heygrc
Answer

Can a compliance check block my merges?

the heygrc team

Only if you want it to. A compliance check on a pull request should default to a neutral status: it posts findings and a check state, and the merge decision stays with the engineer. Teams that want hard gating can require the check in branch protection, which turns the same signal into a blocker on exactly the branches they choose. heygrc ships the neutral default and supports the required-check setup.

  1. Default to informing, not blocking

    Compliance findings often need judgment: whether a field is personal data, whether a risk is already accepted, whether an exception is documented. A hard block on judgment calls teaches a team to route around the tool. A neutral status keeps the signal in the review without taxing velocity.

  2. Reserve required checks for the branches that matter

    If your policy needs gating, require the compliance check in branch protection on the release or main branches, deliberately and per branch. The check itself is unchanged; what changes is that those branches now wait for it, which is a scoped, reversible decision rather than a tool-wide one.

  3. Keep the trail either way

    Blocking or neutral, the value that survives is the record: a compliance reading attached to each change is the per-change trail your change-management control (ISO 27001 A.8.32, SOC 2 CC8.1) wants, and the place an auditor looks when they sample how changes were reviewed.