
Every AI-generated code change. Reviewed. Logged. Audit-ready.

Tamper-proof governance for every pull request. Starts at $499/mo -- less than your Drata bill.

  • Judgment receipts for every PR
  • Deploys as a GitHub Action
  • Works with your existing pipeline

  • Maps to 6 compliance frameworks
  • Evidence verified offline
  • Open-source engine on GitHub

Frameworks: SOC 2, DORA (Roadmap), HIPAA, PCI DSS, EU AI Act (Roadmap), ISO 27001 (Roadmap)

Structured proof that governance happened.


AI is writing your code. Who is proving it was reviewed?

Your engineering teams adopted AI code generation. Cursor, Copilot, Claude, and internal agents produce an increasing share of every deployment. Development velocity has never been higher.

But governance has not kept up.

The governance gap

Every PR approved with a single click is a liability you cannot defend in an audit. GuardSpine closes that gap with structured, tamper-proof evidence on every merge.

When an auditor asks "show me the review trail for this deployment," your team produces a GitHub approval click -- a single button press with no evidence of what was actually evaluated. That is not governance. That is a checkbox.

When AI-generated code causes a data breach, a compliance failure, or a regulatory violation, the question will not be "did someone click Approve?" The question will be "can you prove the change was properly reviewed, by whom, and what they found?" If you cannot answer that question with structured, tamper-proof evidence, you have a liability gap.

Judgment receipts: structured proof that governance happened.

GuardSpine produces a signed evidence bundle for every code change that passes through your CI/CD pipeline. Each bundle contains:

  • Risk tier assigned: L0-L4, based on file sensitivity and change scope
  • Models that reviewed: which AI models evaluated the change, identified by provider, model ID, and version
  • Independent findings: what each model found, categorized by severity
  • Cross-check results: whether models agreed or disagreed after anonymous review of each other's findings
  • Consensus decision: the final verdict (merge, conditions, or block) with agreement score
  • Hash chain: SHA-256 hashes linking every element. If any component is altered after the fact, the chain breaks and verification fails. Verify offline with guardspine-verify (open source).

Judgment Receipt

February 19, 2026 at 02:32 PM UTC

PR #47: Add user authentication middleware by sarah-eng in acme-corp/payments-api

Risk Assessment: L3

Review Panel:
  • Claude Sonnet 4.5 (Anthropic): Request Changes
  • GPT-4o (OpenAI): Approve
  • Gemini 2.5 Flash (Google)

Findings:

[high] Missing rate limiting on authentication endpoint

The /auth/login endpoint accepts unlimited requests per IP. An attacker could brute-force credentials without throttling. Add rate limiting middleware (e.g., express-rate-limit) with a maximum of 5 attempts per minute per IP.

src/routes/auth.ts:34

[medium] Session token entropy below recommended threshold

Session tokens are generated using Math.random(), which is not cryptographically secure. Use crypto.randomBytes(32) or equivalent CSPRNG for session token generation.

src/middleware/session.ts:12

[critical] Hardcoded API key detected

Line 8 contains a string matching the pattern for a Stripe secret key (sk_live_...). Hardcoded secrets in source code can be extracted from version history even after removal.

src/config/payments.ts:8

[low] Consider adding Content-Security-Policy header

The authentication response does not set a CSP header. While not exploitable in this context, adding CSP is a defense-in-depth measure for browser-based auth flows.

src/routes/auth.ts:71

Consensus: CONDITIONS, 67% agreement (2 of 3 models)
  • claude-sonnet-4-5
  • gpt-4o
  • gemini-2-5-flash

Tamper-evident hash chain (SHA-256):
  • Prompt: a1b2c3d4e5f67890...abcdef01
  • Response: f0e1d2c3b4a59687...3c2d1e0f
  • Bundle: 7c3e8f2a1b4d6e9f...89abcdef

Verify: any modification breaks the chain

See the cryptography behind every judgment receipt.

Maps to the frameworks you are already audited against.

SOC 2

Evidence bundles satisfy CC6.1 (logical access), CC8.1 (change management), and CC7.2 (monitoring) control requirements.

DORA (Roadmap)

Article 6a requires ICT change management controls for financial entities. GuardSpine is designed to support DORA Art.6 evidence collection.

HIPAA

Section 164.312(b) requires audit controls for information systems containing ePHI.

PCI DSS

PCI DSS v4.0 requires documented change control processes (Req 6.5.1) and code review of custom software (Req 6.2.3).

EU AI Act (Roadmap)

Articles 9 and 17 require risk management and quality management for AI systems. GuardSpine is designed to support EU AI Act evidence collection.

ISO 27001 (Roadmap)

Annex A.12.1.2 (change management) and A.14.2.2 (secure development policy) require documented change control. GuardSpine is designed to support ISO 27001 evidence collection.

GuardSpine does not replace your compliance platform. Vanta and Drata prove your infrastructure is configured correctly. GuardSpine proves your code changes were governed. They are complementary.

Your engineers install a GitHub Action. You get the dashboard.

For your engineering team:

  • One YAML file added to the repository
  • Reviews trigger automatically on every pull request
  • Models run in the pipeline using the team's own API keys (BYOK)
  • Results appear as PR comments -- no new tool to learn

For you:

  • Cloud dashboard with PR history, risk distribution, and finding trends
  • Slack notifications for high-risk findings and approval requests
  • Evidence management: search, filter, export (JSON + CSV) for audit prep
  • Audit log with 90-day retention (1-year on Team, 3-year on Org)

The adoption problem is solved by design. Your engineers do not need to learn a new tool or change their workflow. They add a YAML file and keep working the way they already work. You get structured evidence without creating organizational friction.

Share with your engineering team: guardspine.ai/dev

You should not trust a proprietary tool to audit your code.

The GuardSpine review engine is open source (Apache 2.0 license). Every line of code that evaluates your pull requests, assigns risk tiers, runs model deliberation, and generates evidence bundles is publicly auditable.

This is a structural decision, not a marketing tactic. A governance tool that cannot be independently verified is asking you to trust the vendor's word that governance happened. That defeats the purpose. Open source means your security team, your auditors, or any third party can read the code and confirm it does what it claims.

The business is built on the platform layer above the engine: dashboard, integrations, compliance reporting, rubric management, and support. The engine is free and open. The platform is where the subscription lives.

GitHub: github.com/DNYoussef/codeguard-action · 700+ automated tests · Apache 2.0 license

How much un-audited AI code ships every month?

AI-generated code that ships without structured review is compliance liability accumulating every sprint. Move the sliders to see your exposure.

Calculator defaults (slider values): 50, 40%
  • Un-audited lines of code per month: 160,000
  • Estimated annual compliance liability: $230,400
  • GuardSpine: $499/mo (platform fee, not per-seat, not per-repo)

8,000 lines/engineer/month: GitHub Octoverse 2024, adjusted for AI-assisted development. $0.12/unaudited LOC liability: Ponemon Institute, Cost of a Data Breach 2024.

What is inadequate code governance costing you?

Adjust these to match your organization. The math updates instantly.

Calculator defaults (slider values): $500M, 200, 3, 4

Net savings per year: $2.4M (2,080% ROI)
Payback in ~18 days | Org: $120,000/yr
Even at 25% of these estimates: 520% ROI
Regulatory exposure: $2.3M/yr probability-weighted (EU AI Act: up to 7% of turnover, DORA: up to 2%)

Your annual cost without code governance:
  • Audit preparation labor: $134,750
  • Headcount for manual code governance: $195,000
  • Regulatory penalty exposure (probability-weighted): $2.3M
  • Data breach risk (annualized): $1.5M
  • Non-compliance event risk (annualized): $2.7M
  • Revenue delay from slow audit cycles: $173,077
  • Total annual risk exposure: $7.0M

GuardSpine saves you:
  • Audit labor savings (80% automated): $107,800
  • Headcount avoidance: $195,000
  • Regulatory risk reduction (40%): $900,000
  • Breach risk reduction (20%): $306,600
  • Non-compliance avoidance (30%): $813,000
  • Revenue acceleration: $173,077
  • Total annual value: $2.5M
  • Org tier cost: $120,000
  • Net savings: $2.4M

Sources: IDC/Vanta 2025, Forrester TEI/OneTrust 2024, IBM Cost of a Data Breach 2025, Ponemon/GlobalScape 2024, BLS OES 13-1041, EU AI Act Art. 99, DORA Art. 50-51, GDPR Art. 83(5), HIPAA OCR 2026.

Starts at less than your Drata bill.

Most Popular

Starter

$399/mo
billed annually · $4,788/yr
  • Tamper-proof audit trail for every PR
  • Cloud dashboard with risk analytics
  • Slack alerts for findings and approvals
  • Evidence management (search, export)
  • Standard rubric library
  • Up to 10 repos, 25 contributors
  • Email support (48-hour SLA)
Request a demo

Team

$1,600/mo
billed annually · $19,200/yr
  • Everything in Starter, plus:
  • Custom governance rules (rubric builder)
  • Jira integration (tickets from findings)
  • Microsoft Teams notifications
  • Compliance report templates (SOC2, DORA, HIPAA)
  • Unlimited repos and contributors
  • Priority support (4-hour SLA)
Request a demo

Org

$10,000/mo
billed annually · $115,200/yr
  • Everything in Team, plus:
  • Multi-team RBAC
  • ServiceNow integration
  • SSO/SAML
  • Advanced compliance dashboards
  • Dedicated CSM
  • 3-year audit log retention
Request a demo

Enterprise

Custom
  • On-prem and air-gapped deployment
  • Custom integrations
  • 99.9% SLA
  • Compliance consulting
Contact us

All tiers include the same open-source review engine. Customers bring their own model API keys (BYOK) -- GuardSpine never touches your AI inference costs. Platform fee, not per-seat. Govern every PR from day one.

See how GuardSpine produces audit-ready evidence for every code change.
