Last updated: April 8, 2026
PullGuard is a static analysis tool that scans source code for security vulnerabilities, code quality issues, and compliance gaps. The service runs as a GitHub Action on your own GitHub Actions runners. Your code is processed locally on your infrastructure and is never transmitted to PullGuard servers.
License keys are issued per-repository and are non-transferable. Each key is cryptographically bound to the purchasing organization and, where applicable, to specific repositories. Sharing license keys outside your organization is prohibited. Free tier usage requires no license key.
You may use PullGuard to scan code repositories you own or have authorization to scan. You may not:
PullGuard processes your source code entirely on your GitHub Actions runners. No source code, findings, or analysis results are transmitted to PullGuard servers. The scanner's external network calls are: (a) public vulnerability databases (OSV API) and package registries (npm, PyPI, Maven/Gradle, Go, RubyGems) for dependency version checking; (b) on paid tiers, a license-validation call to pullguard.dev/api/validate that sends only your license key and repository name (never code) to confirm an active subscription; and (c) a fetch of the signed compliance-control catalogue and the public CISA KEV threat feed from pullguard.dev/api/rules (an anonymous request — no license key, repository name, or code). See our Privacy Policy §3 and §5 for the full per-endpoint detail.
PullGuard subscription tiers are billed via Stripe (Pro and Team) or via annual contract (Enterprise). Pro is monthly at the price listed on pullguard.dev for one private repository. Team is monthly at the price listed for up to ten private repositories with no contributor limit. Enterprise is sold under an annual master service agreement with custom repository scope and additional terms (SSO, audit-log export, support SLA). All payments are in USD. Pro and Team subscriptions can be cancelled at any time; cancellation takes effect at the end of the current billing period. License keys are revoked upon cancellation.
Tier limits are enforced via online validation at scan time. The Team tier accumulates the set of repositories it has scanned; once the ten-repository limit is reached, scans on additional new repositories run on the Free tier (14 analyzers) until either an existing repository is removed from the set (by emailing hello@pullguard.dev) or the customer upgrades to Enterprise. Existing repositories within the limit continue to scan at the full Team tier. Attempting to circumvent tier limits — for example by sharing license keys across organizations or using technical means to bypass online validation — constitutes a breach of these terms.
PullGuard is provided "as is" without warranty of any kind. PullGuard is a static analysis tool and does not guarantee the detection of all security vulnerabilities. It is not a substitute for manual security review, penetration testing, or compliance auditing. PullGuard shall not be liable for any damages arising from the use or inability to use the service, including but not limited to security breaches in scanned codebases.
PullGuard and its analyzers, detection patterns, scoring algorithms, and compiled artifacts are the intellectual property of PullGuard, licensed under the Business Source License 1.1 (BSL-1.1). The BSL-1.1 converts to Apache 2.0 on March 20, 2030. Your source code and analysis results remain your property at all times.
We may update these terms from time to time. Material changes will be communicated via email to active subscribers. Continued use of PullGuard after changes constitutes acceptance of the updated terms.
For questions about these terms: hello@pullguard.dev