Compliance pack mapping
Four premium rule packs ship on the Enterprise tier, one per major compliance standard. Each pack is a detection layer built from the rules an auditor would actually check — unencrypted PHI, cardholder data in source, missing access logs, PII in logs.
These packs are not a certification. They are one input to your compliance program, not the program itself.
Pack → Standard, and what each pack detects (action levels as described in the FAQ below)

HIPAA: pack hipaa-compliance (15+ detection rules, merge-blocking)
    PHI field exposure, unencrypted PHI storage, PHI in logs, PHI transmitted over plaintext channels

PCI-DSS: pack pci-dss (15+ detection rules, merge-blocking)
    Credit card numbers in source, CVV storage, weak crypto, missing tokenization, cardholder-data leaks

SOC2: pack soc2-controls (15+ detection rules, warn level)
    Access logging, session management, rate limiting, RBAC, data classification markers

GDPR: pack gdpr-data-handling (15+ detection rules, warn level)
    PII in logs, missing consent records, cross-border data transfers, retention violations
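To make concrete what a "credit card numbers in source" rule has to get right, here is a toy version written for this page. It is an added illustration, not Pullminder's code and not the pci-dss pack's rule syntax, which this page does not show. It scans only the lines a pull request adds, pulls out 13 to 19 digit runs (with optional space or dash grouping), and keeps only those that pass the Luhn check, which is what separates a PAN from the order IDs, request IDs and timestamps that fill a typical diff. The sample diff is constructed for the example.

```python
"""Toy cardholder-data rule over a unified diff.

Illustrative only: not Pullminder's code and not the pci-dss pack's rule format.
Design points a practitioner cares about:
  * scan only added ('+') lines, because a PR rule should flag what the PR introduces;
  * require a Luhn-valid digit run, so random 16-digit ids do not trip the rule;
  * mask the match, so the finding itself does not re-leak the PAN into review
    comments or CI logs.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterator

# Candidate PAN: 13-19 digits, optionally grouped by single spaces or dashes,
# not bordered by further digits (so a 20+ digit run is never a candidate).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
HUNK_HEADER = re.compile(r"@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass
class Finding:
    path: str
    line: int      # line number in the post-change file
    masked: str    # all but the last four digits masked
    action: str    # "block" mirrors the merge-blocking level the page describes


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    return "*" * (len(digits) - 4) + digits[-4:]


def added_lines(diff: str) -> Iterator[tuple[str, int, str]]:
    """Yield (path, new_line_no, text) for every added line in a unified diff."""
    path, new_no = "", 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].strip()
            path = path[2:] if path.startswith("b/") else path
            continue
        if raw.startswith("--- ") or raw.startswith("\\"):
            continue
        m = HUNK_HEADER.match(raw)
        if m:
            new_no = int(m.group(1))
            continue
        if raw.startswith("+"):
            yield path, new_no, raw[1:]
            new_no += 1
        elif not raw.startswith("-"):
            new_no += 1  # unchanged context line also advances the new file


def scan_pan(diff: str) -> list[Finding]:
    findings: list[Finding] = []
    for path, no, text in added_lines(diff):
        for m in PAN_CANDIDATE.finditer(text):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                findings.append(Finding(path, no, mask(digits), "block"))
    return findings


# Constructed sample diff: one Luhn-valid test PAN next to two long ids
# that are not card numbers.
SAMPLE_DIFF = """\
diff --git a/payments/fixtures.py b/payments/fixtures.py
--- a/payments/fixtures.py
+++ b/payments/fixtures.py
@@ -1,3 +1,6 @@
 import uuid
-ORDER_ID = 1234567890123456
+ORDER_ID = 1234567890123457
+CARD = "4111 1111 1111 1111"
+REQUEST_ID = 9876543210987654321
+logger.info("charging %s", CARD)
"""

if __name__ == "__main__":
    for f in scan_pan(SAMPLE_DIFF):
        print(f"{f.action.upper()} {f.path}:{f.line} cardholder data {f.masked}")
```

Run against the sample, only the `CARD` line is reported (as `payments/fixtures.py:3`, masked to the last four digits); the two other long numbers fail the Luhn check and stay quiet. A real pack also has to decide what to do with well-known test card numbers, which pass Luhn by design, and whether the hit should block or only warn; those choices are policy, which is exactly the part this page says the packs do not manage for you.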
Honest Scope
What the packs do not do
We want procurement conversations to start with accurate expectations.
They do not certify your organization
A pack detecting PHI leaks is evidence you are scanning for them. Certification requires an auditor, policies, and operational controls Pullminder is not part of.
They do not replace an auditor
Packs flag patterns in diffs. An auditor evaluates your whole control environment — access reviews, incident response, vendor management — which lives outside the code.
They are not policy management
Packs are detection rules, not policy documents. They complement a GRC tool — they do not replace one.
Availability
Compliance packs ship on the Enterprise plan. Free trials get Enterprise-tier access for the first 100 PRs, including these packs, so you can run them against real code before procurement commits.
Packs sync automatically from the premium registry once an organization is on an Enterprise or Trial plan — no manual install, no additional CLI step.
For infrastructure-level details — EU hosting, data residency, HMAC webhook validation, audit trails — see our security overview.
Procurement FAQ
Compliance pack FAQ
The questions procurement and security teams ask most often, answered directly.
Do Pullminder's compliance packs make our organization HIPAA, SOC2, PCI-DSS, or GDPR compliant?
No. The packs are detection layers that flag code-level patterns auditors look for — unencrypted PHI, cardholder data in source, missing access logs, PII in logs. They are one input to a compliance program, not a certification.
What do Pullminder's HIPAA, SOC2, PCI-DSS, and GDPR packs detect?
HIPAA detects PHI field exposure, unencrypted PHI storage, and PHI in logs at a merge-blocking action level. PCI-DSS detects cardholder data, CVV storage, weak crypto, and missing tokenization at a merge-blocking level. SOC2 covers access logging, session management, RBAC, rate limiting, and data classification at a warn level. GDPR covers PII in logs, consent records, cross-border transfers, and retention violations at a warn level. Each pack ships 15+ detection rules.
Do the compliance packs replace a compliance auditor?
No. Packs flag patterns in diffs. An auditor evaluates your whole control environment — access reviews, incident response, vendor management — which lives outside the code and is not in scope for Pullminder.
Which Pullminder plans include the compliance packs?
The four compliance packs ship on the Enterprise plan. Free trials get Enterprise-tier access for the first 100 PRs, including these packs, so prospective customers can run them against real code before procurement commits.
Need a different composition?
If your control framework needs a pack combination we do not ship today — ISO 27001, NIST 800-53, HITRUST — talk to us. We build custom rule sets for Enterprise customers.