The Change Evidence Platform

Auditors ask why.
MergeWhy has the answer.

Every pull request merge automatically captures tamper-proof evidence for SOC 2, SOX, HIPAA, CMMC, FedRAMP, and 7 more frameworks. Zero effort from engineers. Instant answers for auditors.

Decision Evidence Record

PR #847 — Add payment retry logic

87/100
Description quality
Jira ticket linked
Code review approved
CI tests passing
Security scan clean
AI risk assessment
Coverage threshold
SOC 2 PASS · SOX PASS · HIPAA PASS
Vault sealed · SHA-256 · Immutable

Built for engineering teams shipping compliant software

Series B+ Startups · Public Companies · Defense Contractors · Healthcare Orgs · Fintechs

400+

Hours saved per audit cycle

12

Compliance frameworks

0-100

Evidence score per merge

<2min

Evidence capture per PR

The problem

Compliance is killing engineering velocity

Every merge triggers a documentation scramble. Engineers screenshot CI runs, copy-paste Jira links into spreadsheets, and chase reviewers for sign-off. Auditors still find gaps months later. MergeWhy captures everything automatically, the moment code merges.

Engineers waste hours on evidence collection instead of shipping
Manual evidence has 35% error rates
Auditors spend weeks requesting missing documentation
Evidence is scattered across GitHub, Jira, Slack, and spreadsheets

400+

Hours per year spent on manual SOX ITGC evidence collection

Source: Screenata

35%

Error rate in manually assembled SOC 2 evidence packages

Source: CyberSierra

99%

Of defense contractors not ready for CMMC certification

Source: CMMC.com

Sept 2026

OSCAL becomes mandatory for FedRAMP submissions

Source: Platform28

How it works

Three steps. Zero config. Instant compliance.

STEP 01

Install the GitHub App

One-click install on your GitHub org. MergeWhy begins listening to pull request events immediately. Works with GitLab too. No config files, no CI pipeline changes.

STEP 02

Engineers merge normally

Every PR merge captures description quality, ticket links, code reviews, CI results, security scans, and deployment data into a Decision Evidence Record (DER) scored 0-100.

STEP 03

Auditors get instant evidence

Compliance evaluations run automatically across 12 frameworks. Evidence is sealed in a cryptographic vault with SHA-256 hashes. Export audit bundles, OSCAL packages, or AuditBoard CSVs.

CI/CD integration

One line in your pipeline. Full compliance report.

Add a single step to any CI provider. MergeWhy evaluates evidence, scores compliance across your frameworks, and reports gaps — all before merge.

GitHub Actions (.github/workflows/ci.yml):

  # Add to your CI workflow
  - name: MergeWhy Evidence Report
    run: npx mergewhy-collector report --framework=soc2,sox-itgc

GitLab CI (.gitlab-ci.yml):

  mergewhy:
    stage: test
    script: npx mergewhy-collector report --framework=soc2

Also works with Jenkins, CircleCI, Azure Pipelines, Bitbucket Pipelines, TeamCity, and any shell-based CI.

mergewhy-collector report (sample output):

  $ npx mergewhy-collector report --framework=soc2,sox-itgc

  MergeWhy Evidence Report · PR #847 · acme/payments
  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
  Evidence Score: 87 / 100
    Description:    Clear rationale (20/20)
    Ticket Links:   PAY-1847 linked (15/15)
    Code Reviews:   2 approvals (15/15)
    CI/CD Evidence: 847 tests pass (22/25)
    AI Assessment:  Low risk (12/15)
    Gap Resolution: ! 1 unresolved (3/10)
  ────────────────────────────────────────────────────
  Compliance:
    SOC 2 Type II  PASS  CC6.1 ✓ CC6.6 ✓ CC7.1 ✓ CC8.1 ✓
    SOX ITGC       PASS  BAI06.01 ✓ BAI06.04 ✓ BAI07.01 ✓
  ────────────────────────────────────────────────────
  Gaps (1):
    MEDIUM  Coverage below 80% threshold (78.2%)
  ────────────────────────────────────────────────────
  Vault: SHA-256 sealed
  Attestation: Ed25519 signed

  ✓ Report complete. Evidence captured and attested.

The Decision Evidence Record

Every merge, fully documented

Each pull request generates a comprehensive evidence record — scored, evaluated against compliance frameworks, and sealed in a tamper-proof vault.

92/100

PR #1204 · acme/payments · Merged 2h ago

Implement PCI tokenization for card storage

by @sarah.chen · 4 files changed · +287 -42 lines

  • Description quality (20/20)
  • Jira ticket PAY-1847 (15/15)
  • 2 approving reviews (15/15)
  • CI: 847 tests, 0 vulns, Snyk clean (25/25)
  • AI risk assessment (12/15)
  • Code coverage: 78% (5/10)

SOC 2 PASS · SOX ITGC PASS · HIPAA PASS · PCI-DSS PASS · CMMC L2 WARN
Vault sealed · SHA-256: a7f3c9e2d1b4... · Immutable evidence snapshot

Evidence scoring

Every PR scored 0-100 on real evidence

Not a vanity metric. Each factor maps directly to what auditors look for during SOC 2 and SOX examinations.

20 pts

Description Quality

Is there a clear rationale for why this change was made? Auditors need documented intent.

15 pts

Ticket Links

Jira, Linear, or GitHub Issues linked. Proves the change was authorized and tracked.

15 pts

Code Reviews

Peer reviews and approvals. Segregation of duties — the author didn't approve their own change.

25 pts

CI/CD Evidence

Tests passing, security scans clean, coverage thresholds met. The largest weight because it's the hardest to fake.

15 pts

AI Assessment

Claude AI evaluates documentation quality, detects scope creep, and flags risk. No LLM? Rule-based fallback.

10 pts

Gap Resolution

Were identified evidence gaps resolved before merge? Shows a culture of compliance.

Proactive gap detection

Find evidence gaps before auditors do

MergeWhy automatically detects 9 types of evidence gaps at merge time and alerts your team via email, Slack, or GitHub Check — before the audit, not during it.

  • Missing description (HIGH)
  • No ticket linked (MEDIUM)
  • Missing code review (HIGH)
  • No approval (CRITICAL)
  • Failed CI checks (CRITICAL)
  • No testing evidence (HIGH)
  • Missing security scan (MEDIUM)
  • Insufficient context (MEDIUM)
  • Unsigned artifact (LOW)

Real-time alerts

Email, Slack, and in-app notifications when gaps are detected. Configurable rules by severity, framework, and repository.

GitHub Check integration

MergeWhy posts evidence scores and gap details directly on your pull requests. Engineers see compliance status before merging.

Team dashboard

Track evidence scores over time. See which repos and engineers need attention. Audit readiness at a glance.

Compliance frameworks

12 frameworks. Per-control evaluation. Every merge.

Each framework has deep per-control evaluation logic — not just checkbox compliance. MergeWhy maps your evidence directly to the controls auditors test.

SOC 2 Type II

CC series

Trust Services Criteria. Change management, access control, encryption.

SOX ITGC

22 COBIT controls

PCAOB AS 2201. Program change management, access, operations, SDLC.

HIPAA

Security Rule

ePHI safeguards. Access controls, audit controls, integrity, transmission.

CMMC L1-L3

17-119 controls

FAR 52.204-21 to NIST 800-171. SPRS scoring for DoD contractors.

FedRAMP

NIST 800-53

Federal cloud authorization. OSCAL 1.1.2 export for submission packages.

NIST 800-53

Full catalog

Federal information systems security controls. Comprehensive evaluation.

ISO 27001

Annex A

Information security management. Risk-based approach to change evidence.

DORA

ICT requirements

EU financial services digital resilience. ICT change management.

PCI-DSS

v4.0

Payment card data security. Change control, access, network security.

GDPR

Article 32

EU data protection. Security of processing, data integrity controls.

SOX 404

COSO framework

Internal controls over financial reporting. Management assessment.

SOC 1

SSAE 18

Service organization controls for financial reporting.

Cryptographic evidence vault

Sealed at merge time. Immutable forever.

When a PR merges, MergeWhy compiles all evidence into a VaultData package — PR metadata, code changes, tickets, reviews, approvals, CI results, AI analysis, compliance evaluations — and seals it with a SHA-256 hash. The evidence cannot be modified after sealing.

Tamper detection

Re-hash stored data anytime to verify nothing has changed. Auditors can independently verify integrity.

Complete evidence chain

Every piece of evidence for every merge — description, tickets, reviews, CI, security scans, AI analysis — in one immutable package.

Audit-ready export

Download vault contents as JSON with integrity proofs. Exportable for external audit tools.

Vault #1204 · SEALED
  • PR metadata
  • Code diff snapshot
  • Ticket references (2)
  • Reviews & approvals (3)
  • CI/CD results
  • AI analysis
  • Compliance evaluations (5)
SHA-256: a7f3c9e2d1b4f6a8e3c5b7d9f1a3c5e7...

Evidence immutable after seal

Cannot be modified, deleted, or tampered with

AI-powered analysis

Claude AI reviews every merge

Three specialized AI functions evaluate each change. No API key? MergeWhy falls back to rule-based analysis — AI is optional, never required.

Risk Assessment

Claude Haiku

Evaluates documentation quality, intent alignment, and change risk. Flags unclear rationale or incomplete descriptions.

Output: Risk level + quality score

Audit Summary

Claude Sonnet

Generates audit-ready narrative summaries explaining what changed, why it changed, and what evidence supports it.

Output: Audit-ready narrative

Scope Creep Detection

Claude Haiku

Compares the stated intent against the actual code diff. Detects when changes go beyond what was described or approved.

Output: Scope alignment score

No vendor lock-in. Supports Anthropic Claude, OpenAI, self-hosted Ollama, or no AI at all. Pluggable LLM provider architecture.

Audit tools

Everything auditors need, ready to export

Audit Bundles

Generate ZIP packages with executive summary, compliance evaluations, control matrix CSV, DER evidence, policies, risks, waivers, and vault hashes. 5 framework-specific presets.

OSCAL 1.1.2 Export

Generate machine-readable OSCAL JSON for FedRAMP and NIST 800-53. System Security Plans, Assessment Results, and Plans of Action & Milestones.

SOX Audit Sampling

Stratified random sampling per PCAOB AS 2201. 4 strata (high-risk, emergency, weekend, standard). Seeded PRNG for reproducible samples.
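One way to implement the stratified, seed-reproducible sampling described above, as an added example and not MergeWhy's sampler: changes are bucketed into the four strata named on the page, each bucket is shuffled with a seeded PRNG, and the first n of each are taken. The stratum rules, record fields, per-stratum sizes and the sample population are assumptions.

```javascript
// Added example, not MergeWhy's own code: stratified random sampling of merged
// changes with a seeded PRNG so an auditor can reproduce the sample from the seed.
// Strata rules, record fields, sizes and the population below are assumed.

// mulberry32: small seeded 32-bit PRNG. Reproducibility, not unpredictability,
// is the goal, so a non-cryptographic generator is the right tool here.
function mulberry32(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Assign each change to exactly one stratum; the first matching rule wins, so an
// emergency change merged on a weekend is sampled as "emergency", not "weekend".
function stratum(change) {
  if (change.emergency) return 'emergency';
  if (change.riskLevel === 'high') return 'high-risk';
  const day = new Date(change.mergedAt).getUTCDay();
  if (day === 0 || day === 6) return 'weekend';
  return 'standard';
}

// Fisher-Yates shuffle driven by the seeded PRNG; take the first n afterwards.
function sampleFrom(items, n, rand) {
  const arr = items.slice();
  for (let i = arr.length - 1; i > 0; i--) {
    const j = Math.floor(rand() * (i + 1));
    [arr[i], arr[j]] = [arr[j], arr[i]];
  }
  return arr.slice(0, n);
}

// sizes: how many changes to pull from each stratum. Returns PR numbers per stratum.
function stratifiedSample(changes, sizes, seed) {
  const rand = mulberry32(seed);
  const groups = { 'high-risk': [], emergency: [], weekend: [], standard: [] };
  for (const c of changes) groups[stratum(c)].push(c);
  const result = {};
  for (const name of Object.keys(groups)) {
    // Sort by PR number first so the sample depends only on the data and the seed,
    // not on the order records happened to come back from the database.
    const ordered = groups[name].sort((a, b) => a.pr - b.pr);
    result[name] = sampleFrom(ordered, sizes[name] || 0, rand).map((c) => c.pr);
  }
  return result;
}

// Constructed population of merged changes (2026-03-07 and 03-08 are a weekend).
const CHANGES = [
  { pr: 101, riskLevel: 'high', emergency: false, mergedAt: '2026-03-09T10:00:00Z' },
  { pr: 102, riskLevel: 'low', emergency: true, mergedAt: '2026-03-10T09:30:00Z' },
  { pr: 103, riskLevel: 'low', emergency: false, mergedAt: '2026-03-07T14:00:00Z' },
  { pr: 104, riskLevel: 'low', emergency: false, mergedAt: '2026-03-10T16:20:00Z' },
  { pr: 105, riskLevel: 'low', emergency: false, mergedAt: '2026-03-11T11:45:00Z' },
  { pr: 106, riskLevel: 'high', emergency: false, mergedAt: '2026-03-08T08:15:00Z' },
  { pr: 107, riskLevel: 'medium', emergency: false, mergedAt: '2026-03-12T13:00:00Z' },
  { pr: 108, riskLevel: 'low', emergency: false, mergedAt: '2026-03-08T19:05:00Z' },
];
const SIZES = { 'high-risk': 2, emergency: 1, weekend: 1, standard: 2 };
```

Record the seed alongside the sample in the audit workpapers; rerunning stratifiedSample(CHANGES, SIZES, seed) on the same population yields the identical selection.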

SPRS Scoring

DoD Supplier Performance Risk System scoring for CMMC. Start at 110, subtract weighted deductions. Grades A-F, risk levels, full deduction breakdown.

AuditBoard Export

Generate AuditBoard-compatible CSV packages for SOX ITGC Visual Import. 3 CSVs: changes, control testing, evidence gaps. All 22 COBIT controls mapped.

External Auditor Portal

Read-only compliance portal for external auditors. Time-limited shareable links. Framework filter, evidence quality metrics, PDF export.

Integrations

Connects to your entire toolchain

Pull evidence from where your team already works. Source control, project management, communication, cloud infrastructure — all feeding into your compliance posture.

GitHub

GA

Source Control

GitHub App with webhook processing. PR events, reviews, CI checks, deployments.

GitLab

GA

Source Control

Full GitLab integration via OAuth. Merge requests, notes, pipelines, builds.

Jira

GA

Project Management

OAuth integration. Ticket enrichment and traceability for every change.

Slack

GA

Communication

Thread enrichment and real-time gap alert notifications.

AWS

GA

Cloud Infrastructure

CloudTrail, Config, GuardDuty, IAM MFA, S3 encryption, security groups, RDS.

GCP

GA

Cloud Infrastructure

IAM policies, audit logs, KMS encryption, VPC firewall, Security Command Center.

Azure

GA

Cloud Infrastructure

Entra ID MFA, storage encryption, NSGs, Activity Logs, Defender for Cloud.

Google Workspace

Beta

Identity

OAuth2 + Admin SDK for identity and access evidence.

CI/CD integration

One CLI. Every CI system. Zero config.

npx mergewhy auto-detects your CI provider, commit, repo, and PR — then records attestations, artifacts, and deployment gates automatically.

GitHub Actions (.github/workflows/ci.yml):

  # Add after your test step
  - name: Record test results
    run: |
      npx mergewhy attest \
        --type TEST_RESULTS \
        --name "Unit Tests" \
        --passed
  - name: Deployment gate
    run: |
      npx mergewhy gate \
        --env production \
        --min-score 80

GitLab CI (.gitlab-ci.yml):

  evidence:
    stage: test
    script:
      - npx mergewhy attest
          --type SECURITY_SCAN
          --name "Snyk"
          --passed
  deploy_gate:
    stage: deploy
    script:
      - npx mergewhy gate
          --env production
          --min-score 80

Jenkins (Jenkinsfile):

  stage('Evidence') {
    steps {
      sh 'npx mergewhy attest \
        --type TEST_RESULTS \
        --name "Integration" \
        --passed'
    }
  }
  stage('Gate') {
    steps {
      sh 'npx mergewhy gate \
        --env production \
        --min-score 80'
    }
  }

  • mergewhy attest: Generic, JUnit, Snyk, SonarQube, Jira, PR verification
  • mergewhy artifact: SHA-256 fingerprinted build artifacts with provenance
  • mergewhy gate: Block deploys below your evidence score threshold
  • mergewhy snapshot: Docker, K8s, ECS, Lambda, S3, Azure, filesystem paths
  • mergewhy deploy: Record deployment events with environment tracking
  • mergewhy approve: Request, report, and verify deployment approvals
  • mergewhy trail: End-to-end delivery trails across your pipeline
  • mergewhy flow: Define and manage delivery flows with templates
  • mergewhy policy: Create and attach compliance policies to environments
  • mergewhy fingerprint: Calculate SHA-256 for files, directories, or images
  • mergewhy search: Find any artifact by fingerprint or commit SHA
  • mergewhy sbom: Submit SPDX or CycloneDX Software Bill of Materials

20 commands. 8 CI providers auto-detected. Also supports: CircleCI, Azure Pipelines, Bitbucket Pipelines, TeamCity, Travis CI.

Why MergeWhy

MergeWhy vs Kosli — head to head

Kosli raised $13.1M and counts Deutsche Bank as a customer. They track what changed. MergeWhy tracks why it changed — and evaluates compliance automatically.

Feature                 | MergeWhy                                  | Kosli
Compliance Frameworks   | 12 (SOC 2, SOX, CMMC, FedRAMP, HIPAA...)   | 0
AI Change Analysis      | Claude + OpenAI + Ollama                  |
OSCAL Export (FedRAMP)  |                                           |
Self-hosted Deployment  | Docker + K8s                              | SaaS only
Runtime Snapshots       | Docker, K8s, ECS, Lambda                  | Docker, K8s
Deployment Gates        |                                           |
Evidence Scoring        | 0-100 with breakdown                      |
Audit Bundle Export     | ZIP + AuditBoard CSV                      |
SOX Audit Sampling      | PCAOB AS 2201                             |
Auto-capture from PR    | Zero-config                               | Requires CLI setup
Pricing                 | Transparent, self-serve                   | Custom / opaque

(Cells that held only a yes/no icon on the original page are left blank.)

Bottom line: Kosli tells you what changed. MergeWhy tells you why it changed, evaluates it against 12 compliance frameworks, and seals the evidence in a cryptographic vault — automatically.

Comparison based on publicly available documentation as of March 2026.

Runtime visibility

Know exactly what's running in every environment

Capture point-in-time snapshots of your running infrastructure across 8 environment types. See every container, image digest, and version — then diff between snapshots to detect drift.

Docker

containers, images, digests

Kubernetes

pods, namespaces, replicas

AWS ECS

tasks, services, definitions

AWS Lambda

functions, runtimes, SHA-256

AWS S3

buckets, objects, ETags

Azure

Web Apps, Function Apps

Filesystem

paths, hashes, manifests

Multi-path

config-driven batch scan

mergewhy snapshot (sample output):

  $ mergewhy snapshot docker --env production
  Capturing running containers...
    api-server    sha256:a1b2c3d4  running
    web-frontend  sha256:e5f6a7b8  running
    worker        sha256:c9d0e1f2  running
    redis         sha256:34a5b6c7  running
  ✓ Snapshot captured: 4 artifacts in production
    id: snap_8f2a4b1c

  Diff vs previous snapshot:
    + web-frontend  sha256:e5f6a7b8  (was: sha256:0102abcd)
    ~ worker        sha256:c9d0e1f2  (was: sha256:3456efgh)

Governance

Policies, risks, vendors, and waivers

Complete governance layer beyond just code changes. Document policies, track risks, manage vendors, and handle compliance waivers — all tied to your evidence.

Policy Management

AI-powered policy drafting across 13 frameworks and 9 categories. Version tracking and compliance mapping.

Risk Register

Track and categorize risks with severity, likelihood, and mitigation plans. Linked to compliance controls.

Vendor Management

Full vendor CRUD with security assessments. Track third-party risk and compliance status.

Compliance Waivers

Formal waiver workflow with expiration dates, justification, and audit trail. Control-level exceptions.

Deploy your way

SaaS for speed, self-hosted for control, air-gapped for classified environments.

SaaS Cloud

Managed hosting with Clerk auth, automatic updates, and zero infrastructure overhead. Start in 2 minutes.

  • Clerk SSO
  • Automatic updates
  • Managed PostgreSQL
  • Zero ops

Self-Hosted

Docker Compose or Kubernetes Helm chart. Bring your own OIDC provider, S3 storage, and LLM.

  • Any OIDC provider
  • S3/MinIO storage
  • Ollama local AI
  • Helm chart included

Air-Gapped Collector

Client-side Docker agent runs inside your network. Source code never leaves. Ed25519 signed attestations pushed to MergeWhy.

  • Data sovereignty
  • Ed25519 signatures
  • 479 KB binary
  • K8s health probes

30+ dashboard pages

A complete compliance operating system

Home Dashboard

Audit readiness banner, evidence trends, repository leaderboard, activity sparkline.

Decision Evidence Records

Full DER list with search, filters, and detail pages showing every piece of evidence.

Repository Overview

Per-repo evidence scores, gap trends, and compliance status across all frameworks.

CI/CD Pipelines

Pipeline runs with step-by-step breakdown. Test, security, lint, build, deploy tracking.

Compliance Readiness

Cross-framework readiness overview. See your posture across all enabled frameworks.

Framework Control Detail

Per-control drill-down for any framework. See which DERs pass or fail each control.

FedRAMP Dashboard

NIST 800-53 control families with readiness scores and OSCAL export.

CMMC Assessment

Multi-level self-assessment wizard with SPRS scoring for DoD contractors.

SOX Sampling

Stratified random sampling for SOX ITGC audits. PCAOB AS 2201 methodology.

Evidence Vault

Browse sealed vaults. Verify integrity. Download evidence packages.

Audit Bundle Generator

Framework-specific ZIP packages with presets for SOC 2, SOX, CMMC, FedRAMP.

Control Testing

Execute and track control test results. Map tests to framework controls.

Audit Log

Complete activity timeline. Every action logged with user, timestamp, and details.

Reports & Analytics

Evidence trends, compliance scores over time, team performance metrics.

Settings & Integrations

5-tab settings: General, Compliance, Integrations, Notifications, Developer.

Knowledge Base

Ask questions in plain English

No more clicking through dashboards. Ask natural language questions about your DERs, policies, risks, compliance, vendors, and waivers. AI searches across 7 data sources and returns answers with source citations.

Example questions:
  • Show me all deploys without approval this month
  • Which PRs are missing ticket links?
  • What is our SOC 2 compliance status?
  • How many evidence gaps are unresolved?

Q: Which frameworks are we failing?

A: You have 4 frameworks tracked. SOC 2 and HIPAA are passing with scores above 85%. CMMC L2 has 3 failing controls related to MFA enforcement. SOX ITGC is at 78% with 2 change management gaps.

Source citation: compliance (4 frameworks · 2 need attention)
Deployment gate

Block non-compliant deploys

Add a single API call to your CI/CD pipeline. MergeWhy evaluates evidence scores, compliance status, and vault integrity before allowing deployment. Non-compliant changes are blocked automatically.

  • Minimum evidence score threshold (configurable 0-100)
  • Framework-specific compliance pass rate (SOC 2, SOX, etc.)
  • Critical gap blocking — zero tolerance for CRITICAL severity
  • Vault seal verification — ensure evidence is immutable before deploy
  • Works with GitHub Actions, GitLab CI, Jenkins, any CI/CD tool

Example (deployment-pipeline):

  $ curl -H "Authorization: Bearer $KEY" \
      "https://mergewhy.com/api/v1/gate?min-score=80"
  {
    "allowed": true,
    "averageScore": 87,
    "criticalGaps": 0,
    "vaultSealedPercent": 100,
    "compliancePassPercent": 94
  }

Supply chain security

SBOM ingestion and software supply chain evidence

Ingest CycloneDX and SPDX SBOMs via API. MergeWhy extracts component counts, license distributions, and vulnerability summaries — linking them to the exact PR that introduced each dependency.

CycloneDX & SPDX

Native support for both industry-standard SBOM formats. Component-level license and vulnerability tracking.

Vulnerability Correlation

Critical and high vulnerabilities flagged automatically. Linked to the PR and DER that introduced the dependency.

Signed Attestations

Ed25519 signed build provenance. Every SBOM, test result, and security scan cryptographically attested.

Simple, transparent pricing

Start free. Upgrade when you're ready.

Billing: Monthly / Annual (save 20%)

Pilot

$0 forever

For individual developers exploring compliance.

  • 3 repositories
  • 1 framework
  • Evidence scoring
  • Gap detection
  • Community support

Starter

$239/mo

For small teams getting audit-ready.

  • 10 repositories
  • 3 frameworks
  • AI analysis
  • Evidence vault
  • Audit bundles
  • Email support

Growth (Popular)

$799/mo

For scaling teams with multiple frameworks.

  • Unlimited repositories
  • All 12 frameworks
  • OSCAL export
  • SOX sampling
  • AuditBoard export
  • Cloud integrations (AWS/GCP/Azure)
  • Slack + Jira
  • Outbound webhooks
  • Priority support

Enterprise

Custom

For regulated enterprises and government.

  • Everything in Growth
  • Self-hosted deployment
  • Air-gapped collector
  • SSO / OIDC (Okta, Azure AD, Keycloak)
  • Dedicated support
  • Custom SLAs
  • On-prem training

Ready to automate compliance evidence?

Stop assembling evidence manually. Start capturing it the moment code merges. 12 frameworks. Zero effort. Audit-ready from day one.