Live in beta · 120 modules in the gate

Your CI just went red.
Minutes later, there's a PR with the fix.

120checks. One gate. We catch the bug, security hole, or CI rot that crashes your deploy — then open a pull request with the fix already written, tested, and pair-reviewed by a second AI.

Pay per scan — no subscription, no minimum. Built on Claude Sonnet 5.

Free preview — top 3 issues plus your Health Score. No signup, no install.

Try a samplePlayground →
github.com/your-org/your-repo/pull/248
Gate green
pull request #248
fix: define resolveTenantCapForHotPath
apps/api/src/cdn/handler.ts
- ReferenceError: not defined
+ import { resolveTenantCapForHotPath }
+   from "./quotas";
✓ 1 regression test added✓ pair-reviewed✓ 38s · ~$0.02
One gate replaces
SonarQubeSnykESLintSemgrepCodeQLDeepSource+ 6 more
6,200+
tests passing, every commit
120
modules in one gate
120/120
green on our own repo
$29+
per scan · no subscription
What you get

From red CI to merged fix — while you sleep.

Most tools tell you what's broken. We open the PR that fixes it. This is what a single GateTest run looks like, end-to-end.

Step 1·02:14 UTC
CI failed

A test breaks on main

× vapron-api.service failed
  ReferenceError: resolveTenantCapForHotPath
    is not defined
  at apps/api/src/cdn/handler.ts:65:22
  Bun v1.3.14 (Linux x64)

  ::error file=apps/api/src/cdn/handler.ts,
    line=65::ReferenceError

A real Vapron failure from 2026-05-24. The api crashed at module load. Rollback also failed.

Step 2·02:14 + 38s
GateTest working

Auto-fix runs while you sleep

  • Re-runs the gate to isolate the failing module
  • Reads the project conventions (README, AGENTS.md)
  • Generates the fix with Claude Sonnet 5
  • Validates the fix re-passes the gate
  • Writes a regression test for the bug
  • Pair-reviews the fix with a second Claude

~38 seconds, ~$0.02 in Anthropic API spend per fix on the $99 tier. Margin: 100x.

Step 3·02:15 UTC
PR opened

A fix PR lands in your repo

+ import { resolveTenantCapForHotPath }
+   from "./quotas";

  const handler = createSomething({
    tenantCapResolver:
      resolveTenantCapForHotPath,
    ...
  });

✓ Tests added (1)  ✓ Gate green

One-click “Commit suggestion” in GitHub. CI re-runs green. You wake up to a merged fix instead of a 47-message Slack thread.

No other tool ships scan + fix + regression test + pair-review + cross-finding correlation on pay-per-scan pricing. We do.

What it replaces

Twelve tools. One config.One bill.

Hover any tile to see the GateTest module that replaces it. The full table's in the breakdown below — 30+ tools across the entire QA stack.

Snyk
We replace this
--module security
OWASP + supply chain + CVE database, no SaaS lock-in.
SonarQube
We replace this
--module codeQuality
Same rules, no Java daemon, no per-seat seat tax.
ESLint
We replace this
--module lint
Plus 90 more checks ESLint never tries to run.
Cypress
We replace this
--module e2e
Browser E2E plus 89 things Cypress doesn't do.
BrowserStack
We replace this
--module compatibility
Cross-browser matrix, no monthly device farm bill.
Lighthouse
We replace this
--module performance
Perf, SEO, A11y unified — and gate-blocking, not advisory.
axe-core
We replace this
--module accessibility
WCAG 2.2 automated audit (AA + AAA-aligned) — built in, not a separate plugin.
Renovate
We replace this
--module dependencies
Polyglot freshness + CVE fix-PR, not just notifications.
Dependabot
We replace this
--module dependencies
Same scope, plus typosquats, license risks, lockfile drift.
hadolint
We replace this
--module dockerfile
Dockerfile lint + secrets + curl|sh + chmod 777 hunting.
tfsec
We replace this
--module terraform
Terraform / Pulumi / CDK security — same gate as everything else.
actionlint
We replace this
--module ciSecurity
Plus unpinned actions, pwn-request, permissions hygiene.

Head to head

The others tell you what's wrong. GateTest fixes it, proves it, and lets you drive.

CapabilityGateTestSonarQubeSnykDeepSource
Finds bugs, security holes & CI rotSnyk is dependency/security-focused~
Opens the fix as a real pull requestothers: dep bumps or suggestions only~~
Re-scans to PROVE the fix worked
You pick the AI model
Bring your own API key
Pay per scan — no per-seat tax
One gate across the whole stack120 modules, one verdict

yes · ~ partial · no. Competitor cells reflect each product's default offering as of 2026.

Jest / Vitest / MochaunitTests
Cypress / BrowserStack / Sauce Labse2e
ESLint / Stylelintlint
Snyk / npm auditsecurity
Renovate / Dependabotdependencies
hadolint / dockle / docker benchdockerfile
actionlint / StepSecurity / zizmorciSecurity
shellcheck / bashate / shfmtshell
squawk / gh-ost / pg-osc / Strong MigrationssqlMigrations
tfsec / Checkov / Terrascan / KICSterraform
kube-score / kubeaudit / Polaris / Kubeseckubernetes
LLM Guard / Lakera Guard / Rebuff (static slice)promptSafety
Promptfoo / Garak / Lakera Red (dynamic scenario testing — Forensic tier)aiGuardrails
ts-prune / knip / VulturedeadCode
gitleaks / secretlint / dotenv-lintersecretRotation
securityheaders.com / Mozilla ObservatorywebHeaders
type-coverage / @typescript-eslint/no-explicit-anytypescriptStrictness
madge --circular / dependency-cruiserimportCycle
safe-regex / recheckredos
Lighthouseperformance
axe / pa11yaccessibility
Percy / Chromaticvisual
SonarQubecodeQuality
git-secrets / truffleHogsecrets
broken-link-checkerlinks

Plus 12 more modules with no direct competitor: AI code review, fake-fix detector, mutation testing (via GitHub Action), chaos / fuzz pass (via GitHub Action), autonomous exploration, live crawling, data integrity, documentation validation, compatibility analysis, integration-test detection, CI generation, SARIF output.

The engine

What the 120 modules actually check

One command runs all 120— deterministic, zero AI tokens, under a minute. One verdict at the end. Here's what's inside the gate.

Source & quality

12

The foundation. Catches the bugs every linter and compiler should have caught but didn't.

Security

15

OWASP-grade scanning that goes beyond CVE lookups into your actual code paths.

Reliability

11

The bugs that don't break on your machine but break in production at 3am.

Web & UX

22

Surfacing the user-visible problems static analysis usually pretends don't exist.

Infrastructure

19

Catches the supply-chain takeovers, container exploits, and CI/CD foot-guns.

Developer hygiene

10

Pulls bad-process bugs out of CI before they cost a 90-minute review.

AI & advanced

9

Where deterministic scanning stops and reasoning starts. Used sparingly, not by default.

Scanning & testing

2

The classic suite — unit, integration, end-to-end — wired into the same gate as everything else.

Language coverage

9

Nine non-JS language backends. Same engine, language-aware patterns.

WordPress

6

Live-URL probes for the wp.gatetest.ai product. Run against any public WordPress site.

Live pen-test probes

Soon

Active probes against your running site. Pen Test tier only — requires explicit written authorization for the target.

The flywheel

Four layers. Compounding.

Every competitor either ships pattern matchers (cheap, brittle) or ships LLM-only fixes (slow, expensive, hallucinates). We stack four deterministic layers in front of Claude. Most fixes never reach the LLM. Margin works. Quality compounds. And every fix is re-scanned to prove it worked— we don't tell you it's fixed, we show you the green.

01~47%

AST fix

cost per fix: $0

Deterministic transforms on the parse tree.

rejectUnauthorized: false → true. httpOnly: false → true. The compiler proves correctness; no LLM needed.

02~22%

Rule fix

cost per fix: $0

Codemod recipes per finding class.

Wildcard CORS origin + credentials. Missing CSP. Cookie hardening. One regex-bounded rewrite per pattern.

03~16%

Recipe lookup

cost per fix: $0

Cached fixes from every prior scan, compounding.

When a scan resolves a novel finding, the diff is stored. Next time that finding shape arrives — local or someone else's repo — we apply the cached patch.

04~5%

Claude

cost per fix: ~$0.03

Only the genuinely novel cases reach the LLM.

Iterative loop with N retries, syntax gate, scanner re-validation, pair-review on $199+, attack-chain correlation on $399.

Self-healing CI

When CI breaks, the agent reads the failing log, walks back to the failing line, applies the right layer (AST → rule → recipe → Claude), runs the gate again, opens a PR. You review the diff and merge. The build was red for fifteen minutes; you didn't have to look at it. The recipe layer remembers, so the next time the same failure happens — your repo or someone else's — it's fixed before you see it.

How it actually works

Layer percentages are derived from our own self-scan + the four real-repo proofs in docs/proofs/. Your mileage will vary by tier and codebase shape.

You control the AI

Your key, or ours. Your model, or our pick.

The 120-module scan runs on zero AI tokens — pure deterministic speed. When a fix needs real intelligence, you decide how it's powered. No other QA tool lets you do this.

Bring your own key

Point GateTest at your own ANTHROPIC_API_KEY. You pick the model, you own the spend, and there's no cap. Calls go straight from your machine to Anthropic — never through our servers.

  • Your usage, your bill, your control
  • Any of the three models, per fix
  • Works on CLI, MCP, and the web fix route
Or use ours

No key? We supply one. Usage is metered and budget-capped — every fix is priced at the model that actually ran, so there are no surprises on the bill. Just run the scan and take the PR.

  • Nothing to set up — buy a scan and go
  • Hard budget cap — never a runaway bill
  • Fable 5 on the paid fix tiers by default

Sonnet 5

Default

Fast and cheapest. The default for scans, chat, and everyday fixes.

Opus 4.8

Deeper

Heavier reasoning when a fix is subtle or spans many files.

Fable 5

Most capable

The most capable model Anthropic ships — powers the $199 / $399 fix tiers.

SonarQube can't fix it. Snyk can't fix it. DeepSource picks the model for you. GateTest hands you the keys.

MCP tools for AI agents

Give Claude eyes, ears & hands

The three things every AI coding agent is missing — it writes UI it can't see, guesses at errors it can't read, and claims “fixed” without proof. GateTest closes all three over one connection: 24 tools driven by the full 120-module engine, in Claude Code, Cursor, Windsurf, and any MCP agent.

EYES

See the rendered page

AI agents write UI they never actually see.

capture_screenshot returns a real JPEG/PNG of the rendered page — nav, layout, font sizes, broken CTAs — so the AI reviews its work exactly like a developer looking at a browser tab.

// See the rendered page — works with localhost too
capture_screenshot({
  url: "http://localhost:3000/pricing",
  width: 390  // mobile viewport
})
// → returns an actual image the AI can see

Use after every UI change

EARS

Hear what's breaking

AI agents guess what's broken instead of reading the real errors.

get_production_errors pulls your top errors from Sentry, Datadog, or Rollbar with file:line attribution. run_live_checks catches JS errors, console warnings, API timeouts, and CSP violations on any live URL — including localhost.

// Fix what production says is broken, first
get_production_errors({ source: "all" })
// → TypeError: cart is undefined | src/checkout.ts:44 | 412 occurrences

// Or check your local dev server right now
run_live_checks({ url: "http://localhost:3000" })
// → apiHealth: 2 broken, runtimeErrors: CSP violation on /dashboard

Use before deciding what to fix

HANDS

Prove the fix worked

AI agents claim “fixed” without re-checking anything.

verify_fix picks the scan modules relevant to your changed files, re-runs them in-process, and returns a hard ✅/❌ scoped to exactly what was edited. No assumptions — proof.

// After editing — prove it actually worked
verify_fix({
  path: "/your/project",
  files: ["src/auth/session.ts"]  // exactly what you edited
})
// ✅ FIX VERIFIED — 0 error-severity findings remain
// ❌ NOT VERIFIED — secrets: hardcoded key still at line 14

Use after every code edit

Add to Claude Code in 30 seconds

Works with any MCP-compatible AI — Claude Code, Cursor, Windsurf, Continue, Cline. No account, no webhook, no infra. The engine runs in-process on your local filesystem.

$ claude mcp add gatetest -- npx @gatetest/cli --mcp
Don't trust us

Trust the green.

GateTest runs against itself on every push to main. If our own gate were red we'd have no business asking you to use it. Below is the live status panel — same shape you'll see on your repo.

crclabs-hq/gatetest  ·  main  ·  gate · 81d6382MEASURED
Our own gate
GREEN41/41 modules · 0 blocking errors · measured 2026-07-12
View CI runs
syntax
lint
secrets
codeQuality
security
ssrf
tlsSecurity
cookieSecurity
accessibility
performance
ciSecurity
dockerfile
kubernetes
dependencies
redos
money-float
...25 more modules in this scan
Scan time
89.7s
Last run
2026-07-12
Soft-fail policy
Never
Errors: 0 · Warnings: 548· Modules passed: 41/41

The self-scan workflow lives in .github/workflows/ci.yml. Bible Forbidden #24 means continue-on-error: true is banned on the gate step — so a red gate would block the commit, not just warn.

Install

Zero config. Zero ceremony.

One npx command for local. One YAML file for CI. The whole thing runs on Node 20+. No build step, no Docker image, no daemon.

60 seconds · from npx to gate
$ npx gatetest --suite quick
CLI cheat-sheet
# scan a single repo locally
$ npx @gatetest/cli --suite quick

# all 120 modules, blocking gate
$ npx @gatetest/cli --suite full

# scan a public website
$ npx @gatetest/cli --url https://yoursite.com

# watch mode — re-run on every file change
$ npx @gatetest/cli --watch
CI · GitHub Actions
# .github/workflows/gatetest.yml
name: GateTest
on: [push, pull_request]

jobs:
  gate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npx @gatetest/cli --suite full --reporter sarif
        # NOTE: do NOT add continue-on-error: true here
        # The whole point of a gate is that it gates.

Zero dependencies. Zero telemetry by default. Source is on GitHub — MIT-licensed. The CLI itself is free; the auto-fix tiers are paid.

The real math

The scanner isn't the cost. The ten tools it replaces are.

The fragmented stack

Each with its own config, dashboard, and per-seat bill.

SonarQubeSnykESLintBrowserStackLighthouse CIRenovateDependabothadolinttfsecgitleaks+ 10 more
  • · 10+ dashboards to check, 10+ invoices to reconcile
  • · Per-seat pricing — the bill grows with headcount, not usage
  • · No tool talks to the others — findings never correlate

GateTest

One engine, 120 modules, one decision.

  • One config file, one gate — pass or the build stops
  • Pay per run ($29–$399) or $49/mo continuous — no seats
  • Free forever on the CLI: npx @gatetest/cli
  • Findings correlate into attack chains no single linter sees

Enterprise plans for SonarQube + Snyk alone run well into five figures a year. GateTest bills on what you scan, not how many engineers you employ.

Real scan · real production repo

Not a demo. Here's what one run found.

575
code-quality issues
(file length, dead logs, complexity)
14
exposed secrets across
14 different files
2
critical attack chains
the correlator assembled

The 14 secrets each look survivable in isolation. GateTest's correlator connected them into two critical chains a linter would never report: hard-coded credentials in a frontend component plus an admin onboarding route → credential exposure and admin takeover; and a leaked queue-client secret in auto-deploy scripts → supply-chain takeover via CI.

Verbatim from a real scan of a production codebase — full report in docs/proofs/. We publish the receipts because "AI finds your bugs" is a crowded, over-promised space and you should be skeptical.

Why this isn't a fad

We're already on Fable 5— and the same failure modes remain. The model still can't see the rendered page, doesn't know what production is throwing, and can't prove its own fix worked. GateTest is the permanent layer around that: a deterministic gate, real senses, and proof — not a bet on one model generation.

Pay only when it fixes something

Quick and Full scans are free via the open-source CLI — npx @gatetest/cli --suite full. Pay per run only for auto-fix and deeper AI analysis, or subscribe for continuous protection.

Quick Scan

4-module rapid scan: syntax errors, lint violations, exposed secrets, and code quality. Results in seconds.

$29/ per run
  • Syntax Error Detection
  • Lint Violation Scanner
  • Secret & API Key Exposure
  • Code Quality Baseline
  • JSON / SARIF / JUnit Output
  • Scan-only (no auto-fix)

Full Scan

All 120 modules: security, supply chain, auth hardening, CI security, AI safety, and more.

$99/ per run
  • All 120 Specialized Modules
  • Security & Auth Hardening
  • Supply Chain & Dependency Audit
  • CI/CD & Container Security
  • AI Safety & Prompt Protection
  • Scan-only (no auto-fix)
Most Popular

Scan + Fix

120-module deep scan with iterative auto-fix PR, pair-review agent, and architecture annotations.

$199/ per run
  • All 120 Specialized Modules
  • Iterative Fix Loop (up to 3 retries per finding)
  • Cross-Fix Syntax + Scanner Gate
  • Regression Test Generated per Fix
  • Pair-Review Agent (4-axis critique)
  • Architecture Annotator Report
  • Automated PR with Before/After Table

Forensic Scan

Everything in Scan+Fix plus Claude-driven per-finding diagnosis, attack-chain correlation, and executive summary.

$399/ per run
  • Everything in Scan + Fix
  • Per-Finding Claude Diagnosis
  • Cross-Finding Correlation (attack chains)
  • Executive Summary (CTO-ready)
  • Board-Ready CISO Report
  • Mutation Testing via GitHub Action
  • Chaos/Fuzz Pass via GitHub Action

Subscriptions

Claude Integration

MCP Integration

Give Claude eyes, ears & hands: the full 120-module scanner inside Claude Code, Cursor, or any MCP agent — see the page, read production errors, and prove every fix worked.

$29/ per month
  • Eyes — screenshot any URL or localhost
  • Ears — pull Sentry / Datadog / Rollbar errors
  • Hands — verify_fix proves the fix worked
  • Full 120-module local scans (vs 4 free)
  • AI fix + diagnose (fix_issue, explain_finding)
  • API key delivered by email instantly

Continuous Guard

Unlimited deterministic scans on every push. AI reviews metered by monthly allowance.

$49/ per month
  • Unlimited Deterministic Push Scans
  • AI Review Allowance ($10/mo default)
  • Continuous AI Ledger Protection
  • Real-Time Pipeline Trace Feed
Coming soon

Live Security Scan — penetration testing, minus the consultancy

Point GateTest at your own live site and it will run safe, non-destructive security probes against it — the checks a penetration tester runs first, automated, repeatable, and only ever against a target you own and have authorized.

  • Authentication & session probing — login flows, cookie flags, session fixation
  • Injection canaries — safe, non-destructive SQL & XSS probes with proof-of-reach only
  • Security-header & TLS posture — CSP, HSTS, certificate chain, cipher grades
  • Exposed-surface sweep — open admin panels, debug endpoints, directory listings

Be first to know when it’s ready:

One email when it launches — nothing else. Questions? hello@gatetest.ai

FAQ

Common skeptical questions.

Answers calibrated for the engineer who showed up from a Hacker News thread. We are too.

Is this just another AI tool?
No. The deterministic engine ships first — AST, regex, file walkers across 120 modules, no LLM in the loop. Claude only enters when the deterministic layers can't resolve a finding (roughly 5% of fixes). The 4-layer flywheel architecture is the moat.
Is my code stored anywhere?
No. Scans are ephemeral. We clone, run the engine, post the report, delete the clone. The repo never leaves your CI environment when you install the GitHub Action — we never see it. For paid scans run from our infra, the working copy lives on a Vercel function for the duration of the scan and is gone when the response returns. Privacy policy.
Why not just ESLint + Snyk + the other 10 tools?
You can. Most teams do. The question is who maintains the compose-of-ten — and who pays the per-seat tax across all of them. We replace 30+ tools with one CLI, one config, one bill. See the full replacement table or compare us tool-by-tool.
Per-scan pricing — what's the catch?
None. You pay once via Stripe at checkout, we run the scan, you get the report. No subscription, no auto-renew, no per-seat billing. If the scan fails to start or crashes mid-way, contact hello@gatetest.ai — we re-run it or issue a credit at our discretion. Scan-finish rate is well above 99% on real repos, so this rarely happens.
Is the gate actually strict?
Yes. Bible Forbidden #24 outright bans continue-on-error: true on the gate step. We dog-food this: our own self-scan is a hard gate on every push to main. If a competitor lets you silently skip a failing check, that's how 80% of the wins in QA-platform marketing slip into prod anyway.
Can I trust an AI to repair my CI?
The fix-flow is layered for exactly that reason: AST → rule recipe → cached pattern → Claude. Each layer's output passes a syntax gate and a scanner re-validation gate before the PR opens. Claude never auto-merges — it opens a PR you review. At the $199+ tiers a second Claude pair-reviews every fix on a 4-axis rubric (correctness, completeness, readability, test coverage). Real outputs are documented in docs/proofs/.

Still have questions? hello@gatetest.ai · file an issue

The Stack

One team. Three products. Zero lock-in.

GateTest keeps your code honest. Gluecron hosts your git. Vapron runs your scheduled jobs. Each stands alone — together they cover the whole “real software in production” problem.

Gc

Gluecron

gluecron.com

The git host built around Claude.

Git hosting built for small teams — no tickets, no politics. GateTest is wired into it natively: every push lands on Gluecron's Signal Bus and triggers a scan from the same queue that serves GitHub.

  • Push-to-scan: GateTest gates merges natively
  • Built by the same team, used every day
  • Independent product — no bundle lock-in

Dogfooded hard: GateTest's Forensic scan ran against Gluecron's own codebase — full findings published in the Hall of Scans.

V

Vapron

vapron.ai

Scheduled jobs that actually run. Cron with receipts.

AI-native, edge-first, zero ops. The cron and background jobs that power your product — run with receipts, so "did the job fire?" is never a mystery again.

  • Production scheduling without babysitting
  • GateTest guards its codebase on every push
  • Independent product — use it alone or together

Dogfooded hard: the live demo on this page replays a real Vapron failure that GateTest caught and fixed. Full scan in the Hall of Scans.

Scans every major framework, runtime, and infra primitive

Next.jsReactVueExpressFastifyNestPrismaDrizzleMongoPostgresDockerKubernetesTerraformAWSGCPAzurePythonGoRustJavaRubyPHPC#KotlinSwift

Eaten our own dog food

GateTest currently protects Vapron.ai and Gluecron.com as a CI gate.

Same engine, same rules, same gate. The integration script is published — feel free to clone the workflow.