
Documentation, the short kind.

Everything you need to install, configure, and get the most out of MergeWhy — from quick-start to air-gapped deployment.


Concepts

Start here. What MergeWhy is, what a Decision Evidence Record is, how the tamper-evidence chain works, and how Sigstore Rekor anchoring gives auditors a public proof they can verify without trusting us.


Build vs buy

Yes, you could build this yourself. Here is what we have learned the hard way about why most teams shouldn't — and the cases where DIY actually makes sense.


Getting started

Set up MergeWhy in under two minutes. Install the GitHub App, connect your repositories, and see evidence captured from your first PR merge.


Self-hosted deployment

Deploy MergeWhy on your own infrastructure with Docker Compose or Kubernetes Helm charts. OIDC authentication, S3-compatible storage, pluggable LLM.


Configuration

Complete reference for every environment variable — database, authentication, storage, LLM providers, GitHub, Jira, Slack, and more.


OIDC authentication

Configure single sign-on with Okta, Azure AD (Entra ID), Keycloak, Auth0, or any OIDC-compliant identity provider. Role mapping and single-tenant mode.


API reference

REST API for CI/CD attestations, pipeline runs, build artifacts, and deployment tracking. API key authentication and rate limits.


CI CLI

35+ commands for attestations, artifacts, environments, compliance gates, drift detection, and change forensics. Auto-detects 9 CI providers.


Client-side collector

Open-source Docker agent for defense and government environments. Evaluates evidence locally, signs attestations with Ed25519, pushes only structured results.


Pre-auditor readiness

Built-in modules for operational controls — access reviews & SoD, incident response, BC/DR testing, training & awareness, and audit prep checklists.


Live compliance certificate

Share a public, real-time compliance URL with customers and auditors. Embeddable badges for your README and documentation.


Troubleshooting

Common issues with webhooks, database connections, OIDC authentication, and AI analysis. Error codes and debugging guides.
