Compliance Overview
MergeGuide maps your detection rules to compliance framework controls, tracks coverage over time, and exports evidence artifacts for auditors.
Supported Frameworks
24 frameworks across three categories:
Security Frameworks
| Framework | What It Covers |
|---|---|
| NIST SSDF | NIST Secure Software Development Framework — development lifecycle security practices |
| OWASP Top 10 | OWASP’s top 10 web application security risks |
| OWASP ASVS L1 | Application Security Verification Standard Level 1 — basic security controls |
| OWASP ASVS L2 | Application Security Verification Standard Level 2 — defense-in-depth controls |
| CWE Top 25 | MITRE Common Weakness Enumeration — most dangerous software weaknesses |
| CIS Controls | Center for Internet Security — prioritized security actions |
| SLSA | Supply chain Levels for Software Artifacts — build integrity and provenance |
Regulatory Compliance
| Framework | Applicable To |
|---|---|
| SOC 2 | Service organizations handling customer data |
| HIPAA | Healthcare organizations and business associates |
| PCI-DSS | Organizations handling payment card data |
| ISO 27001 | International information security management standard |
| GDPR | EU data protection regulation |
| FedRAMP | US federal government cloud services |
| StateRAMP | US state government cloud services |
Industry-Specific
| Framework | Applicable To |
|---|---|
| NYDFS 23 NYCRR Part 500 | New York financial services cybersecurity |
| CMMC 2.0 Level 2 | US defense contractors |
| NIST AI Risk Management Framework | AI system governance |
| HITRUST CSF v11 | Healthcare information security |
| FFIEC D&A Booklet | US financial institution examination |
| OWASP Top 10 for Agentic Applications | AI agent security |
Emerging Regulations
| Framework | What It Covers |
|---|---|
| EU AI Act | EU regulation on artificial intelligence systems |
| DORA | EU Digital Operational Resilience Act (financial sector) |
| NIS2 | EU Network and Information Security Directive 2 |
| Colorado AI Act | US state AI regulation — SB 24-205 |
How Coverage Works
Each detection rule is mapped to one or more framework controls. When a policy evaluates code and produces a result — pass or fail — that result becomes compliance evidence.
Example mapping:
no-hardcoded-secrets → SOC 2 CC6.1, NIST SSDF PW.9.1, PCI-DSS 6.3.2, HIPAA §164.312(a)(2)(iv)
The dashboard shows coverage percentage: what fraction of the framework’s controls are covered by at least one active MergeGuide policy.
Framework Templates
Each supported framework has a policy template — a curated set of policies pre-mapped to the framework’s controls. Enable a template to instantly cover that framework:
- Go to Compliance > Frameworks
- Select a framework
- Click Enable Template
- Review the policies that will be activated
- Confirm
Templates can be customized. You can add additional policies or adjust severity levels after enabling.
Feature Availability by Plan
| Feature | Free | Pro | Team | Business | Enterprise |
|---|---|---|---|---|---|
| OWASP Top 10, CWE Top 25 | ✓ | ✓ | ✓ | ✓ | ✓ |
| OWASP ASVS, PCI-DSS, CIS Controls, OWASP Agentic Apps | — | — | ✓ | ✓ | ✓ |
| SOC 2, HIPAA, EU AI Act, GDPR, NIST SSDF, DORA, ISO 27001 | — | — | — | ✓ | ✓ |
| NYDFS Part 500, CMMC 2.0, NIST AI RMF, HITRUST, FFIEC | — | — | — | ✓ | ✓ |
| NIST SP 800-53, SLSA v1.0, FedRAMP, StateRAMP, NIS2, Colorado AI Act | — | — | — | — | ✓ |
| OSCAL export | — | — | — | ✓ | ✓ |
| SAML 2.0 SSO / OIDC | — | — | ✓ | ✓ | ✓ |
| SCIM v2 provisioning | — | — | — | ✓ | ✓ |
| OSCAL webhooks (automated GRC delivery) | — | — | — | — | ✓ |
| SBOM (CycloneDX / SPDX) | — | — | ✓ | ✓ | ✓ |
| PolicyMerge | — | — | ✓ | ✓ | ✓ |
| Bypass rate tracking | ✓ | ✓ | ✓ | ✓ | ✓ |
| Immutable evidence trail | — | — | — | ✓ | ✓ |
Evidence Generation
MergeGuide generates compliance evidence in two formats.
NIST OSCAL v1.1.2
The machine-readable standard for compliance documentation. OSCAL output includes:
- 24 custom assessment catalogs (one per mapped framework)
- Assessment results linking each control to policy evaluation data
- Plan of Actions and Milestones (POA&M) for violations
OSCAL files can be imported directly into GRC platforms: Drata, Vanta, Secureframe, Tugboat Logic, RegScale, and any OSCAL-compatible tool.
Export: Dashboard > Compliance > Export > OSCAL
API:

```bash
curl -X POST https://api.mergeguide.ai/v1/compliance/reports \
  -H "Authorization: Bearer $MERGEGUIDE_API_KEY" \
  -d '{"frameworks": ["soc2", "hipaa"], "format": "oscal", "date_range": {"start": "2026-01-01", "end": "2026-03-31"}}'
```
CSV / PDF
For human-readable audit evidence:
Export: Dashboard > Compliance > Export > CSV or PDF
PolicyMerge
When multiple frameworks are active, PolicyMerge deconflicts overlapping requirements:
- Identifies controls that appear in multiple frameworks
- Applies strictest-wins resolution when frameworks have conflicting requirements
- Visualizes overlap in the dashboard
- Generates merged assessments covering all active frameworks in a single report
Without PolicyMerge, enabling SOC 2 + ISO 27001 + HIPAA could trigger duplicate alerts for the same code pattern across three frameworks. PolicyMerge collapses these into a single finding mapped to all three frameworks.
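The coverage calculation described under How Coverage Works and the PolicyMerge collapse described above, as an added illustration that is not MergeGuide's own code: `coverage` computes the fraction of a framework's controls hit by at least one active rule, and `policy_merge` folds per-framework findings for the same rule at the same location into one finding with strictest-wins severity. The `no-hardcoded-secrets` mapping is the page's example; the other rule, the `PLACEHOLDER-*` control ids and the catalog sizes are constructed for this example.

```python
from dataclasses import dataclass

# Constructed rule -> {framework: controls} mappings in the page's form. The
# no-hardcoded-secrets row is the page's own example; the other rule and all
# PLACEHOLDER-* control ids are made up for illustration.
RULE_CONTROLS = {
    "no-hardcoded-secrets": {"SOC 2": {"CC6.1"}, "NIST SSDF": {"PW.9.1"},
                             "PCI-DSS": {"6.3.2"}, "HIPAA": {"164.312(a)(2)(iv)"}},
    "example-input-validation": {"SOC 2": {"CC6.1"}, "PCI-DSS": {"PLACEHOLDER-1"}},
}
# Constructed catalogs (placeholder control ids, not the real framework sizes).
FRAMEWORK_CATALOG = {
    "SOC 2": {"CC6.1", "PLACEHOLDER-A", "PLACEHOLDER-B"},
    "PCI-DSS": {"6.3.2", "PLACEHOLDER-1", "PLACEHOLDER-2", "PLACEHOLDER-3"},
}

def coverage(framework, active_rules):
    """Fraction of a framework's controls covered by at least one active rule."""
    catalog = FRAMEWORK_CATALOG[framework]
    covered = set()
    for rule in active_rules:
        covered |= RULE_CONTROLS.get(rule, {}).get(framework, set())
    return len(covered & catalog) / len(catalog)

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass(frozen=True)
class Finding:
    rule: str       # detection rule that fired
    location: str   # file:line of the matched code pattern
    framework: str  # framework whose template raised it
    control: str    # control id within that framework
    severity: str   # severity that framework's template assigns

def policy_merge(findings):
    """Collapse per-framework findings for the same rule at the same location
    into one finding mapped to every framework, keeping the strictest severity."""
    merged = {}
    for f in findings:
        entry = merged.setdefault((f.rule, f.location), {
            "rule": f.rule, "location": f.location, "controls": {}, "severity": "low"})
        entry["controls"].setdefault(f.framework, set()).add(f.control)
        if SEVERITY_RANK[f.severity] > SEVERITY_RANK[entry["severity"]]:
            entry["severity"] = f.severity   # strictest-wins resolution
    return list(merged.values())
```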
Bypass Rate as Compliance Evidence
Every policy override — when a developer bypasses a failing check — is logged automatically. Bypass rate tracking serves as evidence for:
- SOC 2 CC6.1 (logical access control monitoring)
- NIST SSDF RV.1.3 (tracking and remediation)
- ISO 27001 A.12.6.1 (management of technical vulnerabilities)
Dashboard: Compliance > Bypass Rate