v4.5 · Signed evidence chain · OSCAL native · Public Rekor · CLI + SDK

Audit evidence at merge time,
not audit time.

MergeWhy captures cryptographic evidence from every pull request — reviews, CI, tickets, deploys — into a tamper-evident chain anchored to Sigstore's public transparency log. Your auditor verifies without trusting us. Your engineers stop hunting for screenshots.

Read-only GitHub scopes · Works alongside your existing compliance stack · Self-hosted available
THE CHAIN

Click any container.
See the chain back to the PR.
Verify against Sigstore Rekor.

Every binary running in production has a signed, unbroken chain back to the PR that created it, the human who approved it, the tests that passed, and the controls it satisfies. Auditors without a MergeWhy account verify against the public log in one command.

  • Artifact → PR → reviewer → tests → vault → Rekor — every link Ed25519-signed
  • Runtime drift detection — unauthorized digests trigger alerts within 15 min
  • Publicly verifiable — the auditor doesn't have to trust MergeWhy, only Rekor + Ed25519 math
# auditor laptop · zero MergeWhy account · zero auth
$ npx mergewhy verify-chain a1b2c3d --org=acme
✓ Chain intact for commit a1b2c3d
Repo:     acme/payments-api
Anchored:  2026-05-09T00:36:18Z
Rekor:     log index 1398873504
Verifier:  ed25519 OK · fingerprint b898a220
# trust chain: Rekor (public log) + Ed25519 (RFC 8032)
# auditor doesn't have to trust MergeWhy
Works with: GitHub · GitLab · Jira · Linear · AWS · Google Cloud · Azure · Datadog · Snyk · Okta
400+
Engineering hours saved per SOX audit cycle
12
Compliance frameworks evaluated at every merge
30s
GitHub App install to first evidence record
3,360
Automated tests passing in CI right now
01 · The problem

Evidence gaps are audit failures waiting to happen.

Screenshots, self-attestations, and policy binders are already failing. Cryptographic evidence captured at merge time is the only thing auditors actually trust.

400+

Engineering hours per SOX cycle

Teams spend entire quarters taking screenshots, exporting Jira tickets, and assembling evidence binders — instead of shipping features.

35%

SOC 2 packages contain material errors

35% of SOC 2 evidence packages arrive at auditors with errors. Auditors spot-check samples, not systems.

494

Fabricated compliance audits exposed in 2026

A $32M YC-backed compliance tool was caught fabricating audit evidence for major tech companies. A PNG of a checkmark is not evidence.

99%

Defence contractors not CMMC-ready

CMMC enforcement is live. 80,000+ DoD contractors must verify 110 NIST 800-171 controls. 99% are not ready. Primes will fail DFARS.

Auditor trust stack

Five things your auditor can verify without trusting us.

Tamper-evidence, public anchoring, and auditor-controlled sampling are usually three different vendors. MergeWhy ships them in one GitHub App.

Cryptographic chain

Tamper-evident audit log

Every audit row links to the prior via SHA-256. Altered, deleted, or out-of-order rows surface in the verifier instantly.

SHA-256 · Ed25519ph
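As an added illustration of the row-to-row linking described above (this is not MergeWhy's code; the row layout, the canonical JSON encoding and the sample events are assumptions), a minimal SHA-256 hash chain with a verifier that surfaces altered, deleted and reordered rows:

```python
import hashlib
import json
GENESIS = "0" * 64  # prev-hash of the first row: nothing comes before it

def row_hash(row):
    # Canonical JSON so identical content always hashes identically.
    body = {"seq": row["seq"], "prev": row["prev"], "payload": row["payload"]}
    canon = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()

def append(chain, payload):
    # Each new row commits to the previous row's hash.
    prev = chain[-1]["hash"] if chain else GENESIS
    row = {"seq": len(chain), "prev": prev, "payload": payload}
    row["hash"] = row_hash(row)
    chain.append(row)
    return row

def verify(chain):
    """Return (ok, reason); catches altered, deleted and reordered rows."""
    expected_prev = GENESIS
    for i, row in enumerate(chain):
        if row["seq"] != i:
            return False, f"row {i}: sequence gap or reorder (seq={row['seq']})"
        if row["prev"] != expected_prev:
            return False, f"row {i}: prev-hash does not match prior row"
        if row_hash(row) != row["hash"]:
            return False, f"row {i}: content does not match stored hash"
        expected_prev = row["hash"]
    return True, "chain intact"

def build_sample_chain():
    # Constructed sample rows, reusing the PR/CI figures shown on the page.
    chain = []
    append(chain, {"event": "pr.opened", "pr": 4217})
    append(chain, {"event": "review.approved", "pr": 4217, "reviewer": "alice"})
    append(chain, {"event": "ci.pass", "pr": 4217, "checks": 412})
    append(chain, {"event": "pr.merged", "pr": 4217})
    return chain

def tamper(chain, kind):
    # Deep-copy via JSON, then apply one kind of damage a verifier must catch.
    bad = json.loads(json.dumps(chain))
    if kind == "alter":
        bad[1]["payload"]["reviewer"] = "mallory"  # edit content, keep stored hash
    elif kind == "delete":
        del bad[2]                                  # drop a row silently
    elif kind == "reorder":
        bad[1], bad[2] = bad[2], bad[1]             # swap two rows
    return bad
```

Note that silently truncating the tail of the chain still passes this local check; comparing the last hash against a publicly anchored chain head (the Rekor anchoring the next card describes) is what closes that gap.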
Public anchor

Anchored to Sigstore Rekor

Chain head signed and submitted to the public transparency log. Auditors verify inclusion without ever trusting MergeWhy.

rekor.sigstore.dev
PCAOB AS 2315

Auditor-controlled sampling

Your audit firm pulls a stratified random sample directly from the auditor portal. We can't pre-pick which changes they review.

Seeded · reproducible
Compensating controls

Named substitutes for missing primary controls

Define the substitute control your auditor will accept. Apply it to a gap, attest the evidence, get an immutable record.

SOC 2 CC8.1 · SOX BAI06
Segregation of duties

Author / Reviewer / Approver / Deployer matrix

Cross-role overlap detection on every change. Author-also-deploys is flagged with citations to SOC 2 CC6.1 and SOX ITGC.

ISO 27001 A.8.32
LIVE · Latest production chain head publicly anchored: Rekor entry #1398873504 →
02 · How it works

Three steps. Then it runs quietly, forever.

MergeWhy sits downstream of your existing flow. Engineers never see it. Compliance teams see everything.

01

Install

One-click GitHub App (GitLab + Bitbucket Q3). Read-only scopes on PR metadata, check runs, review events. SAML/SSO ready.

30s · org-level auth
02

Merge

Engineers merge as normal. MergeWhy captures the full context at merge time and emits a signed evidence record. No pipeline changes, no CI latency.

0ms added to CI
03

Prove

Export OSCAL / CSV, or grant auditors read-only portal access. Each record is SHA-256-hashed and Ed25519-signed — independently verifiable.

SOC 2 · SOX · FedRAMP
Flow · how it runs

From merge to auditor-ready, in one continuous chain.

Every change flows through five automated stages. No manual screenshots. No end-of-quarter fire drill.

Zero engineering work. No pipeline changes, no CI latency.
Immutable at the moment of merge. Not reconstructed after the fact.
Every stage is independently verifiable — hash, signature, and source.
03 · What we capture

Six signals, one signed record.

Each record is a Merkle-linked bundle. Change a byte after the fact and the signature breaks.

PR intent

Title, description, linked tickets. What changed and why.

#4,217 feat/retry-policy

Review & SoD

Approvals, self-approve detection, reviewer identity.

review.approved=2

Ticket linkage

Jira, Linear, GitHub Issues — bound, not inferred.

JIRA PAY-8821

CI & coverage

Check runs, durations, artifacts, coverage delta.

ci.pass=412 cov=87.3

Security scans

Snyk, Semgrep, CodeQL — SAST/SCA/secrets at merge.

sast.ok sca.ok

Deploy attestation

Which commit reached which environment, when.

prod ← 9f2c8a4d
04 · The evidence chain

Every artifact, every environment, one trail.

When an auditor asks how a line of code reached prod, you hand over a chain — not a folder.

commit
9f2c8a4d
  • GPG ok
  • author signed
attest
build
ci #812,411
  • sast ok
  • sca ok
  • 412/412
attest
staging
eu-staging-3
  • smoke ok
  • perf ok
  • approved
attest
prod
eu-prod-1
  • canary 10m ok
  • rollback ready
  • PAY-8821
chain: commit → build → staging → prod · 4 attestations · 1 trail verified · ed25519 · 4a7c…
Ask AI · auditor mode

Auditors type a question.
MergeWhy answers with evidence.

Grounded retrieval over your signed evidence vault. Every answer cites the underlying DER — PR, reviewer, CI run, ticket — so there's nothing to hallucinate and nothing to debate.

  • Natural-language queries across SOC 2, SOX, FedRAMP evidence
  • Citations back to signed DERs (no hallucination)
  • Read-only auditor access via scoped portal tokens
Frameworks

One evidence layer. Twelve frameworks.

Capture once, map anywhere. Every framework card shows the specific articles and controls MergeWhy evaluates on your merges.

SOC 2
ready
Articles supported: CC6.1 · CC6.6 · CC7.2 · CC8.1 · CM-3
SOX 404
ready
Articles supported: ITGC-Change · ITGC-Access · ITGC-Ops · CM-2 · CM-3
ISO 27001
ready
Articles supported: A.5.23 · A.8.15 · A.8.32 · A.8.33
HIPAA
ready
Articles supported: §164.308(a)(1) · §164.312(a) · §164.312(b) · §164.312(c)
GDPR
ready
Articles supported: Art. 25 · Art. 30 · Art. 32
PCI-DSS
ready
Articles supported: Req 6.3 · Req 6.4 · Req 10.2 · Req 10.3
FedRAMP
on track
Articles supported: CM-3 · CM-4 · CM-5 · AU-2 · AU-12
CMMC L1-3
on track
Articles supported: CM.L2-3.4.1 · CM.L2-3.4.3 · CM.L2-3.4.5 · AU.L2-3.3.1
NIST 800-53
ready
Articles supported: CM-3 · CM-4 · CM-5 · AU-2 · AU-12
DORA
ready
Articles supported: Art. 8 · Art. 9 · Art. 10
ISO 42001 (AI)
Q3 2026
Articles supported: A.6.2.6 · A.8.3 · A.8.4
EU AI Act (AI)
Q4 2026
Articles supported: Art. 9 · Art. 12 · Art. 15
Integrations

Works with the tools you already run.

See all integrations
GitHub
GitLab
Bitbucket
Jira
Linear
Snyk
semgrep
CodeQL
Datadog
PagerDuty
Okta
AWS
Google Cloud
Vault
FOR PLATFORM ENGINEERS

CLI. SDK. Terraform. OpenAPI.
Configure as code, ship in minutes.

No procurement-review surprises. Every surface is open, documented, and scriptable. Wire MergeWhy into your stack in under an hour.

npm install -g mergewhy-collector
The mergewhy CLI

10+ commands: login, attest, ders, bundles, oscal, waivers, verify-chain, auditor-sample, compensating-control, sync.

npm install @mergewhy/sdk
TypeScript SDK

7KB single-file ESM+CJS. Zero runtime deps. Typed MergeWhyClient + ApiError. Custom-fetch injection.

GET /api/v1/openapi.json
OpenAPI 3.1 + Swagger UI

Codegen-ready spec covering 19+ public operations. Try-it-out playground at /api/v1/docs.

terraform-provider-mergewhy
Terraform provider

Manage frameworks, repos, webhooks, waivers as IaC. Go-based provider; ready for registry.terraform.io.

Copy-paste CI recipes: GitHub Actions · Jenkins · CircleCI · GitLab CI · Tekton · Buildkite
Continuous Control Monitoring

Per-event control evaluation. Not daily polling.

Most compliance tools snapshot your cloud posture once a day and call it monitoring. MergeWhy evaluates every code change against every enabled framework at the exact moment it merges — and gives each control an uptime % so auditors can see "this control passed 99.4% of changes in Q1" instead of a static checkmark.

Per-event
Every merged PR triggers control evaluation — not a nightly cron, not a once-a-week posture scan.
26
Frameworks evaluated continuously: SOC 2, SOX ITGC, HIPAA, ISO 27001, NIST 800-53, FedRAMP, CMMC, PCI-DSS, more.
Uptime %
We track control uptime the same way you track service uptime: passing checks ÷ total checks, surfaced per control.
Why MergeWhy

Evidence that survives a real audit.

Columns compared: MergeWhy (cryptographic evidence) · Screenshot GRC (legacy SaaS) · Spreadsheets (folder of PNGs)

Rows compared:
  • Cryptographic proof
  • Merge-time capture
  • OSCAL export
  • Tamper detection (manual)
  • Self-hosted option
  • SOX sampling engine (partial)
  • Evidence reproducibility (manual)
Deployment

Hosted, or entirely inside your perimeter.

Default · Managed

SaaS

We host. 30-second install. US or EU data residency, 99.9% SLA on evidence capture.

  • GitHub App, read-only scopes
  • Regional data residency (US/EU)
  • Append-only vault with hourly signed rollups
  • 99.9% SLA on evidence capture
Regulated · defence air-gap ready

Self-hosted

Runs inside your VPC. Docker Compose, Kubernetes Helm, or Nomad. Source never leaves your network.

  • Docker Compose / Kubernetes Helm / Nomad
  • Air-gapped mode, offline licence
  • BYO KMS: Vault, AWS KMS, GCP KMS
  • FedRAMP High reference architecture
Pricing

Four ways in. No seat fees. No evidence overages.

Try free, start with a founding-customer Sprint, or jump to a subscription. Every plan includes the same cryptographic evidence model.

Pilot
Free

3 repositories. All core capture. No credit card.

Install GitHub App
Growth
$999 / month

Unlimited repos. All twelve frameworks. Audit portal.

Start 14-day trial
Enterprise
Custom

Self-hosted. SSO, SCIM, custom frameworks, on-call.

Talk to the team
READY WHEN YOU ARE

Stop explaining to auditors.
Start showing them.

Install on a repo this afternoon. Hand over a signed evidence bundle next week.

avg. time from install to first signed record · 4m 11s