23 compliance policies. 8 framework mappings. 100+ controls. Auto-remediation. Visual policy builder. Enterprise SSO. BuildGuard continuously enforces your policies and generates the evidence your auditors need.
// POLICY_LIBRARY
Every policy maps to real compliance framework controls. Each is evaluated automatically on every scan.
Detects containers configured to run as root, which increases the attack surface and violates least-privilege principles.
Ensures every repository has a CODEOWNERS file defining clear ownership and accountability for code changes.
Detects committed secrets and environment files that could lead to credential leakage and unauthorized access.
Validates that branch protection rules enforce PR reviews, admin enforcement, and stale review dismissal.
Enforces that the same individual cannot both author and approve changes to production code.
Ensures every repository has a CI/CD pipeline configured via GitHub Actions workflows.
Ensures every repository contains a LICENSE file defining legal terms for code usage and distribution.
Ensures every repository has a SECURITY.md file defining vulnerability disclosure and incident response procedures.
Ensures all GitHub Actions references use commit SHA pinning instead of mutable tags to prevent supply-chain attacks.
Ensures the default branch follows the standard naming convention (main) for consistency and governance.
Enforces that commits on the default branch are cryptographically signed, ensuring author identity verification.
Verifies that Dependabot is configured for automated dependency update alerts and security patches.
Ensures every repository has a README file providing documentation, purpose, and usage instructions.
Validates that GitHub Actions workflow permissions follow the principle of least privilege.
Ensures a pull request template exists to standardize change descriptions and review checklists.
Verifies that dependency vulnerability scanning is enabled to detect known CVEs in third-party packages.
Validates CI/CD pipeline configurations for security best practices including restricted runners and environment protections.
Ensures Software Bill of Materials generation is configured for supply chain transparency and vulnerability tracking.
Detects stale collaborators and over-permissioned access tokens that increase the risk of unauthorized changes.
Validates that repositories have proper visibility classification and that public/private governance policies are enforced.
Ensures force push is disabled on protected branches to prevent history rewriting and maintain audit integrity.
Verifies that organization audit logging is enabled with appropriate retention periods for compliance requirements.
Validates that two-factor authentication is required for all organization members to prevent unauthorized access.
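The detection logic behind two of the policies listed above, the commit-SHA pinning check for GitHub Actions references and the non-root container check, as an added example written in Python rather than BuildGuard's Rego (this is not the product's own code). The workflow and Dockerfile snippets are constructed, and the 40-hex SHA is a placeholder, not a real commit.

```python
import re

# A ref is pinned only if it is a full 40-hex commit SHA; tags and branches are mutable.
_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
_USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")


def unpinned_action_refs(workflow_yaml: str) -> list[str]:
    """Return every `uses:` reference not pinned to a full commit SHA."""
    findings = []
    for line in workflow_yaml.splitlines():
        m = _USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        # Local actions and docker:// images are not resolved through a mutable Git ref.
        if ref.startswith(("./", "docker://")):
            continue
        _, _, version = ref.rpartition("@")   # no "@" at all also counts as unpinned
        if not _SHA_RE.match(version):
            findings.append(ref)
    return findings


def runs_as_root(dockerfile: str) -> bool:
    """True if the final stage leaves the container running as root (unknown user = root)."""
    text = re.sub(r"\\\s*\n", " ", dockerfile)   # join backslash line continuations
    user = "root"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        instr, args = parts[0].upper(), (parts[1] if len(parts) > 1 else "")
        if instr == "FROM":
            user = "root"          # each stage starts as root unless it sets USER itself
        elif instr == "USER":
            user = args.strip()
    uid = user.split(":")[0]
    # UID 0, the name root, or an unresolved ${VAR} all fail closed as root.
    return uid in ("root", "0") or uid.startswith("$")


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real repository; the SHA is a placeholder.
    WORKFLOW = "steps:\n  - uses: actions/checkout@v4\n  - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567\n  - uses: ./.github/actions/local\n"
    DOCKERFILE = "FROM python:3.12 AS build\nUSER 1000\nFROM python:3.12-slim\nCOPY --from=build /app /app\nUSER root:root\n"
    print(unpinned_action_refs(WORKFLOW))   # ['actions/checkout@v4']
    print(runs_as_root(DOCKERFILE))         # True
```

Both checks fail closed: a `uses:` with no version at all and a final stage whose USER cannot be resolved statically are reported, so an unresolvable `${VAR}` user is surfaced for review rather than passed.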
// FRAMEWORK_MAPPING
Every policy maps to specific compliance framework controls. Show your auditors exactly which controls BuildGuard covers and where your gaps are.
- SOC2: Trust Services Criteria
- SOX: Section 404 (ITGC)
- NIST: Security & Privacy Controls
- ISO 27001: 2022 Annex A Controls
- PCI-DSS: Payment Card Industry
- FedRAMP: Moderate Baseline
- CIS: v8 Implementation Groups
- HIPAA: Security Rule Technical Safeguards
// HOW_IT_WORKS
BuildGuard connects to your GitHub org via GitHub App and scans every repository's configuration, files, and branch settings.
23 OPA/Rego policies evaluate each repository against security, governance, and compliance requirements.
Every finding is recorded in a PostgreSQL evidence ledger with full audit trail for compliance reporting.
Auto-remediation opens PRs to fix issues: adding CODEOWNERS files, fixing Dockerfiles to use non-root users.
Export compliance reports as PDF, HTML, or JSON with framework control mappings. View results on the web dashboard or hand directly to auditors.
// KEY_CAPABILITIES
Most tools only detect. BuildGuard opens pull requests to fix violations automatically — adding CODEOWNERS files, fixing Dockerfiles to run as non-root.
Every scan result is recorded in PostgreSQL with timestamps, policy IDs, severity, and remediation status. Built-in audit trail, not bolted on.
Built on Open Policy Agent. Write custom .rego policies and drop them into the scan loop. Extensible by design for compliance teams.
Real-time compliance metrics, org-wide scores, per-repo drill-down, and 30-day compliance trend lines. Built for GRC teams and engineering managers.
Slack webhook alerts and generic webhook support on scan completion. Configurable notification rules with full delivery tracking and logs.
Export PDF, HTML, and JSON reports mapped to SOC2, SOX, NIST, ISO 27001, PCI-DSS, FedRAMP, CIS, and HIPAA controls. Hand directly to auditors.
// FEBRUARY_2026
Visual policy creation, enterprise SSO, SIEM integration, and more.
Create compliance policies with drag-and-drop — no Rego code required. 5 sample templates included. Real-time Rego preview.
SAML 2.0 Single Sign-On with pre-configured support for Okta, Azure AD, and OneLogin. Enforce SSO for your entire organization.
Stream compliance events to Splunk (HEC), Datadog, or Elasticsearch. CEF and Syslog formats supported. Real-time event streaming.
Create API tokens with granular scopes (read:repos, write:scans, admin). Set expiration dates. Full token management UI.
Drag-and-drop to reorder policies. Enable/disable with one click. Customize severity levels per policy.
5-step wizard: Connect GitHub → Select Repos → Configure Policies → Done. Get compliant in minutes, not hours.
New framework mapping for CIS Controls v8. 20+ controls mapped to BuildGuard policies for security hardening.
New framework mapping for HIPAA Security Rule. Access control, audit controls, and integrity controls covered.
// PLATFORM_FEATURES
Beyond scanning — BuildGuard is a full compliance platform with multi-org support, RBAC, and policy lifecycle management.
Tenant isolation for multiple GitHub organizations with per-org configuration and policy overrides.
Role-based access control with admin, maintainer, and viewer roles for team-based governance.
Granular API tokens with scopes (read:repos, write:scans, admin), expiration dates, and full management UI.
Author and deploy custom OPA/Rego policies through the dashboard with version control.
30-day compliance history with daily snapshots and trend visualization per repo and org-wide.
Live progress tracking with per-repo status updates and scan history with full audit trail.
Full delivery tracking for Slack and webhook notifications with status, timestamps, and error details.
Draft, review, approve, and activate policies with version history and approval workflows.
// DEPLOYMENT
CLI, GitHub Action, Docker, or REST API. BuildGuard fits into your existing workflow.
// COVERAGE_MATRIX
Which frameworks does each policy satisfy? The reverse mapping for your compliance team.
| Policy | SOC2 | SOX | NIST | ISO 27001 | PCI-DSS | FedRAMP | CIS v8 | HIPAA |
|---|---|---|---|---|---|---|---|---|
| POL-SEC-01 | CC7.1 | ITGC-01 | AC-6, CM-2 | A.9.2.3 | 2.2.1 | CM-2 | 4.1 | 164.312(c) |
| POL-GOV-02 | CC7.1 | ITGC-04 | CM-3, SI-7 | A.12.1.2 | 6.5.1 | SI-7 | 6.1 | — |
| POL-SEC-03 | CC6.1, CC7.2 | ITGC-02 | SC-28 | A.18.1.3 | 8.3.1 | SC-12 | 3.3 | 164.312(d) |
| POL-SEC-04 | CC6.1, CC8.1 | ITGC-01 | AC-2, CM-3 | A.9.2.3 | 6.5.1, 7.2.1 | CM-6 | 6.1 | 164.312(a) |
| POL-SOX-01 | CC6.2, CC8.1 | ITGC-03 | AC-3, AC-5 | A.12.1.2 | — | AC-5 | 6.1 | — |
| POL-SEC-05 | CC8.1 | — | CM-3 | — | — | — | 16.1 | — |
| POL-SEC-06 | — | — | — | A.18.1.3 | — | — | — | — |
| POL-GOV-03 | CC7.2 | — | SI-5 | — | — | — | — | — |
| POL-SEC-07 | — | — | SI-7 | — | 6.5.1 | — | 16.4 | 164.308(a)(5) |
| POL-GOV-04 | CC7.1 | — | CM-2 | — | — | — | 4.1 | — |
| POL-SEC-08 | CC6.6 | — | IA-5 | A.8.28 | — | IA-5 | — | 164.312(d) |
| POL-SEC-09 | CC7.1 | ITGC-05 | RA-5, SI-2 | A.12.6.1 | 6.2.4 | RA-5 | 7.1, 7.4 | — |
| POL-GOV-05 | — | — | SA-15 | A.5.9 | — | — | 2.1 | — |
| POL-SEC-10 | CC6.1 | ITGC-02 | AC-6 | A.9.4.1 | 7.2.1 | AC-6 | 6.1 | 164.312(a) |
| POL-GOV-06 | CC8.1 | ITGC-01 | CM-3 | A.14.2.2 | — | — | — | — |
| POL-SEC-11 | CC7.1, CC7.4 | ITGC-05 | RA-5, SI-2 | A.12.6.1 | 6.2.4, 11.3.1 | RA-5, SI-2 | 7.1, 7.4 | 164.308(a)(1) |
| POL-SEC-12 | CC8.1 | ITGC-01 | SA-11, CM-3 | A.8.25 | 6.5.1 | SA-11 | 16.1 | — |
| POL-SEC-13 | — | — | SR-4 | A.5.9 | 6.3.2 | SR-4 | 2.1 | — |
| POL-SEC-14 | CC6.1 | ITGC-01 | CM-3 | A.14.2.2 | 6.5.1 | CM-3 | 4.1 | 164.312(c) |
| POL-SEC-15 | CC6.1, CC6.6 | ITGC-02 | IA-2 | A.9.2.3 | 8.3.1 | IA-2 | 6.3, 6.5 | 164.312(d) |
| POL-GOV-07 | CC6.2, CC6.3 | ITGC-06 | AC-2 | A.9.2.3 | 7.2.1 | AC-2 | 5.1, 5.3 | 164.312(a) |
| POL-GOV-08 | CC6.1 | ITGC-02 | AC-3, SA-15 | A.8.9 | — | AC-3 | 1.1 | — |
| POL-GOV-09 | CC7.2 | ITGC-04 | AU-2, AU-6 | A.12.4.1 | 10.2 | AU-2 | 8.2 | 164.312(b) |