Launching today · 120 modules live

Your CI just went red.
Minutes later, there's a PR with the fix.

120checks. One gate. We catch the bug, security hole, or CI rot that crashes your deploy — then open a pull request with the fix already written, tested, and pair-reviewed by a second AI.

Pay per scan — no subscription, no minimum. Built on Claude Sonnet 4.6.

Free preview — top 3 issues plus your Health Score. No signup, no install.

Try a samplePlayground →
github.com/your-org/your-repo/pull/248
Gate green
pull request #248
fix: define resolveTenantCapForHotPath
apps/api/src/cdn/handler.ts
- ReferenceError: not defined
+ import { resolveTenantCapForHotPath }
+   from "./quotas";
✓ 1 regression test added✓ pair-reviewed✓ 38s · ~$0.02
One gate replaces
SonarQubeSnykESLintSemgrepCodeQLDeepSource+ 6 more
6,100+
tests passing, every commit
120
modules in one gate
120/120
green on our own repo
$29+
per scan · no subscription
What you get

From red CI to merged fix — while you sleep.

Most tools tell you what's broken. We open the PR that fixes it. This is what a single GateTest run looks like, end-to-end.

Step 1·02:14 UTC
CI failed

A test breaks on main

× vapron-api.service failed
  ReferenceError: resolveTenantCapForHotPath
    is not defined
  at apps/api/src/cdn/handler.ts:65:22
  Bun v1.3.14 (Linux x64)

  ::error file=apps/api/src/cdn/handler.ts,
    line=65::ReferenceError

A real Vapron failure from 2026-05-24. The api crashed at module load. Rollback also failed.

Step 2·02:14 + 38s
GateTest working

Auto-fix runs while you sleep

  • Re-runs the gate to isolate the failing module
  • Reads the project conventions (README, AGENTS.md)
  • Generates the fix with Claude Sonnet 4.6
  • Validates the fix re-passes the gate
  • Writes a regression test for the bug
  • Pair-reviews the fix with a second Claude

~38 seconds, ~$0.02 in Anthropic API spend per fix on the $99 tier. Margin: 100x.

Step 3·02:15 UTC
PR opened

A fix PR lands in your repo

+ import { resolveTenantCapForHotPath }
+   from "./quotas";

  const handler = createSomething({
    tenantCapResolver:
      resolveTenantCapForHotPath,
    ...
  });

✓ Tests added (1)  ✓ Gate green

One-click “Commit suggestion” in GitHub. CI re-runs green. You wake up to a merged fix instead of a 47-message Slack thread.

No other tool ships scan + fix + regression test + pair-review + cross-finding correlation on pay-per-scan pricing. We do.

What it replaces

Twelve tools. One config.One bill.

Hover any tile to see the GateTest module that replaces it. The full table's in the breakdown below — 30+ tools across the entire QA stack.

Snyk
We replace this
--module security
OWASP + supply chain + CVE database, no SaaS lock-in.
SonarQube
We replace this
--module codeQuality
Same rules, no Java daemon, no per-seat seat tax.
ESLint
We replace this
--module lint
Plus 90 more checks ESLint never tries to run.
Cypress
We replace this
--module e2e
Browser E2E plus 89 things Cypress doesn't do.
BrowserStack
We replace this
--module compatibility
Cross-browser matrix, no monthly device farm bill.
Lighthouse
We replace this
--module performance
Perf, SEO, A11y unified — and gate-blocking, not advisory.
axe-core
We replace this
--module accessibility
WCAG 2.2 automated audit (AA + AAA-aligned) — built in, not a separate plugin.
Renovate
We replace this
--module dependencies
Polyglot freshness + CVE fix-PR, not just notifications.
Dependabot
We replace this
--module dependencies
Same scope, plus typosquats, license risks, lockfile drift.
hadolint
We replace this
--module dockerfile
Dockerfile lint + secrets + curl|sh + chmod 777 hunting.
tfsec
We replace this
--module terraform
Terraform / Pulumi / CDK security — same gate as everything else.
actionlint
We replace this
--module ciSecurity
Plus unpinned actions, pwn-request, permissions hygiene.
Jest / Vitest / MochaunitTests
Cypress / BrowserStack / Sauce Labse2e
ESLint / Stylelintlint
Snyk / npm auditsecurity
Renovate / Dependabotdependencies
hadolint / dockle / docker benchdockerfile
actionlint / StepSecurity / zizmorciSecurity
shellcheck / bashate / shfmtshell
squawk / gh-ost / pg-osc / Strong MigrationssqlMigrations
tfsec / Checkov / Terrascan / KICSterraform
kube-score / kubeaudit / Polaris / Kubeseckubernetes
LLM Guard / Lakera Guard / Rebuff (static slice)promptSafety
Promptfoo / Garak / Lakera Red (dynamic scenario testing — Forensic tier)aiGuardrails
ts-prune / knip / VulturedeadCode
gitleaks / secretlint / dotenv-lintersecretRotation
securityheaders.com / Mozilla ObservatorywebHeaders
type-coverage / @typescript-eslint/no-explicit-anytypescriptStrictness
madge --circular / dependency-cruiserimportCycle
safe-regex / recheckredos
Lighthouseperformance
axe / pa11yaccessibility
Percy / Chromaticvisual
SonarQubecodeQuality
git-secrets / truffleHogsecrets
broken-link-checkerlinks

Plus 12 more modules with no direct competitor: AI code review, fake-fix detector, mutation testing, chaos / fuzz pass, autonomous exploration, live crawling, data integrity, documentation validation, compatibility analysis, integration-test detection, CI generation, SARIF output.

The flywheel

Four layers. Compounding.

Every competitor either ships pattern matchers (cheap, brittle) or ships LLM-only fixes (slow, expensive, hallucinates). We stack four deterministic layers in front of Claude. Most fixes never reach the LLM. Margin works. Quality compounds.

01~47%

AST fix

cost per fix: $0

Deterministic transforms on the parse tree.

rejectUnauthorized: false → true. httpOnly: false → true. The compiler proves correctness; no LLM needed.

02~22%

Rule fix

cost per fix: $0

Codemod recipes per finding class.

Wildcard CORS origin + credentials. Missing CSP. Cookie hardening. One regex-bounded rewrite per pattern.

03~16%

Recipe lookup

cost per fix: $0

Cached fixes from every prior scan, compounding.

When a scan resolves a novel finding, the diff is stored. Next time that finding shape arrives — local or someone else's repo — we apply the cached patch.

04~5%

Claude

cost per fix: ~$0.03

Only the genuinely novel cases reach the LLM.

Iterative loop with N retries, syntax gate, scanner re-validation, pair-review on $199+, attack-chain correlation on $399.

Self-healing CI

When CI breaks, the agent reads the failing log, walks back to the failing line, applies the right layer (AST → rule → recipe → Claude), runs the gate again, opens a PR. You review the diff and merge. The build was red for fifteen minutes; you didn't have to look at it. The recipe layer remembers, so the next time the same failure happens — your repo or someone else's — it's fixed before you see it.

How it actually works

Layer percentages are derived from our own self-scan + the four real-repo proofs in docs/proofs/. Your mileage will vary by tier and codebase shape.

MCP tools for AI agents

Give Claude Eyes, Ears & Hands

AI coding agents write UI blind, never hear the app fail, and claim “fixed” without proof. GateTest MCP closes all three gaps — 18 tools, one stdio connection, works in Claude Code, Cursor, Windsurf, and any MCP-compatible agent.

EYES

Claude writes UI blind — it can't see what it built.

capture_screenshot returns a real JPEG/PNG image. Claude looks at the rendered page — nav, layout, font sizes, broken CTAs — exactly like a developer reviewing a browser tab.

// See the rendered page — works with localhost too
capture_screenshot({
  url: "http://localhost:3000/pricing",
  width: 390  // mobile viewport
})
// → returns an actual image block Claude can see

Use after every UI change

EARS

Claude guesses what's broken — it can't hear the running app.

get_production_errors pulls file:line from Sentry/Datadog/Rollbar. run_live_checks hears JS errors, console warnings, API timeouts, and CSP violations against any live URL including localhost.

// Fix what production says is broken, first
get_production_errors({ source: "all" })
// → TypeError: cart is undefined | src/checkout.ts:44 | 412 occurrences

// Or check your local dev server right now
run_live_checks({ url: "http://localhost:3000" })
// → apiHealth: 2 broken, runtimeErrors: CSP violation on /dashboard

Use before deciding what to fix

HANDS

Claude claims 'fixed' without proof — no re-run, no gate.

verify_fix selects the modules relevant to your changed files, re-runs them in-process, and returns a hard ✅/❌ scoped to exactly what you edited. No assumptions.

// After editing — prove it actually worked
verify_fix({
  path: "/your/project",
  files: ["src/auth/session.ts"]  // exactly what you edited
})
// ✅ FIX VERIFIED — 0 error-severity findings remain
// ❌ NOT VERIFIED — secrets: hardcoded key still at line 14

Use after every code edit

Add to Claude Code in 30 seconds

Works with any MCP-compatible AI — Claude Code, Cursor, Windsurf, Continue, Cline. No account, no webhook, no infra. The engine runs in-process on your local filesystem.

$ claude mcp add gatetest -- npx @gatetest/cli --mcp
Don't trust us

Trust the green.

GateTest runs against itself on every push to main. If our own gate were red we'd have no business asking you to use it. Below is the live status panel — same shape you'll see on your repo.

crclabs-hq/gatetest  ·  main  ·  gateSTANDBY
Our own gate
Awaiting first scanself-scan workflow runs on every push to main
View CI runs
syntax
lint
secrets
codeQuality
security
ssrf
tlsSecurity
cookieSecurity
accessibility
performance
ciSecurity
dockerfile
kubernetes
dependencies
redos
money-float
Scan time
Last run
Awaiting
Soft-fail policy
Never

The self-scan workflow lives in .github/workflows/ci.yml. Bible Forbidden #24 means continue-on-error: true is banned on the gate step — so a red gate would block the commit, not just warn.

Install

Zero config. Zero ceremony.

One npx command for local. One YAML file for CI. The whole thing runs on Node 20+. No build step, no Docker image, no daemon.

60 seconds · from npx to gate
$ npx gatetest --suite quick
CLI cheat-sheet
# scan a single repo locally
$ npx @gatetest/cli --suite quick

# all 120 modules, blocking gate
$ npx @gatetest/cli --suite full

# scan a public website
$ npx @gatetest/cli --url https://yoursite.com

# watch mode — re-run on every file change
$ npx @gatetest/cli --watch
CI · GitHub Actions
# .github/workflows/gatetest.yml
name: GateTest
on: [push, pull_request]

jobs:
  gate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npx @gatetest/cli --suite full --reporter sarif
        # NOTE: do NOT add continue-on-error: true here
        # The whole point of a gate is that it gates.

Zero dependencies. Zero telemetry by default. Source is on GitHub — MIT-licensed. The CLI itself is free; the auto-fix tiers are paid.

Predictable, Automation-First Pricing

Quick and Full scans are free via the open-source CLI — install with npx @gatetest/cli --suite full. Pay only when you want auto-fix or deeper AI analysis.

Quick Scan

4-module rapid scan: syntax errors, lint violations, exposed secrets, and code quality. Results in seconds.

$29/ per run
  • Syntax Error Detection
  • Lint Violation Scanner
  • Secret & API Key Exposure
  • Code Quality Baseline
  • JSON / SARIF / JUnit Output
  • Scan-only (no auto-fix)

Full Scan

All 120 modules: security, supply chain, auth hardening, CI security, AI safety, and more.

$99/ per run
  • All 120 Specialized Modules
  • Security & Auth Hardening
  • Supply Chain & Dependency Audit
  • CI/CD & Container Security
  • AI Safety & Prompt Protection
  • Scan-only (no auto-fix)
Most Popular

Scan + Fix

111-module deep scan with iterative auto-fix PR, pair-review agent, and architecture annotations.

$199/ per run
  • 111 Specialized Engineering Modules
  • Iterative Fix Loop (up to 3 retries per finding)
  • Cross-Fix Syntax + Scanner Gate
  • Regression Test Generated per Fix
  • Pair-Review Agent (4-axis critique)
  • Architecture Annotator Report
  • Automated PR with Before/After Table

Forensic Scan

Everything in Scan+Fix plus Claude-driven per-finding diagnosis, attack-chain correlation, and executive summary.

$399/ per run
  • Everything in Scan + Fix
  • Per-Finding Claude Diagnosis
  • Cross-Finding Correlation (attack chains)
  • Executive Summary (CTO-ready)
  • Board-Ready CISO Report
  • Mutation Testing via GitHub Action
  • Chaos/Fuzz Pass via GitHub Action
Claude Integration

MCP Integration

Give Claude eyes, ears & hands. Full 120-module scans + AI fix + screenshot + production errors — all inside your AI assistant.

$29/ per month
  • 👁 Eyes — Screenshot any URL or localhost
  • 👂 Ears — Sentry / Datadog / Rollbar errors
  • 🤝 Hands — verify_fix proves the fix worked
  • Full 120-module local scans (vs 4 free)
  • AI fix + diagnose (fix_issue, explain_finding)
  • API key delivered by email instantly
Get MCP Access →

Cancel anytime

Continuous Guard

Unlimited deterministic scans on every push. AI reviews metered by monthly allowance.

$49/ per month
  • Unlimited Deterministic Push Scans
  • AI Review Allowance ($10/mo default)
  • Continuous AI Ledger Protection
  • Real-Time Pipeline Trace Feed
FAQ

Common skeptical questions.

Answers calibrated for the engineer who showed up from a Hacker News thread. We are too.

Is this just another AI tool?
No. The deterministic engine ships first — AST, regex, file walkers across 120 modules, no LLM in the loop. Claude only enters when the deterministic layers can't resolve a finding (roughly 5% of fixes). The 4-layer flywheel architecture is the moat.
Is my code stored anywhere?
No. Scans are ephemeral. We clone, run the engine, post the report, delete the clone. The repo never leaves your CI environment when you install the GitHub Action — we never see it. For paid scans run from our infra, the working copy lives on a Vercel function for the duration of the scan and is gone when the response returns. Privacy policy.
Why not just ESLint + Snyk + the other 10 tools?
You can. Most teams do. The question is who maintains the compose-of-ten — and who pays the per-seat tax across all of them. We replace 30+ tools with one CLI, one config, one bill. See the full replacement table or compare us tool-by-tool.
Per-scan pricing — what's the catch?
None. You pay once via Stripe at checkout, we run the scan, you get the report. No subscription, no auto-renew, no per-seat billing. If the scan fails to start or crashes mid-way, contact hello@gatetest.ai — we re-run it or issue a credit at our discretion. Scan-finish rate is well above 99% on real repos, so this rarely happens.
Is the gate actually strict?
Yes. Bible Forbidden #24 outright bans continue-on-error: true on the gate step. We dog-food this: our own self-scan is a hard gate on every push to main. If a competitor lets you silently skip a failing check, that's how 80% of the wins in QA-platform marketing slip into prod anyway.
Can I trust an AI to repair my CI?
The fix-flow is layered for exactly that reason: AST → rule recipe → cached pattern → Claude. Each layer's output passes a syntax gate and a scanner re-validation gate before the PR opens. Claude never auto-merges — it opens a PR you review. At the $199+ tiers a second Claude pair-reviews every fix on a 4-axis rubric (correctness, completeness, readability, test coverage). Real outputs are documented in docs/proofs/.

Still have questions? hello@gatetest.ai · file an issue

The Stack

One team. Three products. Zero lock-in.

GateTest keeps your code honest. Gluecron hosts your git. Vapron runs your scheduled jobs. Each stands alone — together they cover the whole “real software in production” problem.

Gc

Gluecron

gluecron.com

The git host built around Claude.

Git hosting built for small teams — no tickets, no politics. GateTest is wired into it natively: every push lands on Gluecron's Signal Bus and triggers a scan from the same queue that serves GitHub.

  • Push-to-scan: GateTest gates merges natively
  • Built by the same team, used every day
  • Independent product — no bundle lock-in

Dogfooded hard: GateTest's Forensic scan ran against Gluecron's own codebase — full findings published in the Hall of Scans.

V

Vapron

vapron.ai

Scheduled jobs that actually run. Cron with receipts.

AI-native, edge-first, zero ops. The cron and background jobs that power your product — run with receipts, so "did the job fire?" is never a mystery again.

  • Production scheduling without babysitting
  • GateTest guards its codebase on every push
  • Independent product — use it alone or together

Dogfooded hard: the live demo on this page replays a real Vapron failure that GateTest caught and fixed. Full scan in the Hall of Scans.

Scans every major framework, runtime, and infra primitive

Next.jsReactVueExpressFastifyNestPrismaDrizzleMongoPostgresDockerKubernetesTerraformAWSGCPAzurePythonGoRustJavaRubyPHPC#KotlinSwift

Eaten our own dog food

GateTest currently protects Vapron.ai and Gluecron.com as a CI gate.

Same engine, same rules, same gate. The integration script is published — feel free to clone the workflow.