Frequently Asked Questions

Everything you need to know about Astriguard

Questions about security, pricing, supported frameworks, and the CLI. Can't find what you're looking for? Contact us.

Security

There are two distinct phases, and it is important to understand both:

One-time baseline (when you first connect a repository): Astriguard reads compliance-relevant files, such as infrastructure configs, SQL migrations, and source code, to build a semantic index of your codebase. This index lets subsequent PR scans surface patterns from your existing code. Critically, the raw file text is never stored. It is processed to generate a mathematical representation of code patterns, then discarded. That representation cannot be reversed into your original source.

Every pull request after that: Only the files changed in the PR are read. Unchanged files are not fetched again. Astriguard has read-only access to your repository contents: it cannot push code, merge branches, approve PRs, or modify anything in your repository. The only write permissions it holds are for posting check results and review comments, listed below.

The GitHub App requests the minimum permissions required to do its job:
  • Pull requests (read): to list changed files and read PR diffs
  • Repository contents (read): to fetch file content during the one-time baseline and for changed files in each PR scan
  • Checks (write): to post the pass/fail compliance status on each PR
  • Pull request reviews (write): to post inline violation comments directly on the changed lines
Those two write scopes cover only check runs and review comments. There is no write access to your code, and no access to secrets, branch protection rules, or repository settings.
File content from your pull requests is analyzed by an AI model to detect compliance violations. The AI provider we use does not use data submitted through their API to train their models. All traffic between Astriguard and the AI provider is encrypted in transit. No file content is retained by Astriguard after analysis completes -- only the violation findings (file path, line number, description, suggested fix) are stored.
Astriguard is built on enterprise-grade cloud infrastructure using SOC 2 compliant service providers for compute, data storage, and authentication. Row-level security is enforced at the database level so each organization's data is strictly isolated. We are actively working toward our own SOC 2 Type II attestation. Contact us for our current security posture documentation.
When you authenticate via the CLI, Astriguard issues a short-lived personal access token (ag_pat_...). Only a SHA-256 hash of this token is ever stored in the database. The plaintext token is shown once and never persisted. You can revoke it at any time with `astria logout` or from the dashboard.

Pricing

Yes. The Free plan lets you connect one repository and run compliance scans on pull requests within a monthly token budget. No credit card is required to get started.
Usage is tracked by AI tokens consumed per scan. Each pull request scan uses a variable number of tokens depending on the size of the diff and the number of compliance frameworks selected. The dashboard shows your monthly usage and remaining budget in real time.
Once the monthly budget is reached, further scans are skipped rather than failing with an error: the GitHub PR check is reported as a neutral pass so your team is not blocked. Note that this also means PRs opened after the budget is exhausted are merged unscanned until usage resets on the first of each calendar month.
Yes. Plan changes take effect immediately. If you downgrade mid-cycle, you keep the higher-tier limits until the end of the billing period.
Yes. The Enterprise tier includes custom token budgets, SSO via SAML, priority support, and a dedicated onboarding call. Contact us to discuss your requirements.

Frameworks

Astriguard currently supports four frameworks:
  • SOC 2: Trust Services Criteria (CC controls) for security, availability, and confidentiality
  • HIPAA: Security Rule controls for protected health information
  • GDPR: Data handling, minimization, and access control requirements
  • EU AI Act: High-risk AI system obligations and documentation requirements
Yes. On the roadmap: ISO 27001, PCI DSS, NIST CSF, and FedRAMP. If there is a specific framework your team needs, contact us and we will prioritize accordingly.
Yes. When you connect a repository, you select which frameworks apply to it. Astriguard scans every PR against all selected frameworks simultaneously and groups findings by framework and control reference.
Each violation includes a confidence score. Findings above 85% confidence are marked as actionable (HARD_BLOCK or suggestion). Findings below 85% are flagged as needing human review so your team makes the final call rather than the AI. False positives can be overridden and tracked in the audit ledger.
Custom control filtering is on the roadmap for the Growth and Scale tiers. Today you can override individual findings from the dashboard with a justification, which is recorded in the compliance ledger for audit purposes.

CLI

The CLI reads only the files you have changed in your working branch -- the current content of each modified file along with the change diff. Your unchanged files, untracked files, and the rest of the repository are never read or transmitted. The scan is scoped to your working changes, not your entire codebase.
The CLI uses the GitHub Device Flow. Running `astria login` opens a browser prompt where you authorize the Astriguard OAuth app on GitHub. After approval, Astriguard verifies your GitHub org membership against active installations and issues a local ag_pat_... token. The GitHub OAuth token is used once, to verify your identity, and is never stored.
For each file you have changed, the CLI sends the current file content and the change diff to the Astriguard API for analysis. Only files you have modified are included -- no unchanged files, no full repository upload. The API analyzes this data and returns violation findings. No file content is stored after the analysis completes.
Yes. Run `astria logout` to revoke the token on the device. You can also revoke all CLI tokens for your account from the dashboard settings page. Tokens are single-device and do not grant access to other machines.
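A worked illustration of the token handling described in the Security section and in this answer: the plaintext token is returned once, only its SHA-256 hash is persisted, it expires, and it can be revoked for one device (logout) or for every device on the account (dashboard). This is an added example, not Astriguard's code; the `TokenStore` class, the in-memory table layout, the 32-byte random secret and the one-hour lifetime are assumptions (the page only says "short-lived").

```python
"""Issue, store, verify and revoke an ag_pat_ style CLI token.

Added example, not Astriguard's implementation. The table layout,
32-byte secret length and one-hour lifetime are assumptions.
"""
import hashlib
import hmac
import secrets
import time

TOKEN_PREFIX = "ag_pat_"
TOKEN_TTL_SECONDS = 3600  # assumed; the page only says "short-lived"


class TokenStore:
    """In-memory stand-in for the database table holding token hashes."""

    def __init__(self):
        # sha256 hex of the token -> row; the plaintext is never kept here
        self._rows = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, user: str, device: str, now: float = None) -> str:
        """Mint a token, persist only its hash, return the plaintext once."""
        now = time.time() if now is None else now
        token = TOKEN_PREFIX + secrets.token_urlsafe(32)
        self._rows[self._digest(token)] = {
            "user": user,
            "device": device,
            "expires_at": now + TOKEN_TTL_SECONDS,
            "revoked": False,
        }
        return token  # shown to the user once; nothing else retains it

    def verify(self, token: str, now: float = None):
        """Return the owning user, or None if unknown, expired or revoked."""
        now = time.time() if now is None else now
        if not token.startswith(TOKEN_PREFIX):
            return None
        digest = self._digest(token)
        # Constant-time comparison against each stored hash, so a timing
        # side channel does not reveal how much of a guessed hash matched.
        row = None
        for stored, candidate in self._rows.items():
            if hmac.compare_digest(stored, digest):
                row = candidate
        if row is None or row["revoked"] or now >= row["expires_at"]:
            return None
        return row["user"]

    def revoke(self, token: str) -> bool:
        """Logout on one device: revoke only the token presented."""
        row = self._rows.get(self._digest(token))
        if row is None:
            return False
        row["revoked"] = True
        return True

    def revoke_all(self, user: str) -> int:
        """Dashboard action: revoke every live token for an account."""
        count = 0
        for row in self._rows.values():
            if row["user"] == user and not row["revoked"]:
                row["revoked"] = True
                count += 1
        return count


if __name__ == "__main__":
    store = TokenStore()
    plaintext = store.issue("alice", "laptop", now=1000.0)
    print("issued:", plaintext)
    print("valid now:", store.verify(plaintext, now=1500.0))
    print("valid after ttl:", store.verify(plaintext, now=1000.0 + TOKEN_TTL_SECONDS))
    store.revoke(plaintext)
    print("valid after logout:", store.verify(plaintext, now=1500.0))
```

Because lookups compare SHA-256 digests rather than the token itself, a leaked copy of the table yields nothing usable: an attacker would need a preimage of the hash to present a valid token.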
After installing the CLI, run:
astria-cli hook install
This writes a .git/hooks/pre-push script that runs the scan automatically before every push and blocks the push if any HARD_BLOCK violations are found. Because .git/hooks is local and not committed, each developer installs the hook on their own machine, and `git push --no-verify` skips it; treat the hook as early feedback for developers, with the PR check as the enforcement point.
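The decision logic such a hook has to implement, combining the confidence rule from the Frameworks section (findings below 85% go to human review rather than acting automatically) with the blocking rule above (only HARD_BLOCK findings stop a push). This is an added example, not the script `astria-cli hook install` writes; the finding dictionary shape, the `scan` callable and the sample findings are constructed assumptions. The ref-parsing part follows git's documented pre-push stdin format and handles the two edge cases of a deleted ref and a branch that does not yet exist on the remote.

```python
"""Decision logic of a pre-push compliance hook.

Added example, not Astriguard's hook. The finding shape, the `scan`
callable and the sample data are assumptions.
"""
import sys

CONFIDENCE_THRESHOLD = 0.85  # from the FAQ: below this, humans decide


def _is_zero_oid(oid: str) -> bool:
    """git passes an all-zero object id (40 or 64 chars) for 'no commit'."""
    return set(oid) == {"0"}


def parse_pre_push_stdin(text: str):
    """Parse the `<local ref> <local oid> <remote ref> <remote oid>` lines
    git feeds a pre-push hook and return (local_oid, remote_oid) pairs to
    scan. A ref deletion (local oid all zeros) carries no code and is
    skipped; a branch new to the remote (remote oid all zeros) has no base,
    so remote_oid is None and the caller scans the whole branch."""
    ranges = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _local_ref, local_oid, _remote_ref, remote_oid = line.split()
        if _is_zero_oid(local_oid):
            continue
        ranges.append((local_oid, None if _is_zero_oid(remote_oid) else remote_oid))
    return ranges


def triage(findings):
    """Split findings into actionable and needs-human-review by confidence."""
    actionable, review = [], []
    for f in findings:
        (actionable if f["confidence"] >= CONFIDENCE_THRESHOLD else review).append(f)
    return actionable, review


def should_block(findings) -> bool:
    """Block only on actionable HARD_BLOCK findings; a low-confidence
    HARD_BLOCK is routed to review instead of stopping the push."""
    actionable, _ = triage(findings)
    return any(f["severity"] == "HARD_BLOCK" for f in actionable)


def hook_main(stdin_text: str, scan) -> int:
    """Exit status for the hook: 0 lets the push through, 1 blocks it.
    `scan(local_oid, remote_oid)` is an assumed callable returning findings."""
    findings = []
    for local_oid, remote_oid in parse_pre_push_stdin(stdin_text):
        findings.extend(scan(local_oid, remote_oid))
    actionable, review = triage(findings)
    for f in actionable:
        print(f"{f['severity']:10} {f['file']}:{f['line']} {f['description']}")
    if review:
        print(f"{len(review)} lower-confidence finding(s) need human review")
    return 1 if should_block(findings) else 0


if __name__ == "__main__":
    # Constructed sample input: one branch update, one ref deletion.
    SAMPLE_STDIN = (
        "refs/heads/feat " + "a" * 40 + " refs/heads/feat " + "b" * 40 + "\n"
        "refs/heads/old " + "0" * 40 + " refs/heads/old " + "c" * 40 + "\n"
    )
    # Constructed sample findings: only the first one should block.
    SAMPLE_FINDINGS = [
        {"severity": "HARD_BLOCK", "confidence": 0.93, "file": "db/001.sql",
         "line": 12, "description": "sensitive column stored without encryption"},
        {"severity": "HARD_BLOCK", "confidence": 0.61, "file": "api/users.py",
         "line": 40, "description": "possible personal data in log line"},
        {"severity": "suggestion", "confidence": 0.90, "file": "infra/s3.tf",
         "line": 3, "description": "bucket versioning disabled"},
    ]
    sys.exit(hook_main(SAMPLE_STDIN, lambda local, remote: SAMPLE_FINDINGS))
```

Running the block as-is exits 1 because of the 93%-confidence HARD_BLOCK; drop that entry from the sample and it exits 0, with the 61% finding reported for review only.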
Yes. Every CLI scan consumes tokens from the same monthly budget as PR scans. Both are tracked together and enforced against your plan limit. The Usage page in the dashboard shows the combined total. The CLI will also display a warning after each scan when your remaining budget falls below 30%.
Run:
astria-cli usage
This prints your plan tier, tokens consumed this month vs. your budget (as a percentage), and scans used vs. your monthly limit. The same figures appear in the Usage section of the Astriguard dashboard.

Still have questions?

Our team is happy to walk you through how Astriguard fits your stack and compliance requirements.

Contact us | View pricing