Your CI just went red.
By morning, there's a PR with the fix.
110 checks, one gate, auto-fix PRs in 60 seconds.
We catch the bugs, security issues, and CI rot that crash your deploy. Then we open a pull request with the fix already written, tested, and pair-reviewed by a second AI. Pay per scan — no subscription, no minimum.
Built on Claude Sonnet 4 — the model that wins SWE-bench Verified, not the most expensive one in the lineup. We tested. We picked the model that actually fixes bugs.
Net effect: every tier ships ~5x deeper analysis at the same price.
Free preview — top 3 issues plus your Health Score. No signup, no install.
Want a repo scan instead? Pick a tier ↓ or install the GitHub App.
From red CI to merged fix — while you sleep.
Most tools tell you what's broken. We open the PR that fixes it. This is what a single GateTest run looks like, end-to-end.
A test breaks on main
× crontech-api.service failed
ReferenceError: resolveTenantCapForHotPath
is not defined
at apps/api/src/cdn/handler.ts:65:22
Bun v1.3.14 (Linux x64)
::error file=apps/api/src/cdn/handler.ts,
line=65::ReferenceErrorA real Crontech failure from 2026-05-24. The api crashed at module load. Rollback also failed.
Auto-fix runs while you sleep
- Re-runs the gate to isolate the failing module
- Reads the project conventions (README, AGENTS.md)
- Generates the fix with Claude Sonnet 4
- Validates the fix re-passes the gate
- Writes a regression test for the bug
- Pair-reviews the fix with a second Claude
~38 seconds, ~$0.02 in Anthropic API spend per fix on the $99 tier. Margin: 100x.
A fix PR lands in your repo
+ import { resolveTenantCapForHotPath }
+ from "./quotas";
const handler = createSomething({
tenantCapResolver:
resolveTenantCapForHotPath,
...
});
✓ Tests added (1) ✓ Gate greenOne-click “Commit suggestion” in GitHub. CI re-runs green. You wake up to a merged fix instead of a 47-message Slack thread.
No other tool ships scan + fix + regression test + pair-review + cross-finding correlation on pay-per-scan pricing. We do.
Twelve tools. One config.
One bill.
Hover any tile to see the GateTest module that replaces it. The full table's in the breakdown below — 30+ tools across the entire QA stack.
--module security--module codeQuality--module lint--module e2e--module compatibility--module performance--module accessibility--module dependencies--module dependencies--module dockerfile--module terraform--module ciSecurityunitTestse2elintsecuritydependenciesdockerfileciSecurityshellsqlMigrationsterraformkubernetespromptSafetyaiGuardrailsdeadCodesecretRotationwebHeaderstypescriptStrictnessimportCycleredosperformanceaccessibilityvisualcodeQualitysecretslinksPlus 12 more modules with no direct competitor: AI code review, fake-fix detector, mutation testing, chaos / fuzz pass, autonomous exploration, live crawling, data integrity, documentation validation, compatibility analysis, integration-test detection, CI generation, SARIF output.
Four layers. Compounding.
Every competitor either ships pattern matchers (cheap, brittle) or ships LLM-only fixes (slow, expensive, hallucinates). We stack four deterministic layers in front of Claude. Most fixes never reach the LLM. Margin works. Quality compounds.
AST fix
Deterministic transforms on the parse tree.
rejectUnauthorized: false → true. httpOnly: false → true. The compiler proves correctness; no LLM needed.
Rule fix
Codemod recipes per finding class.
Wildcard CORS origin + credentials. Missing CSP. Cookie hardening. One regex-bounded rewrite per pattern.
Recipe lookup
Cached fixes from every prior scan, compounding.
When a scan resolves a novel finding, the diff is stored. Next time that finding shape arrives — local or someone else's repo — we apply the cached patch.
Claude
Only the genuinely novel cases reach the LLM.
Iterative loop with N retries, syntax gate, scanner re-validation, pair-review on $199+, attack-chain correlation on $399.
Self-healing CI
When CI breaks, the agent reads the failing log, walks back to the failing line, applies the right layer (AST → rule → recipe → Claude), runs the gate again, opens a PR. You review the diff and merge. The build was red for fifteen minutes; you didn't have to look at it. The recipe layer remembers, so the next time the same failure happens — your repo or someone else's — it's fixed before you see it.
How it actually worksLayer percentages are derived from our own self-scan + the four real-repo proofs in docs/proofs/. Your mileage will vary by tier and codebase shape.
Trust the green.
GateTest runs against itself on every push to main. If our own gate were red we'd have no business asking you to use it. Below is the live status panel — same shape you'll see on your repo.
The self-scan workflow lives in .github/workflows/ci.yml. Bible Forbidden #24 means continue-on-error: true is banned on the gate step — so a red gate would block the commit, not just warn.
Zero config. Zero ceremony.
One npx command for local. One YAML file for CI. The whole thing runs on Node 20+. No build step, no Docker image, no daemon.
$ npx gatetest --suite quick# scan a single repo locally
$ npx gatetest --suite quick
# all 110 modules, blocking gate
$ npx gatetest --suite full
# scan a public website
$ npx gatetest --url https://yoursite.com
# watch mode — re-run on every file change
$ npx gatetest --watch
# .github/workflows/gatetest.yml
name: GateTest
on: [push, pull_request]
jobs:
gate:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: 20
- run: npx gatetest --suite full --reporter sarif
# NOTE: do NOT add continue-on-error: true here
# The whole point of a gate is that it gates.
Zero dependencies. Zero telemetry by default. Source is on GitHub — MIT-licensed. The CLI itself is free; the auto-fix tiers are paid.
Pay when it's done. Not before.
One-time payment per scan via Stripe. We run the scan and deliver the report. On Scan + Fix and Forensic Scan tiers Claude also opens the fix PR. No subscription, no auto-renew.
2. Choose a scan tier below
Quick Scan
Essential checks. Syntax, linting, secrets, and code quality. Scan-only — no auto-fix.
By continuing you agree to our Terms, Privacy Policy, and Refund Policy.
- ✓Syntax & compilation validation
- ✓Linting checks
- ✓Secret & credential detection
- ✓Code quality analysis
- ✓Detailed report with file & line numbers
- ✓Scan-only — auto-fix is a Scan + Fix tier feature
- ✓Per-scan payment — no subscription
Full Scan
Every module. Security, accessibility, SEO, AI code review, and more. Scan-only — no auto-fix.
By continuing you agree to our Terms, Privacy Policy, and Refund Policy.
- ✓Everything in Quick Scan
- ✓Security (OWASP, XSS, SQLi, SSRF, ReDoS, TLS, cookies)
- ✓Accessibility (WCAG 2.2 automated audit — AA + AAA-aligned)
- ✓Supply chain — typosquats + license compliance
- ✓IaC security — Dockerfile, K8s, Terraform
- ✓CI/CD hardening — unpinned actions, permissions
- ✓Auth flaws — JWT, bcrypt, cookies
- ✓Migration safety — dangerous SQL patterns
- ✓Flaky test detector
- ✓AI code review by Claude
- ✓Scan-only — auto-fix is a Scan + Fix tier feature
Scan + Fix
Full Scan plus a second-Claude pair-review on every fix and a codebase-shape architecture report.
By continuing you agree to our Terms, Privacy Policy, and Refund Policy.
- ✓Everything in Full Scan
- ✓Pair-review critique on every fix — second Claude scores correctness, completeness, readability, test coverage
- ✓Architecture annotator — design observations on codebase shape (layering, duplication, god objects)
- ✓Both reports posted as separate PR comments
- ✓Iterative fix loop with N retries — Claude learns from its own failed attempts
- ✓Cross-file syntax + scanner gates — broken fixes never ship
- ✓Regression test for every fix — your suite gets stronger when you merge
Forensic Scan
The deepest scan we offer. Real Claude diagnosis, attack-chain correlation, board-ready CISO report, executive summary.
By continuing you agree to our Terms, Privacy Policy, and Refund Policy.
- ✓Everything in Scan + Fix
- ✓Real Claude diagnosis on every finding — no templated snippets, every fix reasoned from your specific evidence
- ✓Cross-finding attack-chain correlation — textbook session-forgery / supply-chain / rotation-impossible vectors that per-finding scanners can never see
- ✓CTO-readable executive summary — single document, plain language, real recommendations
- ✓Board-ready CISO report (OWASP Top 10, SOC2, CIS v8, 30/60/90-day roadmap) — attached to every PR
- ✓Best margin if you're shipping money or PII — the $399 hits all the high-stakes bug classes
- ✓Also available via the GitHub Action: mutation testing (mutates your source against your tests) and chaos / fuzz pass (adversarial inputs against HTTP routes, CLI args, file parsers) — runs wherever your CI runs, set mutation: true / chaos: true on the action
Self-hosted scanner · private infra · SLA
Everything in Forensic Scan, run inside your network or VPC. Dedicated account manager, signed SLA, custom modules, custom suppression policies, audit log export. For regulated industries (fintech, healthcare, defence) and orgs with strict data-residency rules.
- ✓On-prem or private-VPC deployment
- ✓Dedicated infra, no shared compute
- ✓Signed SLA, support response targets
- ✓Custom modules + suppression policies
Pen Test · live exploit probes · $999
Everything in Forensic Scan, PLUS live active probing of your URL with industry-standard payload classes — SQL injection (error/boolean/timing), reflected XSS, path traversal, IDOR, auth-bypass headers, open redirect, CSRF. Signed Rules of Engagement, DNS-TXT ownership verification, full audit trail. Most of the value of a $5,000 human pen test for $999.
- · Live payload probes (non-destructive)
- · DNS-TXT domain-ownership verification
- · Signed Rules of Engagement
- · Per-host rate limiting (don't take down your prod)
- · Cryptographic audit log of every probe
Continuous
Scan every push. Weekly scheduled deep scan. Email on score regression.
- ✓Scan on every push (GitHub App or Gluecron-host)
- ✓Weekly full-suite scheduled scan
- ✓Email + Slack on score regression
- ✓Trend dashboard — see your gate getting greener week-over-week
All scans include a detailed report. The AI fix PR is included on the Scan + Fix ($199) and Forensic Scan ($399) tiers. Per-scan payment via Stripe. Once a scan delivers, the service is rendered — refunds at our discretion for non-delivery only.
Common skeptical questions.
Answers calibrated for the engineer who showed up from a Hacker News thread. We are too.
Is this just another AI tool?
Is my code stored anywhere?
Why not just ESLint + Snyk + the other 10 tools?
Per-scan pricing — what's the catch?
Is the gate actually strict?
continue-on-error: true on the gate step. We dog-food this: our own self-scan is a hard gate on every push to main. If a competitor lets you silently skip a failing check, that's how 80% of the wins in QA-platform marketing slip into prod anyway.Can I trust an AI to repair my CI?
docs/proofs/.Still have questions? hello@gatetest.ai · file an issue
Scans every major framework, runtime, and infra primitive
Eaten our own dog food
GateTest currently protects Crontech.ai and Gluecron.com as a CI gate.
Same engine, same rules, same gate. The integration script is published — feel free to clone the workflow.