Automate Compliance Evidence. Ship Faster.
MergeWhy captures the “why” behind every code change at merge time — giving you tamper-proof, audit-ready evidence across 12 compliance frameworks, with zero engineering effort.
feat: add payment processing module
PR #847 · main ← feature/payments · merged 2 min ago
Built for the world's most regulated engineering teams
Compliance is slowing you down — risk is piling up
Managing software delivery changes with manual processes causes delays, increases waste, and introduces risks. The bottleneck isn't CI/CD — it's manual evidence collection and approvals.
Every audit cycle, engineering teams scramble to reconstruct the "why" behind months of changes. MergeWhy eliminates that scramble entirely.
400+ hours / year spent manually assembling change evidence for SOX ITGC audits
35% error rate in manually gathered compliance evidence across engineering teams
99% not ready: defense contractors unprepared for CMMC Level 2 certification
2026 deadline: OSCAL becomes mandatory for FedRAMP — zero agencies have submitted
How it works
Three steps. Zero effort.
Install the GitHub App. Engineers merge normally. Auditors get instant, tamper-proof evidence.
STEP 01
Install the GitHub App
One click. No configuration. MergeWhy connects to your repositories and starts listening for pull requests immediately.
→ Connected to 6 repositories
Listening for pull requests...
STEP 02
Engineers merge normally
No workflow changes. Every PR automatically gets a Decision Evidence Record — description, tickets, reviews, CI results, AI analysis.
DER created · Score: 92/100
STEP 03
Auditors get instant evidence
Evidence scored 0-100, compliance evaluated across 12 frameworks, and cryptographically sealed in the vault.
Vault sealed · SHA-256
Capture → Evaluate → Seal
Automated governance across your entire software delivery lifecycle. From code change to audit-ready evidence — zero manual steps.
Stage 01
Capture
Know what changed and why. Every PR automatically generates a Decision Evidence Record with full provenance.
Stage 02
Evaluate
AI analysis + compliance evaluation across 12 frameworks. Every control checked, every gap surfaced.
AI: Change introduces payment processing with proper error handling. Risk assessment: LOW. Audit summary generated.
Stage 03
Seal
Cryptographically sealed in the Evidence Vault. Immutable, tamper-evident, auditor-ready. Forever.
sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495
< 2s end-to-end latency
0 lines of config
100% fully automatic
SHA-256 evidence integrity
Platform
Turn compliance into a competitive advantage
Everything auditors need, nothing engineers have to do. From evidence capture to audit-ready exports — fully automated.
Evidence Scoring
Every change scored 0-100 across 6 dimensions — automatically.
12 Compliance Frameworks
Every PR automatically evaluated against per-control requirements. No manual mapping needed.
- SOC 2: 42 controls
- SOX ITGC: 22 controls
- HIPAA: 18 controls
- CMMC: 110 controls
- FedRAMP: 325 controls
- NIST: 280 controls
- ISO 27001: 93 controls
- PCI-DSS: 12 controls
- DORA: 18 controls
- GDPR: 10 controls
- SOX 404: 8 controls
- Custom
Evidence Vault
SHA-256 cryptographic sealing at merge time. Immutable, tamper-evident snapshots.
Vault sealed
Mar 15, 2026 · 14:32 UTC
sha256:a1b2c3d4e5f6...7890abcd
✓ Integrity verified · Tamper-proof
Audit Bundles & OSCAL
One-click ZIP packages, OSCAL 1.1.2 JSON, or AuditBoard CSV imports.
audit-bundle-q1-2026.zip (2.4 MB)
ssp-fedramp.oscal.json (847 KB)
sox-itgc-evidence.csv (128 KB)
CI/CD Integration
CLI with 35+ commands. Deployment gates enforce evidence thresholds.
$ npx mergewhy-collector report
✓ Evidence score: 94/100
✓ SOC 2: PASS (42/42 controls)
✓ Vault sealed: sha256:a1b2...
→ Gate: PASS (min: 80)
Supported compliance frameworks
Ask anything about your compliance posture
MergeWhy's AI Knowledge Base understands your entire compliance history. Ask natural-language questions and get instant, evidence-backed answers.
"Which PRs failed SOX ITGC controls last quarter?"
Instantly surfaces non-compliant changes with evidence links
"Generate an audit summary for our SOC 2 review"
AI-written narratives backed by sealed vault evidence
"What's our CMMC SPRS score right now?"
Real-time scoring with control-by-control breakdown
Deployment
Deploy anywhere
SaaS, self-hosted, or air-gapped. Run MergeWhy wherever your compliance and data sovereignty requirements dictate.
SaaS Cloud
Fastest to start
Managed infrastructure with automatic updates. Sign up and start capturing evidence in minutes.
Webhooks → Cloud → UI
- Clerk SSO
- Managed PostgreSQL
- Auto-updates
- Zero infrastructure
Self-Hosted
Your infrastructure
Docker Compose or Kubernetes Helm chart. OIDC SSO with any IdP. Your data never leaves your environment.
$ docker compose up -d
✓ postgres: healthy
✓ mergewhy: running :3000
→ OIDC configured (Okta)
- OIDC / SAML SSO
- Helm chart + Docker Compose
- S3 or MinIO storage
- Bring your own LLM
Air-Gapped
Defense & government
Source code never leaves your network. A 479 KB agent evaluates evidence locally, signs attestations with Ed25519, and pushes only results.
Your Network (Code + Evidence) → Ed25519 → MergeWhy (Scores only)
- Ed25519 attestation signing
- Data sovereignty guaranteed
- 479 KB single-binary agent
- SBOM + security attestations
SHA-256 evidence integrity: cryptographic vault sealing
12 frameworks: compliance standards supported
35+ dashboard pages: complete compliance platform
Open source collector agent: inspect every line of code
Pricing
Pay per developer. Scale with your team.
Only pay for active developers who merge code. No per-repo fees. No framework surcharges.
Free
For developers evaluating compliance automation on personal projects.
- Up to 5 developers
- 3 repositories
- 1 compliance framework
- Evidence scoring & gaps
- Community support
Team
For startups building audit-ready evidence from day one.
- Unlimited repositories
- All 12 frameworks
- AI analysis (Claude)
- Evidence vault + sealing
- Audit bundle export
- Gap alerts (email + Slack)
- Email support
Business
For mid-market teams with regulatory requirements and audit deadlines.
- Everything in Team
- OSCAL 1.1.2 export (FedRAMP)
- SOX audit sampling
- AuditBoard CSV integration
- Cloud integrations (AWS/GCP/Azure)
- Outbound webhooks & API
- SSO (SAML / OIDC)
- Priority support + SLA
Enterprise
For regulated organizations with data sovereignty and compliance mandates.
- Everything in Business
- Self-hosted deployment
- Air-gapped collector agent
- Ed25519 attestation signing
- Bring your own LLM
- Dedicated success manager
- Custom SLAs & BAA
- Volume discounts (200+ devs)
Example: A 25-developer team on Business pays $1,175/mo — less than a single Vanta license.
Only active developers who merge PRs count toward your seat total. Bots, read-only users, and auditors are always free.
Ready to automate compliance evidence?
Install the GitHub App, merge your next PR, and see your first Decision Evidence Record in under two minutes.