
Every AI-generated code change. Reviewed. Logged. Audit-ready.

Tamper-proof governance for every pull request. Starts at $499/mo -- less than your Drata bill.

Judgment receipts for every PR · Deploys as a GitHub Action · Works with your existing pipeline
SOC 2 · DORA · HIPAA · PCI DSS · EU AI Act · ISO 27001

AI is writing your code. Who is proving it was reviewed?

Your engineering teams adopted AI code generation. Cursor, Copilot, Claude, and internal agents produce an increasing share of every deployment. Development velocity has never been higher.

But governance has not kept up.

When an auditor asks "show me the review trail for this deployment," your team produces a GitHub approval click -- a single button press with no evidence of what was actually evaluated. That is not governance. That is a checkbox.

When AI-generated code causes a data breach, a compliance failure, or a regulatory violation, the question will not be "did someone click Approve?" The question will be "can you prove the change was properly reviewed, by whom, and what they found?" If you cannot answer that question with structured, tamper-proof evidence, you have a liability gap.

Judgment receipts: structured proof that governance happened.

GuardSpine produces a signed evidence bundle for every code change that passes through your CI/CD pipeline. Each bundle contains:

  • Risk tier assigned: L0-L4, based on file sensitivity and change scope
  • Models that reviewed: which AI models evaluated the change, identified by provider, model ID, and version
  • Independent findings: what each model found, categorized by severity
  • Cross-check results: whether models agreed or disagreed after anonymous review of each other's findings
  • Consensus decision: the final verdict (merge, conditions, or block) with agreement score
  • Hash chain: SHA-256 hashes linking every element. If any component is altered after the fact, the chain breaks and verification fails. Verify offline with guardspine-verify (open source).

Judgment Receipt

February 19, 2026 at 02:32 PM UTC

PR #47: Add user authentication middleware by sarah-eng in acme-corp/payments-api

Risk Assessment: L3

Review Panel
  • Claude Sonnet 4.5 (Anthropic): Request Changes
  • GPT-4o (OpenAI): Approve
  • Gemini 2.5 Flash (Google)

Findings

[high] Missing rate limiting on authentication endpoint

The /auth/login endpoint accepts unlimited requests per IP. An attacker could brute-force credentials without throttling. Add rate limiting middleware (e.g., express-rate-limit) with a maximum of 5 attempts per minute per IP.

src/routes/auth.ts:34

[medium] Session token entropy below recommended threshold

Session tokens are generated using Math.random(), which is not cryptographically secure. Use crypto.randomBytes(32) or equivalent CSPRNG for session token generation.

src/middleware/session.ts:12

Consensus: CONDITIONS, 67% agreement (2 of 3 models)
Models: claude-sonnet-4-5, gpt-4o, gemini-2-5-flash

Tamper-evident hash chain (SHA-256)
  • Prompt: a1b2c3d4e5f67890...abcdef01
  • Response: f0e1d2c3b4a59687...3c2d1e0f
  • Bundle: 7c3e8f2a1b4d6e9f...89abcdef

Verify: any modification breaks the chain
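To make the hash-chain claim concrete, here is an added example (not GuardSpine's code, and not the bundle format that guardspine-verify actually checks) of a receipt whose prompt, response, findings and decision are SHA-256 links that each commit to the previous digest; editing any element after the fact breaks verification at that link. The field names and the sample PR #47 data are constructed for this illustration.

```python
import copy
import hashlib
import json

# Illustrative hash-chained evidence bundle; the field layout is an assumption for this example, not guardspine-verify's format.
LINKS = ("prompt", "response", "findings", "decision")

def canonical(obj) -> bytes:
    # Canonical JSON so key order and whitespace cannot change a digest
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def link_hash(prev_hash: str, body) -> str:
    # Each link commits to its own content and to the previous link's digest
    return hashlib.sha256(canonical({"prev": prev_hash, "body": body})).hexdigest()

def build_receipt(prompt, response, findings, decision) -> dict:
    """Chain prompt -> response -> findings -> decision; the last digest is the bundle hash."""
    receipt = {"prompt": prompt, "response": response,
               "findings": findings, "decision": decision, "chain": {}}
    prev = ""  # the prompt link has no predecessor
    for name in LINKS:
        prev = link_hash(prev, receipt[name])
        receipt["chain"][name] = prev
    receipt["chain"]["bundle"] = prev
    return receipt

def verify_receipt(receipt) -> tuple[bool, str]:
    """Recompute every link offline and report the first one that no longer matches."""
    prev = ""
    for name in LINKS:
        prev = link_hash(prev, receipt[name])
        if receipt["chain"].get(name) != prev:
            return False, f"chain broken at '{name}'"
    return (True, "ok") if receipt["chain"].get("bundle") == prev else (False, "chain broken at 'bundle'")

def tamper(receipt, section: str, key, value) -> tuple[bool, str]:
    # Post-hoc edit of one element without rebuilding the chain; verification must fail
    forged = copy.deepcopy(receipt)
    forged[section][key] = value
    return verify_receipt(forged)

# Constructed sample mirroring the PR #47 receipt shown above
RECEIPT = build_receipt(
    prompt={"pr": 47, "repo": "acme-corp/payments-api", "risk_tier": "L3"},
    response={"claude-sonnet-4-5": "request_changes", "gpt-4o": "approve"},
    findings=[{"severity": "high", "title": "Missing rate limiting on authentication endpoint",
               "loc": "src/routes/auth.ts:34"}],
    decision={"verdict": "conditions", "agreement": "2 of 3"},
)
```

`verify_receipt(RECEIPT)` returns `(True, "ok")`, while `tamper(RECEIPT, "decision", "verdict", "merge")` reports the break at the decision link and downgrading a finding's severity reports it at the findings link.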

Maps to the frameworks you are already audited against.

SOC 2

Evidence bundles satisfy CC6.1 (logical access), CC8.1 (change management), and CC7.2 (monitoring) control requirements.

DORA

Article 6a requires ICT change management controls for financial entities. GuardSpine produces the governance evidence.

HIPAA

Section 164.312(b) requires audit controls for information systems containing ePHI.

PCI DSS

PCI DSS v4.0 requires documented change control processes (Req 6.5.1) and code review of custom software (Req 6.2.3).

EU AI Act

Articles 9 and 17 require risk management and quality management for AI systems.

ISO 27001

Annex A.12.1.2 (change management) and A.14.2.2 (secure development policy) require documented change control.

GuardSpine does not replace your compliance platform. Vanta and Drata prove your infrastructure is configured correctly. GuardSpine proves your code changes were governed. They are complementary.

Your engineers install a GitHub Action. You get the dashboard.

For your engineering team:

  • One YAML file added to the repository
  • Reviews trigger automatically on every pull request
  • Models run in the pipeline using the team's own API keys (BYOK)
  • Results appear as PR comments -- no new tool to learn

For you:

  • Cloud dashboard with PR history, risk distribution, and finding trends
  • Slack notifications for high-risk findings and approval requests
  • Evidence management: search, filter, export (JSON + CSV) for audit prep
  • Audit log with 90-day retention (1-year on Team, 3-year on Org)

The adoption problem is solved by design. Your engineers do not need to learn a new tool or change their workflow. They add a YAML file and keep working the way they already work. You get structured evidence without creating organizational friction.

Share with your engineering team: guardspine.dev/dev

You should not trust a proprietary tool to audit your code.

The GuardSpine review engine is open source (MIT license). Every line of code that evaluates your pull requests, assigns risk tiers, runs model deliberation, and generates evidence bundles is publicly auditable.

This is a structural decision, not a marketing tactic. A governance tool that cannot be independently verified is asking you to trust the vendor's word that governance happened. That defeats the purpose. Open source means your security team, your auditors, or any third party can read the code and confirm it does what it claims.

The business is built on the platform layer above the engine: dashboard, integrations, compliance reporting, rubric management, and support. The engine is free and open. The platform is where the subscription lives.

GitHub: github.com/DNYoussef/codeguard-action · 172 automated tests · MIT license

Starts at less than your Drata bill.

Most Popular

Starter

$399/mo
billed annually · $4,788/yr
  • Tamper-proof audit trail for every PR
  • Cloud dashboard with risk analytics
  • Slack alerts for findings and approvals
  • Evidence management (search, export)
  • Standard rubric library
  • Up to 10 repos, 25 contributors
  • Email support (48-hour SLA)

Team

$1,600/mo
billed annually · $19,200/yr
  • Everything in Starter, plus:
  • Custom governance rules (rubric builder)
  • Jira integration (tickets from findings)
  • Microsoft Teams notifications
  • Compliance report templates (SOC2, DORA, HIPAA)
  • Unlimited repos and contributors
  • Priority support (4-hour SLA)

Org

$10,000/mo
billed annually · $115,200/yr
  • Everything in Team, plus:
  • Multi-team RBAC
  • ServiceNow integration
  • SSO/SAML
  • Advanced compliance dashboards
  • Dedicated CSM
  • 3-year audit log retention

Enterprise

Custom
  • On-prem and air-gapped deployment
  • Custom integrations
  • 99.9% SLA
  • Compliance consulting

All tiers include the same open-source review engine. Customers bring their own model API keys (BYOK) -- GuardSpine never touches your AI inference costs. Platform fee, not per-seat. Govern every PR from day one.
