mergewhy-collector v1.1.0
mergewhy-collector
Change evidence collection for CI pipelines. Score pull requests, detect compliance gaps, evaluate framework controls, and push signed attestations to MergeWhy.
Quick Start
```bash
npx mergewhy-collector report --ci github-actions
```
Usage
Auto-detect CI environment
The collector reads environment variables from your CI provider automatically:
```bash
# GitHub Actions
mergewhy-collector report --ci github-actions
# GitLab CI
mergewhy-collector report --ci gitlab-ci
# Jenkins
mergewhy-collector report --ci jenkins
# CircleCI
mergewhy-collector report --ci circleci
# Azure Pipelines
mergewhy-collector report --ci azure-pipelines
```
Explicit arguments
```bash
mergewhy-collector report \
  --repo owner/repo \
  --pr 123 \
  --commit abc123 \
  --branch main \
  --author username \
  --description "Add payment API" \
  --ticket PROJ-1234 \
  --reviews 2 \
  --approvals 1 \
  --ci-status pass \
  --tests-passed 142 \
  --tests-failed 0 \
  --coverage 87 \
  --framework soc2
```
Minimum score threshold
Fail the CI step if the evidence score is below a threshold:
```bash
mergewhy-collector report --ci github-actions --min-score 60
```
Exit code 0 means the score met the threshold; exit code 1 means it fell below it.
CI Integration Examples
GitHub Actions
```yaml
- name: MergeWhy Evidence Report
  run: npx mergewhy-collector report --ci github-actions
  env:
    MERGEWHY_API_KEY: ${{ secrets.MERGEWHY_API_KEY }}
    COLLECTOR_SIGNING_KEY: ${{ secrets.MERGEWHY_SIGNING_KEY }}
```
Jenkins
```groovy
stage('Evidence Report') {
    sh 'npx mergewhy-collector report --ci jenkins --framework soc2'
}
```
CircleCI
```yaml
- run:
    name: MergeWhy Evidence
    command: npx mergewhy-collector report --ci circleci
```
Azure Pipelines
```yaml
- script: npx mergewhy-collector report --ci azure-pipelines
  displayName: MergeWhy Evidence
```
Push to MergeWhy API
Set these environment variables to push signed attestations:
| Variable | Description |
|----------|-------------|
| MERGEWHY_API_KEY | Your MergeWhy API key |
| MERGEWHY_API_URL | API URL (default: https://mergewhy.com) |
| COLLECTOR_SIGNING_KEY | Ed25519 private key (base64) |
Generate a signing keypair:
```bash
npx mergewhy-collector keygen
```
Daemon Mode
Run as a continuous agent (Docker/Kubernetes) to monitor repositories:
```bash
# Poll every 5 minutes
COLLECTOR_POLL_INTERVAL=300 mergewhy-collector
# Single pass
mergewhy-collector --once
# Scan recent PRs
mergewhy-collector --scan
```
See COLLECTOR.md for full documentation.
Supported Frameworks
SOC 2, SOX ITGC, SOX 404, HIPAA, ISO 27001, NIST 800-53, CMMC (L1/L2/L3), FedRAMP, DORA, GDPR, PCI DSS.
License
Apache-2.0
