120 modules · 6 tiers · no subscription

The QA gate
your CI is missing.

GateTest catches the bug patterns that slip through code review — race conditions, money stored in floats, secrets past rotation, async-iteration footguns, CI supply-chain vectors. One gate. Real findings. Auto-fix PR on every failure.

terminal
$ gatetest scan --suite quick --diff
GateTest v1.57.0 — 120 modules, Claude Sonnet 4.6
Scanning 14 changed files vs main...
[PASS] syntax
[PASS] lint
[FAIL] secrets — 2 issues
[FAIL] asyncIteration — 1 issue
ERR secrets › src/billing/stripe.ts:47
STRIPE_SECRET_KEY older than 90 days — rotate now
ERR secrets › .github/workflows/deploy.yml:12
Unpinned action + write GITHUB_TOKEN + shell injection
WARN asyncIteration › src/jobs/process.ts:83
forEach(async ...) — errors swallowed, events out of order
3 issues · 2 errors · 1 warning · 8.3s
1,564
real issues found
9
critical attack chains
110
modules
<30s
quick scan

What it catches

The patterns code review misses because they're invisible in a diff.

💸Money in floatsmoneyFloat

parseFloat() on billing amounts — sub-cent drift becomes fraud at scale. Finds it across JS + Python with safe-harbour for decimal.js / big.js.

🔑Secrets + rotation agesecrets

Credentials older than 90 days flagged as error. Git-history dated, not guessed. Catches the ones that outlived the breach.

Race conditionsraceCondition

findOne → create with no transaction or ON CONFLICT guard. The duplicate-insert bug you hit only in prod under load.

🔁Async-iteration bugsasyncIteration

forEach(async ...) — errors swallowed, events processed out of order. Also catches .filter(async) returning Promise-truthy nonsense.

🚨CI supply-chainciSecurity

Unpinned GitHub Actions + write-scope GITHUB_TOKEN + ${{ github.event }} shell injection. The attack chain that hits unattended CI.

📦N+1 queriesnPlusOne

Database calls inside map/forEach/for loops across Prisma, TypeORM, Sequelize, Mongoose, Drizzle. Understands Promise.all batching.

🌀Circular importsimportCycle

Tarjan SCC across your full import graph. Finds the cycle that reproduces randomly depending on module-cache warmth.

🍪Session securitycookieSecurity

httpOnly:false, secure:false, placeholder secrets. Turns XSS into session takeover. Django / Express / FastAPI all covered.

🔥Error swallowingerrorSwallow

Empty catch blocks, .catch(noop), fire-and-forget .save() with no await. Failure becomes invisible success.

📡SSRF vectorsssrf

User input flowing into fetch() without hostname validation. Taint-tracks across assignments — not just inline calls.

💾ReDoS patternsredos

Nested quantifiers, overlapping alternation, user-controlled regex construction. Catastrophic backtracking before it hits prod.

Cron expression bugscronExpression

Invalid field ranges, impossible dates (Feb 30), typo aliases (@weely). The silent-failure class nobody checks.

+ 98 more modules across security, CI/CD, TypeScript, async patterns, and runtime correctness.

try it on your own repo — 10 seconds, no signup

Public repos: paste your GitHub URL into the free preview scan.

Open free preview →

Any repo (public or private): install the CLI once, then scan locally.

$ curl -sSL https://raw.githubusercontent.com/crclabs-hq/gatetest/main/integrations/scripts/install.sh | bash
$ gatetest scan --suite quick --diff

Requires Node 20+. Scans in memory — code never leaves your machine.

add to CI — 30 secondsdrops workflow + pre-push hook

One command adds a GitHub Actions workflow, pre-push hook, and protection marker. Works on any public or private repo.

curl -sSL https://raw.githubusercontent.com/crclabs-hq/gatetest/main/integrations/scripts/install.sh | bash
Workflow added
.github/workflows/gatetest-gate.yml — runs quick scan on every PR
Pre-push hook
.husky/pre-push — advisory output before you push, CI is the gate
Protection marker
.gatetest.json — tells Claude sessions this repo is protected

Private repos — install the GitHub App

One click. Auto-scans every push and PR. Results posted as commit statuses and PR comments. Findings show as inline annotations in the diff.

Install GitHub App →

Real scans. Real repos. No cherry-picked data.

Hall of Scans — see what GateTest found in production codebases →