The QA gate
your CI is missing.
GateTest catches the bug patterns that slip through code review — race conditions, money stored in floats, secrets past rotation, async-iteration footguns, CI supply-chain vectors. One gate. Real findings. Auto-fix PR on every failure.
What it catches
The patterns code review misses because they're invisible in a diff.
parseFloat() on billing amounts — sub-cent drift becomes fraud at scale. Finds it across JS + Python with safe-harbour for decimal.js / big.js.
Credentials older than 90 days flagged as error. Git-history dated, not guessed. Catches the ones that outlived the breach.
findOne → create with no transaction or ON CONFLICT guard. The duplicate-insert bug you hit only in prod under load.
forEach(async ...) — errors swallowed, events processed out of order. Also catches .filter(async) returning Promise-truthy nonsense.
Unpinned GitHub Actions + write-scope GITHUB_TOKEN + ${{ github.event }} shell injection. The attack chain that hits unattended CI.
Database calls inside map/forEach/for loops across Prisma, TypeORM, Sequelize, Mongoose, Drizzle. Understands Promise.all batching.
Tarjan SCC across your full import graph. Finds the cycle that reproduces randomly depending on module-cache warmth.
httpOnly:false, secure:false, placeholder secrets. Turns XSS into session takeover. Django / Express / FastAPI all covered.
Empty catch blocks, .catch(noop), fire-and-forget .save() with no await. Failure becomes invisible success.
User input flowing into fetch() without hostname validation. Taint-tracks across assignments — not just inline calls.
Nested quantifiers, overlapping alternation, user-controlled regex construction. Catastrophic backtracking before it hits prod.
Invalid field ranges, impossible dates (Feb 30), typo aliases (@weely). The silent-failure class nobody checks.
+ 98 more modules across security, CI/CD, TypeScript, async patterns, and runtime correctness.
Public repos: paste your GitHub URL into the free preview scan.
Open free preview →Any repo (public or private): install the CLI once, then scan locally.
Requires Node 20+. Scans in memory — code never leaves your machine.
One command adds a GitHub Actions workflow, pre-push hook, and protection marker. Works on any public or private repo.
Private repos — install the GitHub App
One click. Auto-scans every push and PR. Results posted as commit statuses and PR comments. Findings show as inline annotations in the diff.
Real scans. Real repos. No cherry-picked data.
Hall of Scans — see what GateTest found in production codebases →