Policy Enforcement.
Every PR.
Automated risk scoring, secrets detection, and policy checks on every pull request — so risky changes never reach production unchecked.
Security Capabilities
The Verification Matrix
Secrets Detection
Scans every diff for credentials, API keys, and tokens using pattern matching and entropy analysis.
Test Gap Analysis
Verifies test coverage deltas and flags PRs that add code without corresponding tests.
Dependency Review
Detects changes to package manifests and lock files, flagging new or modified dependencies for review.
Insecure Patterns
Flags common security anti-patterns like SQL injection, command injection, and unsafe configurations in changed files.
Sensitive Path Detection
Monitors changes to sensitive directories and critical paths like auth, payments, and infrastructure configs.
Diff Size Analysis
Flags oversized PRs that exceed configured thresholds, catching scope creep from AI-generated code.
File Scope Analysis
Evaluates the breadth and depth of file changes to assess blast radius and cross-module impact.
Config & Permissions Review
Detects changes to configuration files, permission settings, and infrastructure-as-code definitions.
AI-Generated Code Detection
Identifies AI-generated code patterns and applies elevated scrutiny to machine-authored changes.
Framework-specific rule packs add further language and library coverage.
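The Secrets Detection capability above combines two complementary checks on added diff lines: pattern matching for credential formats with a known shape, and entropy analysis for long literals that look random even when they match no known format. The following is an added illustration of that idea, written for this page and not Pullminder's own scanner. It parses a unified-diff hunk (constructed for the example; the AWS key id is the placeholder value used in AWS documentation, the rest are made up), tracks new-file line numbers, and classifies each added line with the first rule tier that fires: a named pattern, a sensitive-variable assignment, or a high-entropy quoted literal. The rule lists and the 3.5 bits/char threshold are assumptions chosen for the example.

```python
import math
import re
from collections import Counter

# Constructed sample hunk (not from any real repository). The AWS key id is the
# placeholder from AWS documentation; the remaining literals are invented.
SAMPLE_HUNK = """\
@@ -10,6 +10,9 @@ def connect():
     host = os.environ["DB_HOST"]
-    token = os.environ["API_TOKEN"]
+    token = "AKIAIOSFODNN7EXAMPLE"
+    password = "hunter2"
+    # TODO: move to env before merge
+    session_key = "9f2c4a8b1d6e3f7a5c0b2d4e6f8a1c3b5d7e9f0a2b4c6d8e"
     return Client(host, token)
"""

HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

# Tier 1: named patterns, high precision for credential formats with a fixed shape.
NAMED_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# Tier 2: a secret-looking variable name assigned a string literal (catches short,
# low-entropy passwords that an entropy rule would miss).
SENSITIVE_ASSIGNMENT = re.compile(
    r"""(?i)\b(password|passwd|pwd|secret|api[_-]?key|access[_-]?token)\s*[=:]\s*["'][^"']+["']"""
)
# Tier 3: any long quoted literal whose characters look random.
QUOTED_LITERAL = re.compile(r"""["']([A-Za-z0-9+/=_\-]{20,})["']""")
ENTROPY_THRESHOLD = 3.5  # bits per character (assumed); prose and identifiers stay under ~3.0


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def added_lines(hunk: str):
    """Yield (new_file_line_number, text) for every '+' line of a unified-diff hunk."""
    line_no = 0
    for raw in hunk.splitlines():
        m = HUNK_HEADER.match(raw)
        if m:
            line_no = int(m.group(1))  # start of the new-file range
            continue
        if raw.startswith("+") and not raw.startswith("+++"):
            yield line_no, raw[1:]
            line_no += 1
        elif raw.startswith("-"):
            continue  # removed line: does not advance the new-file counter
        else:
            line_no += 1  # unchanged context line


def classify_line(text: str):
    """Return (rule, detail) for the first tier that fires, or None if the line is clean."""
    for rule, pattern in NAMED_PATTERNS.items():
        m = pattern.search(text)
        if m:
            return rule, m.group(0)
    m = SENSITIVE_ASSIGNMENT.search(text)
    if m:
        return "sensitive_assignment", m.group(1)
    for literal in QUOTED_LITERAL.findall(text):
        ent = shannon_entropy(literal)
        if ent >= ENTROPY_THRESHOLD:
            return "high_entropy_literal", f"{literal[:8]}... ({ent:.2f} bits/char)"
    return None


def scan_hunk(hunk: str) -> list:
    """One finding per flagged added line: {'line': n, 'rule': ..., 'detail': ...}."""
    findings = []
    for line_no, text in added_lines(hunk):
        hit = classify_line(text)
        if hit:
            findings.append({"line": line_no, "rule": hit[0], "detail": hit[1]})
    return findings


if __name__ == "__main__":
    for f in scan_hunk(SAMPLE_HUNK):
        print(f"line {f['line']}: {f['rule']} ({f['detail']})")
```

On the sample hunk the AWS key id is caught by its fixed prefix, `hunter2` is caught only because it is assigned to a variable named `password` (its entropy is far too low for tier 3), and the hex `session_key` is caught by entropy alone. Scanning only `+` lines matters: a secret that is being removed should not produce a finding, and the new-file line numbers let a reviewer jump straight to the flagged line.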
PASS secrets-scan 0 findings
PASS policy-check 12 rules enforced
PASS test-gap coverage delta +3.2%
PASS dependency-review 0 new deps
✓ All checks passed. Risk score: 12/100 (Low)
STATUS: ANALYSIS_COMPLETE | RISK: LOW | POLICY: ALL_PASS
Minimal data exposure by design.
Pullminder processes only PR metadata and small diff hunks (capped at ~3KB per PR) from flagged files. We never store your full source code. AI briefs are opt-in per organization.
- No Full Source Storage: We analyze diff hunks from changed files only. Your full codebase is never copied or stored.
- Opt-In AI Briefs: AI-generated reviewer briefs use Anthropic Claude. Organizations can disable this entirely — risk scoring and policy checks work without it.
- Secret Encryption at Rest: Slack webhook URLs are encrypted at rest with AES-256-GCM before being persisted. The API refuses to store webhook secrets in plaintext when the encryptor is configured.
- Configurable Retention: Per-resource retention policies for analysis results, audit logs, and baseline data. Configure directly from the Settings page; a daily worker enforces expiry.
- GDPR Data Export: Every user can export their personal data as a JSON file from the Account page — supporting GDPR Article 20 (right to portability) out of the box.
- Data Residency Controls: Enterprise customers get configurable data residency controls and can work with our team on compliance-specific deployment requirements.
Governance & Audit
Built for Compliance
Security-First Architecture
HMAC webhook validation, CSRF protection, parameterized queries, org-scoped access control, and TLS everywhere. Slack webhook URLs are encrypted at rest with AES-256-GCM before being persisted. EU-hosted, GDPR-native.
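HMAC webhook validation, the first item in the list above, is what lets a receiver be sure that a pull-request event really came from the configured sender and was not altered in transit. The following is an added example written for this page, not Pullminder's code: a sender computes HMAC-SHA256 over the raw request body with a shared secret and attaches it in a header (the `X-Hub-Signature-256` name and `sha256=` prefix follow GitHub's convention; the secret and the event payload are constructed), and the receiver recomputes it and compares in constant time before parsing the payload. The AES-256-GCM at-rest encryption mentioned on the page is a separate concern and is not shown here.

```python
import hashlib
import hmac
import json

# Constructed shared secret for the example. In practice it comes from the
# webhook configuration on both sides and never travels in the request.
WEBHOOK_SECRET = b"constructed-example-secret-change-me"
SIGNATURE_HEADER = "X-Hub-Signature-256"  # GitHub's header name; the scheme itself is generic


def sign_payload(secret: bytes, body: bytes) -> str:
    """Sender side: 'sha256=' + hex(HMAC-SHA256(secret, raw body))."""
    digest = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return f"sha256={digest}"


def verify_webhook(secret: bytes, headers: dict, body: bytes) -> bool:
    """Receiver side: True only when the header carries a valid HMAC over the raw body."""
    provided = headers.get(SIGNATURE_HEADER, "")
    if not provided.startswith("sha256="):
        return False  # a missing or differently-labelled header is a rejection, not a fallback
    expected = sign_payload(secret, body)
    # compare_digest runs in constant time, so timing differences do not reveal
    # how many leading bytes of a guessed signature were correct.
    return hmac.compare_digest(provided, expected)


def handle_webhook(headers: dict, body: bytes):
    """Authenticate first, parse second: untrusted JSON is never decoded before the check."""
    if not verify_webhook(WEBHOOK_SECRET, headers, body):
        return 401, "invalid signature"
    event = json.loads(body)
    return 200, event["action"]


# Constructed pull-request event; the sender signs exactly these bytes.
EVENT_BODY = json.dumps({"action": "opened", "pull_request": {"number": 42}}).encode()


if __name__ == "__main__":
    good_headers = {SIGNATURE_HEADER: sign_payload(WEBHOOK_SECRET, EVENT_BODY)}
    print(handle_webhook(good_headers, EVENT_BODY))                               # (200, 'opened')
    print(handle_webhook({}, EVENT_BODY))                                         # (401, 'invalid signature')
    print(handle_webhook(good_headers, EVENT_BODY.replace(b"opened", b"closed"))) # (401, 'invalid signature')
```

Two details carry most of the security value: the HMAC is computed over the raw bytes (re-serializing the JSON first can change whitespace or key order and break the check), and the comparison uses `hmac.compare_digest` rather than `==`.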
Full Audit Trail
Every policy change, repo toggle, and enforcement action is logged with actor, timestamp, and before/after values. Filterable, exportable, and retained per your retention policy.
Pullminder is built by Upmate — a self-funded, EU-based engineering team with a 20-year track record building production systems. We are headquartered in Thessaloniki, Greece, GDPR-native by default, with no VC incentive to monetise your data.
Responsible Disclosure
Report a Vulnerability
How to Report
Do not open a public GitHub issue. Instead, email us at:
security@pullminder.com
Include a description, steps to reproduce, potential impact, and any suggested fixes.
Response Timeline
- Acknowledgment — within 48 hours
- Initial assessment — within 5 business days
- Resolution — critical issues within 30 days
Scope
With your permission, we acknowledge security researchers in our release notes.