears, and the cost-estimation dollar amounts populate.

Enterprise

All 44 analyzers ยท Marketplace App ยท annual contract

Enterprise adds the GitHub Marketplace pullguard-code-scanner App (which provisions the workflow file automatically), native Check Run annotations on the PR Files-changed view, a 4 business-hour response SLA, and an annual contract with a master service agreement and data-processing addendum. SSO (SAML / OIDC) and RBAC are included; tamper-proof audit logs & export are on the roadmap, available as contracted deliverables.

1. Contact sales:

hello@pullguard.dev โ€” book a 30-minute call. We'll discuss repo count, contributor count, compliance frameworks in scope, and procurement requirements.

2. Install the GitHub App:

After contract signature, install pullguard-code-scanner on your GitHub organisation. The App auto-opens a provisioning pull request with the four-line workflow file ready to merge.

3. Enable native Check Run rendering:

      - uses: pullguard-dev/pullguard-action@v1
        with:
          license-key: ${{ secrets.PULLGUARD_LICENSE_KEY }}
          report-to-app: true

With report-to-app: true the PR-comment + Step-Summary surfaces continue to work AND findings appear as native Check Run annotations on the Files-changed view (line-level red flags, inline severity badges).

Your first scan

On the next pull request after install, four customer-visible surfaces light up:

PR comment

A comment posted on the pull request showing grade, score, severity breakdown, top 10 actionable findings inline, expandable <details> sections for Cost Breakdown / Health Dashboard / SOC 2 Evidence / Security Findings / Quick Wins, and a footer link back to the workflow run for the full report.

Actions tab โ†’ Step Summary

The richer view: full Health Dashboard with per-category grade and cost, Top Risks table sorted by remediation cost, Security Findings callout, all 8 SOC 2 controls with PASS / CONCERN / FAIL, plus HIPAA / PCI / NIST / ISO 27001 evidence sections.

Workflow artifact

pullguard-report.json + pullguard-report.md uploaded to the workflow run, retained 30 days, downloadable for programmatic ingestion or audit archive.

Native Check Runs (Enterprise + Marketplace App)

With report-to-app: true findings appear as inline annotations on the Files-changed view of the pull request โ€” clickable red / orange / yellow flags with severity, file:line, and remediation guidance. Same data the PR comment shows; native GitHub UX.

Customising the scan

Two configuration surfaces. Both are optional โ€” PullGuard works out of the box.

Full reference at Configuration โ†’.

View your results

๐Ÿ” Code never leaves your runners

The PullGuard scanner is a Docker image (ghcr.io/pullguard-dev/pullguard) that runs as a container on your own GitHub Actions runners. By default the action pins the stable :1 release line (newest v1.x); set the image-pin input to latest, a release tag, or a digest to change it. Source code is analyzed locally; only license validation (Stripe-issued pg_live_* tokens) and dependency-vulnerability lookups (OSV API) make outbound network calls. Air-gapped mode disables all external calls using a local vulnerability database โ€” see Configuration โ†’ Air-gapped mode.


← PullGuard home Configuration reference →