All 119 modules

One scan. 119 modules. Every QA check unified.

GateTest runs 119 distinct checks against your codebase — security, infrastructure, accessibility, performance, code quality, AI-app safety, and more. Each module is the GateTest equivalent of a separate tool: Snyk, SonarQube, Semgrep, ESLint, hadolint, kube-score, axe, Lighthouse, and 20 more. One config, one bill.

Click any module to see what it catches, example findings, pricing tiers it's included on, and how the AI auto-fix loop handles it.

Source & quality

The foundation. Catches the bugs every linter and compiler should have caught but didn't.

12 modules in this category

Security

OWASP-grade scanning that goes beyond CVE lookups into your actual code paths.

15 modules in this category

Security
security
OWASP patterns, XSS, SQL injection, innerHTML, shell exec, Docker misconfigs.
Secrets
secrets
AWS keys, GitHub tokens, Stripe keys, passwords, private keys, DB strings.
Secret Rotation
secretRotation
Long-lived credentials in git, .env drift, placeholder/real example mismatch.
Ssrf
ssrf
User-controlled URLs handed to fetch/axios/got/node-http without validation.
Tls Security
tlsSecurity
rejectUnauthorized:false, verify=False, NODE_TLS_REJECT_UNAUTHORIZED=0.
Cookie Security
cookieSecurity
httpOnly:false, weak session secrets, SESSION_COOKIE_* misconfigs.
Redos
redos
Catastrophic-regex detector: nested quantifiers, overlapping alternation, user-controlled patterns.
Auth Bypass
authBypass
Routes missing authentication.
Cross File Taint
crossFileTaint
Cross-file taint analysis — user input → dangerous sinks across module boundaries.
Webhook Payload
webhookPayload
Webhook handlers that use req.body without validation.
Log Pii
logPii
Credentials, tokens, and request objects logged in plaintext.
Wp Exposed Files
wpExposedFiles
WordPress: sensitive files exposed via public webroot (wp-config.php.bak, debug.log, .git, .env, SQL backups).
Wp Xmlrpc Exposed
wpXmlrpcExposed
WordPress: /xmlrpc.php exposed (brute-force amplification + DDoS reflector + auth-bypass surface).
Wp Malware Patterns
wpMalwarePatterns
WordPress: rendered HTML/JS scanned for known malware signatures (eval(atob), hidden iframes, base64 payloads).
Wp Admin Protection
wpAdminProtection
WordPress: /wp-admin and /wp-login.php checked for rate limit / WAF / 2FA / cookie hardening.

Reliability

The bugs that don't break on your machine but break in production at 3am.

11 modules in this category

Web & UX

Surfacing the user-visible problems static analysis usually pretends don't exist.

22 modules in this category

Accessibility
accessibility
WCAG 2.2 automated audit (AA + AAA-aligned) — missing alt text, ARIA labels, keyboard traps, heading hierarchy.
Performance
performance
Dependency count, bundle size analysis, image optimisation checks.
Visual
visual
Visual & UI Regression Testing.
Seo
seo
Meta tags, Open Graph, structured data, robots.txt, canonical URLs.
Links
links
Every broken href — dead anchors, placeholder links, 404s.
Compatibility
compatibility
Browser matrix validation. Modern API and CSS features without polyfills.
E2e
e2e
End-to-End Test Execution.
Live Crawler
liveCrawler
Live site crawl — 404 / 500 / broken-image / redirect-chain on the live URL.
Explorer
explorer
Autonomous Interactive Element Explorer — clicks every button + form + dropdown via Playwright.
Runtime Errors
runtimeErrors
Live browser runtime errors — uncaught JS, console.error/warn, network 4xx/5xx, CSP violations, hydration mismatches.
Visual Regression
visualRegression
Full-page screenshot diffing at desktop + mobile widths against a stored baseline — catches redesigns and broken layouts no DOM ch
Interactive Elements
interactiveElements
Live link + button crawler — HTTP-verifies every internal link, click-tests every button with a destructive-action skip list (dele
Api Health
apiHealth
Hits every discovered API endpoint with valid + missing-parameter requests — checks status codes, response time, and JSON vs HTML
Performance Budget
performanceBudget
Live TTFB / LCP / CLS / page-weight budget check against a real URL — median of 3 runs with a cold-start warm-up first.
Mobile Rendering
mobileRendering
Horizontal-overflow and unreadable-text checks across 5 device widths (390/414/768/1024/1280) — absolute checks, not a diff.
Form Testing
formTesting
Fills and submits every SAFE form (contact, newsletter, search, feedback) and verifies a real success signal. Payment-shaped, auth
Console Errors
consoleErrors
Site-wide crawl aggregating console errors/warnings across every page visited — fingerprints and dedupes the same error across pag
Design System Compliance
designSystemCompliance
Audits live computed styles for near-duplicate colors, off-grid spacing, and type-scale drift — catches design-token erosion no pi
Cross Browser
crossBrowser
Runs the same page load across Chromium, Firefox, and WebKit and diffs navigation success, runtime errors, and rendering against C
Chaos
chaos
Chaos & Resilience Testing — slow network, API failure, offline, missing resources, server timeouts. Runs via the GitHub Action wh
Web Headers
webHeaders
CSP/HSTS/XFO/CORS misconfig across Next.js, Vercel, Netlify, Express, Fastify, nginx.
Cache Headers
cacheHeaders
Cache Headers & CDN Configuration.

Infrastructure

Catches the supply-chain takeovers, container exploits, and CI/CD foot-guns.

18 modules in this category

Dependencies
dependencies
Supply-chain hygiene across npm, pip, Pipenv, Poetry, go.mod, Cargo, Bundler, Composer, Maven, Gradle.
Dockerfile
dockerfile
Root user, :latest tags, curl|sh, apt hygiene, secrets-in-layers, cache bloat.
Ci Security
ciSecurity
GitHub Actions hardening — action pinning, pwn-request, shell injection, secrets-in-logs, permissions.
Ci Param Validator
ciParamValidator
Validates GitHub Actions with: inputs against action schemas.
Shell
shell
Shell script security — curl|sh, unsafe rm, eval injection, hardcoded secrets, set -e, POSIX compliance.
Bash Safety
bashSafety
Bash / Shell Error-Swallow Detector.
Sql Migrations
sqlMigrations
Drop column/table, non-concurrent indexes, NOT NULL without default, blocking constraints, rolling-deploy renames.
Terraform
terraform
Public buckets, wildcard ingress, hardcoded secrets, missing encryption, IAM wildcards.
Kubernetes
kubernetes
Privileged pods, host namespaces, :latest images, missing limits/probes, dangerous caps.
Systemd
systemd
Systemd Unit File Validator.
Deploy Script Validator
deployScriptValidator
Health-check URL consistency.
Service Consistency
serviceConsistency
ExecStart / Procfile / PM2 vs package.json start script.
Deploy Contract
deployContract
Deploy Contract Validator.
Deploy Readiness
deployReadiness
Aggregate 0-100 deployment confidence score.
Native Bundler Guard
nativeBundlerGuard
Native Node addons that cannot be bundled.
Bundle Size
bundleSize
JS bundles exceeding size budgets.
Env Integrity
envIntegrity
Env-File Integrity Linter.
Prompt Safety
promptSafety
Browser-exposed API keys, unbounded max_tokens, prompt-injection surfaces, deprecated models.

Developer hygiene

Pulls bad-process bugs out of CI before they cost a 90-minute review.

10 modules in this category

AI & advanced

Where deterministic scanning stops and reasoning starts. Used sparingly, not by default.

9 modules in this category

Scanning & testing

The classic suite — unit, integration, end-to-end — wired into the same gate as everything else.

2 modules in this category

Language coverage

Nine non-JS language backends. Same engine, language-aware patterns.

9 modules in this category

WordPress

Live-URL probes for the wp.gatetest.ai product. Run against any public WordPress site.

6 modules in this category

Live pen-test probes

Active probes against your running site. Pen Test tier only — requires explicit written authorization for the target.

5 modules in this category

119 checks. One scan. From $29.

Per-scan pricing. No subscription. AI auto-fix PR on the Scan + Fix and Forensic Scan tiers.