
Introducing MergeGuide: AI Velocity. Enterprise Governance.

9 min read

Today we're publicly launching MergeGuide — the AI governance platform built for a development world where AI writes more code than humans.

MergeGuide exists because we believe organizations shouldn't have to choose between AI velocity and enterprise governance. That tradeoff is a false one, created by a tooling gap that no existing product addresses. Until now.

The Problem We Set Out to Solve

Enterprise software teams are adopting AI coding assistants at an extraordinary rate. GitHub Copilot, Claude, ChatGPT, Cursor — these tools can generate code 10x faster than manual development. The productivity gains are real and significant.

The challenge is equally real: AI-generated code can contain security vulnerabilities, compliance violations, and risky patterns. And it's being produced faster than traditional security review processes can validate.

We saw engineering leaders caught between two unacceptable options: allow AI freely and accept the risk, or restrict AI and fall behind. MergeGuide is the third option — governance that enables AI rather than restricting it.

What MergeGuide Does

MergeGuide validates every code change — whether written by humans or AI — against your organization's security and compliance policies. It works across four graduated layers, each shifting detection earlier in the development process for faster, cheaper remediation.

PolicyMesh — 4-Layer Velocity Engine (diagram)

Layer | Stage | Check | Remediation time | Fix cost
Layer 1: IDE | Writing | Real-time feedback as code is written | ~10 seconds | $0 impact
Layer 2: MCP (AI) | Generating | Policies injected before AI generates | ~30 seconds | $0 impact
Layer 3: Git Hooks | Committing | Pre-commit check before saving to VCS | ~5 minutes | Low impact
Layer 4: PR Gate | Merging | Server-side check before merge | ~2 hours | Review cycle cost

Each layer shifts detection left — fixing issues when they're cheapest to resolve. Earlier detection = faster velocity.
Fixing a violation in the IDE takes 10 seconds. The same violation caught at PR Gate costs a full review cycle. PolicyMesh shifts remediation to the earliest, cheapest layer.

Layer 1: IDE — Real-Time Feedback

MergeGuide's VS Code extension provides inline detection rule feedback as code is written. Vulnerabilities, secrets, and compliance violations appear as warnings directly in the editor — like spell-check for security. Developers fix issues in seconds, while context is fresh.

Layer 2: MCP — AI Policy Integration

This is where MergeGuide introduces a capability that is new to the market.

Through MCP (Model Context Protocol), MergeGuide injects your organization's detection rules, controls, and policies directly into AI assistants during code generation. Your AI assistant queries MergeGuide's policies before writing code. It knows which libraries are approved, which patterns are prohibited, and which compliance frameworks your organization follows.

The result: AI generates compliant code from the start. Prevention, not detection.

Layer 3: Git Hooks — Pre-Commit Validation

Before code leaves the developer's machine, MergeGuide's pre-commit hooks run a final local check. Any detection rule violations that slipped past the first two layers are caught here. The developer fixes them immediately — no code with known issues enters version control.

Layer 4: PR Gate — Server-Side Enforcement

The authoritative last line of defense. MergeGuide's PR Gate runs server-side when code is submitted for review, ensuring nothing reaches production without validation. Every evaluation generates a tamper-evident, SHA-256 hashed evidence artifact for compliance documentation. Each artifact documents the policy evaluated, rules triggered, files scanned, violations found, remediation actions, and a cryptographic hash chain — everything an auditor needs in a single, exportable record.
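As an added illustration (not MergeGuide's code or its actual artifact format), here is a minimal hash-chained evidence record of the kind described above, with a verifier that reports the first record whose body or back-link has been altered. Field names, the policy name, the rule id and the file path are assumptions for the example.

```python
import hashlib
import json

GENESIS = "0" * 64  # anchor prev_hash for the first artifact in a chain

def canonical(obj):
    """Deterministic JSON so equal records always hash equally."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def record_hash(body):
    return hashlib.sha256(canonical(body)).hexdigest()

def make_artifact(prev_hash, policy, rules_triggered, files_scanned,
                  violations, remediation, timestamp):
    """One evaluation record, sealed with SHA-256 over its body.
    Field names are hypothetical, chosen to match the fields the post lists."""
    body = {
        "policy": policy,
        "rules_triggered": sorted(rules_triggered),
        "files_scanned": sorted(files_scanned),
        "violations": violations,
        "remediation": remediation,
        "timestamp": timestamp,
        "prev_hash": prev_hash,  # back-link to the previous record
    }
    return {**body, "hash": record_hash(body)}

def verify_chain(artifacts, genesis=GENESIS):
    """Return (ok, index): ok is False at the first record whose body hash or
    back-link fails. The chain head (last hash) must be kept where the writer
    cannot alter it (signed or stored out of band) to be tamper-evident."""
    prev = genesis
    for i, art in enumerate(artifacts):
        body = {k: v for k, v in art.items() if k != "hash"}
        if art["prev_hash"] != prev or record_hash(body) != art["hash"]:
            return False, i
        prev = art["hash"]
    return True, len(artifacts)

def build_sample_chain():
    """Constructed sample: a PR Gate run that found a hardcoded secret, then a
    clean re-run after remediation. Rule id and path are made up."""
    hit = {"rule": "SEC-HARDCODED-SECRET", "file": "src/config.py", "line": 12}
    first = make_artifact(GENESIS, "pr-gate/default", [hit["rule"]], [hit["file"]],
                          [hit], ["moved credential to env var"], "2024-05-01T10:00:00Z")
    second = make_artifact(first["hash"], "pr-gate/default", [], [hit["file"]],
                           [], [], "2024-05-01T10:07:30Z")
    return [first, second]
```

Note that re-hashing an edited record only moves the failure to the next record's back-link, which is why the final hash has to be anchored outside the writer's control.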

Who MergeGuide Is For

Engineering Leaders: Adopt AI coding assistants across all teams without building a new security review process. MergeGuide provides the governance automatically.

Security Leaders: Every AI contribution validated before merge, with complete visibility into what AI is generating and proof that it meets your standards.

Compliance Teams: Demonstrate to auditors that AI-assisted development operates within defined boundaries, with tamper-evident evidence for every code change.

Developers: Security feedback while you're still working on the code, when it's easy to fix. No more surprise blocking comments during review.

Built for Teams of Every Size

MergeGuide works whether you're a solo developer or a 500-person engineering organization. Start small, scale up — the platform grows with you.

For individual developers: Install the VS Code extension, connect your repo, and get your first policy check in under 5 minutes. No sales call, no procurement process. The Free tier gives you full detection across all 739 rules.

For engineering organizations: Add compliance reporting, SSO, SCIM provisioning, and custom RBAC as your team grows. Dedicated support and custom retention policies for teams that need enterprise governance without enterprise friction.

Pricing That Scales With You

Tier | Price | Description
Free | $0 | Individual devs evaluating MergeGuide
Pro | $29/mo | Git hooks + priority support
Team | $39/seat | Shared policy management (2-9 seats)
Business | Contact Sales | Custom policies + compliance reports (10-49 seats) — transparent pricing, fast onboarding
Enterprise | Contact Sales | SSO, SCIM, custom RBAC, 730-day retention (custom up to 10 years)

What's Under the Hood

MergeGuide ships with 739 detection rules across 15+ programming languages, covering the vulnerabilities, secrets, and compliance violations most commonly introduced by AI coding assistants.

Capability | Detail
Detection rules | 739 rules across 15+ languages (JavaScript, TypeScript, Python, Go, Java, and more)
Framework coverage | 18+ compliance framework templates including NIST SSDF, OWASP ASVS, CIS Controls, SLSA, and more — comprehensive coverage of code-development-relevant controls
Regulatory mapping | 18+ frameworks including SOC 2, HIPAA, PCI-DSS, EU AI Act, and more
Evidence artifacts | SHA-256 hashed, timestamped, tamper-evident
Integrations | VS Code, Claude (MCP), GitHub, GitLab, Bitbucket, Azure DevOps; CI/CD integration
Time to first check | Under 5 minutes

Security & Privacy

MergeGuide is designed with enterprise security requirements in mind. The VS Code extension and Git hooks run locally — your code never leaves your machine for these layers. The PR Gate Lambda processes code server-side within your AWS environment. MergeGuide does not store your source code. Evidence artifacts are written to your own S3 bucket with customer-managed encryption keys. For organizations requiring additional assurance, contact us about our security architecture documentation and compliance posture.

The Vision

AI-assisted development is the most significant shift in software engineering since open source. It's happening whether organizations are ready or not. The question isn't whether to adopt AI — it's how to adopt AI responsibly.

MergeGuide's vision is to be the governance layer that makes this transition safe. We want every AI coding assistant to know your organization's policies before writing code. We want compliance evidence generated as a byproduct of development, not a separate workstream. We want governance that developers actually use because it makes their work better, not slower.

That's what we're building. And it starts today.

Ready to govern AI-generated code?

MergeGuide embeds policy enforcement into the tools developers already use. Start free in under five minutes.

Chuck McWhirter

Founder & CEO, MergeGuide

Cybersecurity veteran with nearly three decades of experience spanning malware analysis, application security, and security operations. U.S. Air Force veteran (Air Force CERT), CISSP since 2000. Previously led solutions architecture teams at ReversingLabs, McAfee, and ArcSight. Founded MergeGuide to solve the governance gap created by AI-assisted development.