Compliance Framework

SOC 2 Type II — continuously.

MergeGuide maps SOC 2 Trust Services Criteria to code-level controls, enforces them at every layer of your development workflow, and generates audit-ready evidence artifacts automatically — from first commit to final report.

The SOC 2 audit problem

SOC 2 Type II requires organizations to demonstrate that controls were operating continuously over the audit period — typically 6 to 12 months. The problem: most evidence collection happens at audit time, not continuously.

Engineers write code. Audits happen months later. By then, evidence is reconstructed from memory, logs are incomplete, and control gaps are discovered after the fact. The audit becomes an emergency cleanup project.

MergeGuide flips the model: SOC 2 controls are enforced at code creation time. Evidence accumulates automatically throughout the development cycle. When the auditor arrives, the evidence is already prepared — complete, signed, and mapped to TSC controls.

TSC coverage

MergeGuide templates cover all applicable Trust Services Criteria with code-level detection patterns:

  • CC6.1 Logical access
  • CC6.2 Authentication
  • CC6.3 Access removal
  • CC6.6 External access
  • CC6.7 Data at rest
  • CC6.8 Malicious code
  • CC7.1 Change management
  • CC7.2 Configuration
  • CC8.1 Change authorization
  • A1.1 Availability
  • C1.1 Confidentiality
  • PI1.1 Processing integrity
  • P3.1 Personal information

How MergeGuide enforces SOC 2


IDE layer — write time

VS Code diagnostics flag CC6.1 (access control), CC6.7 (encryption), and CC6.8 (injection vulnerabilities) before a line is saved. Developers see the violation and the TSC control reference inline.


AI layer — generation time

When a developer asks their AI assistant to generate code, MergeGuide's MCP server injects the active SOC 2 policy set into the AI's context. The AI assistant won't generate code that violates your mapped controls.


Git + PR — commit time

Pre-commit hooks catch violations before they reach the remote. PR gates block merges. Each evaluation generates a signed evidence artifact mapped to the TSC controls evaluated.

Evidence that satisfies auditors

SOC 2 auditors require proof that controls operated continuously. MergeGuide evidence artifacts are purpose-built for this requirement.

Each artifact contains

  • Cryptographic commit hash (tamper-evident)
  • UTC timestamp with millisecond precision
  • Actor identity (who triggered evaluation)
  • Complete TSC control mapping for every policy evaluated
  • Pass / fail / exception disposition with justification
  • Cryptographic signature verified on every read
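As an added illustration (example code, not MergeGuide's own artifact format or implementation), here is a minimal signed evidence artifact that carries the fields listed above and is verified on every read. It assumes canonical JSON and an HMAC-SHA256 tag under a key held by the evidence service; that is a stand-in chosen for this example, since a real deployment would more likely use an asymmetric signature so an auditor can verify without holding the signing key. Field names, policy names, the commit hash and the sample evaluations are all constructed.

```python
"""Signed SOC 2 evidence artifact (illustrative; not MergeGuide's format).

Assumption: canonical JSON body + HMAC-SHA256 tag under a service-held key.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed key for the example; a real service would load it from a KMS/HSM.
SIGNING_KEY = b"example-evidence-signing-key"
DISPOSITIONS = {"pass", "fail", "exception"}


def canonical_json(obj):
    """Deterministic encoding so the same artifact always signs the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def build_artifact(commit_hash, actor, evaluations, timestamp=None):
    """Assemble the unsigned artifact: commit hash, UTC ms timestamp, actor,
    and one entry per policy with its TSC mapping and disposition.
    A fail or exception without a justification is rejected."""
    for ev in evaluations:
        if ev.get("disposition") not in DISPOSITIONS:
            raise ValueError(f"{ev.get('policy')}: unknown disposition")
        if ev["disposition"] != "pass" and not ev.get("justification"):
            raise ValueError(f"{ev.get('policy')}: fail/exception needs a justification")
        if not ev.get("controls"):
            raise ValueError(f"{ev.get('policy')}: no TSC control mapping")
    if timestamp is None:
        timestamp = datetime.now(timezone.utc).isoformat(timespec="milliseconds")
    return {"commit": commit_hash, "timestamp": timestamp,
            "actor": actor, "evaluations": evaluations}


def sign_artifact(artifact, key=SIGNING_KEY):
    tag = hmac.new(key, canonical_json(artifact), hashlib.sha256).hexdigest()
    return {"artifact": artifact, "signature": tag}


def verify_artifact(signed, key=SIGNING_KEY):
    expected = hmac.new(key, canonical_json(signed["artifact"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed.get("signature", ""))


def read_artifact(signed, key=SIGNING_KEY):
    """Verify on every read: never hand back contents whose tag does not check."""
    if not verify_artifact(signed, key):
        raise ValueError("evidence artifact signature mismatch")
    return signed["artifact"]


def controls_covered(signed):
    """Sorted TSC controls attested by a verified artifact."""
    art = read_artifact(signed)
    return sorted({c for ev in art["evaluations"] for c in ev["controls"]})


# Constructed sample data (placeholder commit hash, hypothetical policy names).
SAMPLE_COMMIT = "0123456789abcdef0123456789abcdef01234567"
SAMPLE_EVALUATIONS = [
    {"policy": "no-hardcoded-secrets", "controls": ["CC6.1"], "disposition": "pass"},
    {"policy": "parameterized-queries", "controls": ["CC6.8"], "disposition": "pass"},
    {"policy": "iam-no-wildcards", "controls": ["CC6.1"], "disposition": "exception",
     "justification": "break-glass role, ticket SEC-0000 (placeholder), expires 2024-02-01"},
]


def sample_signed_artifact():
    art = build_artifact(SAMPLE_COMMIT, "dev@example.com", SAMPLE_EVALUATIONS,
                         timestamp="2024-01-15T10:30:00.000+00:00")
    return sign_artifact(art)


def tamper_is_detected():
    """Flipping an exception to a pass after signing must fail verification."""
    signed = sample_signed_artifact()
    tampered = json.loads(json.dumps(signed))  # deep copy
    tampered["artifact"]["evaluations"][2]["disposition"] = "pass"
    return verify_artifact(signed) and not verify_artifact(tampered)


def rejects_unjustified_failure():
    try:
        build_artifact(SAMPLE_COMMIT, "dev@example.com",
                       [{"policy": "x", "controls": ["CC6.1"], "disposition": "fail"}])
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(json.dumps(sample_signed_artifact(), indent=2))
    print("tamper detected:", tamper_is_detected())
```

The verify-on-read discipline is the part worth copying: consumers (the OSCAL exporter, the auditor portal) call read_artifact and never touch the JSON body directly, so a silently edited record cannot be exported as evidence.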

OSCAL SSP export

MergeGuide generates a complete OSCAL System Security Plan (SSP) from your evidence artifacts. The SSP maps your controls to NIST SP 800-53 and SOC 2 TSC, ready for direct submission to auditors or import into your GRC tool.

  • OSCAL-native format (not PDF)
  • Importable into Drata, Vanta, Tugboat Logic, and RegScale
  • Covers all evidence collected during audit period
  • Signed at export — tamper-proof for auditor delivery

Detection patterns for SOC 2

Selected examples of what MergeGuide catches. These patterns run on every commit, across all 13 supported languages.

TSC Control   What MergeGuide Detects                                          Severity
CC6.1         Hardcoded credentials, secrets in source code                    Critical
CC6.1         Overprivileged IAM roles in IaC (wildcard permissions)           High
CC6.2         Disabled MFA in auth configuration                               High
CC6.7         Unencrypted data at rest (S3 buckets, RDS without encryption)    High
CC6.7         TLS 1.0/1.1 protocol usage                                       High
CC6.8         SQL injection patterns (unparameterized queries)                 Critical
CC6.8         Unsanitized user input in output rendering                       High
CC7.1         Unreviewed dependency additions (no lockfile update)             Medium
CC8.1         Force push to protected branches in CI scripts                   Medium
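To make the table concrete, here is an added example (not MergeGuide's detection engine) of three of these rules written as simple Python checks over constructed inputs: a wildcard IAM policy statement (CC6.1, High), a hardcoded credential in source (CC6.1, Critical), and a legacy TLS protocol setting (CC6.7, High), followed by a merge gate that blocks on Critical or High findings. The rule names, regular expressions, finding format and sample files are assumptions made for this example, and the matching is deliberately line-based; a production scanner parses the language rather than grepping lines.

```python
"""Toy SOC 2 detection rules (illustrative; not MergeGuide's engine).

Each finding carries the TSC control it maps to and a severity, mirroring the
table above. All inputs are constructed samples.
"""
import json
import re

# Constructed IAM policy: one scoped statement, one wildcard statement.
SAMPLE_IAM_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::reports/*"},
        {"Effect": "Allow", "Action": ["iam:*"], "Resource": "*"},
    ],
})

# Constructed source file: one literal password, one env lookup, one key-shaped literal.
SAMPLE_SOURCE = '''\
import os
DB_PASSWORD = "hunter2hunter2"        # hardcoded secret
api_key = os.environ["API_KEY"]       # fine: read from the environment
AWS_KEY = "AKIAEXAMPLEKEY000000"      # placeholder-shaped access key id
'''

# Constructed web server config that still offers TLS 1.0 and 1.1.
SAMPLE_NGINX = '''\
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
'''

# Assumed patterns: assignment of a quoted literal to a secret-like name,
# an AWS access key id shape, and TLS 1.0/1.1 (but not 1.2/1.3).
SECRET_ASSIGNMENT = re.compile(
    r"""(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*["'][^"']{8,}["']""")
AWS_ACCESS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
LEGACY_TLS = re.compile(r"\bTLSv?1(?:\.0|\.1)?\b(?!\.[23])")


def finding(control, severity, where, message):
    return {"control": control, "severity": severity, "where": where, "message": message}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def scan_iam_policy(policy_json):
    """CC6.1: flag Allow statements with wildcard actions or a '*' resource."""
    findings = []
    statements = _as_list(json.loads(policy_json).get("Statement"))
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        wild = [a for a in actions if a == "*" or a.endswith(":*")]
        if wild or "*" in resources:
            findings.append(finding("CC6.1", "High", f"Statement[{i}]",
                                    f"wildcard permissions: actions={wild} resources={resources}"))
    return findings


def scan_source(text):
    """CC6.1 hardcoded secrets and CC6.7 legacy TLS, one finding per rule per line."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if SECRET_ASSIGNMENT.search(line) or AWS_ACCESS_KEY_ID.search(line):
            findings.append(finding("CC6.1", "Critical", n, "hardcoded credential or secret"))
        if LEGACY_TLS.search(line):
            findings.append(finding("CC6.7", "High", n, "TLS 1.0/1.1 enabled"))
    return findings


def blocks_merge(findings, blocking=("Critical", "High")):
    """PR gate: any Critical or High finding blocks the merge."""
    return any(f["severity"] in blocking for f in findings)


def scan_all():
    return scan_iam_policy(SAMPLE_IAM_POLICY) + scan_source(SAMPLE_SOURCE) + scan_source(SAMPLE_NGINX)


if __name__ == "__main__":
    results = scan_all()
    for f in results:
        print(f"{f['control']:<6} {f['severity']:<9} {f['where']!s:<13} {f['message']}")
    print("merge blocked:", blocks_merge(results))
```

Mapping each finding to a control id at detection time is what makes the later evidence step cheap: the artifact for a commit can list exactly which TSC controls were evaluated and with what disposition, rather than reconstructing that mapping at audit time.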

Ready to make SOC 2 continuous?

See how MergeGuide integrates into your development workflow and starts accumulating audit-ready evidence from day one.
