Framework-specific scanning

Code Quality for Next.js Applications

GateTest understands Next.js — App Router conventions, server actions, Vercel deployment config, next.config.js security headers, and NEXT_PUBLIC_* environment variable exposure. 102 modules built for the way modern Next.js apps are actually structured.

Modules built for Next.js

These modules have first-class Next.js awareness. Each applies to all JS/TS projects, but understands Next.js-specific patterns.

typescriptStrictness

TypeScript Strict Mode

Quality

Catches tsconfig regressions — strict: false, noImplicitAny: false, skipLibCheck: true. Flags @ts-ignore abuse and any-type leaks in exported signatures.

importCycle

Import Cycle Detection

Reliability

Finds circular imports across App Router pages, layouts, components, and server actions. Uses Tarjan's SCC algorithm — catches the bugs that reproduce randomly based on module-cache order.

webHeaders

Security Headers

Security

Reads next.config.js headers() export and vercel.json. Flags CSP unsafe-eval/unsafe-inline, wildcard CORS with credentials, HSTS max-age below 180 days, missing X-Content-Type-Options.

deadCode

Dead Code / Unused Exports

Quality

Finds unused exports and orphaned files. Understands Next.js App Router conventions — page.tsx, layout.tsx, route.ts, loading.tsx, error.tsx, robots.ts, sitemap.ts are always live exports.

openapiDrift

API Route Drift

Quality

Cross-references openapi.yaml against your app/api/**/route.ts handlers with exported GET/POST/PUT/DELETE functions. Flags undocumented routes and spec ghost routes.

envVars

Env Var Contract

Security

Compares .env.example against actual process.env reads in your codebase. Flags NEXT_PUBLIC_* client-bundled keys, undeclared vars, and declared-but-unreferenced secrets.

accessibility

Accessibility (WCAG 2.2 automated audit — AA + AAA-aligned)

UX

Full accessibility audit — missing alt text, ARIA label gaps, keyboard navigation, focus indicators, color contrast, and structured landmark regions.

performance

Core Web Vitals

Performance

Lighthouse-equivalent performance analysis — LCP, CLS, FID, bundle size, image optimization, font loading, and render-blocking resources.

promptSafety

AI Safety (for AI-powered apps)

Security

Catches NEXT_PUBLIC_* API keys being bundled to the client, missing max_tokens (cost DoS), prompt injection surfaces from user input, deprecated AI models.

cookieSecurity

Cookie & Session Security

Security

Flags httpOnly: false, secure: false, and weak session secrets like 'changeme' or 'keyboard cat' in Next.js session options and API route cookie handlers.

Real bugs in real Next.js apps

error
NEXT_PUBLIC_ANTHROPIC_KEY exposed in client bundle
envVars + promptSafety

Any NEXT_PUBLIC_* variable is bundled into JavaScript sent to every user's browser. GateTest flags this at the CI gate before it reaches production.

error
import cycle: app/components/Modal → app/lib/auth → app/components/Modal
importCycle

Circular imports in Next.js cause random 'undefined' values depending on module-cache initialization order. Tarjan's SCC finds every cycle — not just the obvious ones.
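
An added example, not GateTest's own code: Tarjan's SCC run over a constructed import graph that contains the Modal/auth cycle above plus an indirect three-module cycle. The graph shape (module path mapped to the paths it imports) and the function name are assumptions for illustration.

```javascript
// Tarjan's strongly connected components over an import graph (added example).
// Assumed input: { modulePath: [importedModulePath, ...] }.
function findImportCycles(graph) {
  let counter = 0;
  const index = new Map();   // discovery order of each module
  const low = new Map();     // lowest discovery index reachable from the module
  const stack = [];
  const onStack = new Set();
  const cycles = [];
  function visit(node) {
    index.set(node, counter);
    low.set(node, counter);
    counter++;
    stack.push(node);
    onStack.add(node);
    for (const dep of graph[node] || []) {
      if (!index.has(dep)) {
        visit(dep);
        low.set(node, Math.min(low.get(node), low.get(dep)));
      } else if (onStack.has(dep)) {
        low.set(node, Math.min(low.get(node), index.get(dep)));
      }
    }
    // node is the root of a component: pop the whole component off the stack.
    if (low.get(node) === index.get(node)) {
      const component = [];
      let member;
      do {
        member = stack.pop();
        onStack.delete(member);
        component.push(member);
      } while (member !== node);
      // A single module is only a cycle if it imports itself.
      const selfImport = (graph[node] || []).includes(node);
      if (component.length > 1 || selfImport) cycles.push(component.sort());
    }
  }
  for (const node of Object.keys(graph)) if (!index.has(node)) visit(node);
  return cycles;
}
// Constructed graph: the Modal/auth cycle from the text plus db -> cache -> log -> db.
const importGraph = {
  'app/page': ['app/components/Modal', 'app/lib/db'],
  'app/components/Modal': ['app/lib/auth'],
  'app/lib/auth': ['app/components/Modal', 'app/lib/db'],
  'app/lib/db': ['app/lib/cache'],
  'app/lib/cache': ['app/lib/log'],
  'app/lib/log': ['app/lib/db'],
};
console.log(findImportCycles(importGraph));
```

Every module in a reported component can reach every other one through imports, which is why the three-module loop is caught even though no two of its files import each other directly.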

warning
CSP header missing 'upgrade-insecure-requests' in next.config.js
webHeaders

GateTest reads your next.config.js headers() export and validates the full Content Security Policy against OWASP recommendations.

error
await prisma.user.findMany() inside users.map(async u => ...)
nPlusOne

N+1 queries in Next.js Server Components and API routes are invisible to linters. GateTest detects database calls inside loop bodies — including .map(), .forEach(), .filter(), and for loops.

Frequently asked questions

Does GateTest understand Next.js App Router conventions?

Yes. GateTest's dead-code module recognises Next.js App Router reserved exports — page.tsx, layout.tsx, route.ts, loading.tsx, error.tsx, not-found.tsx, robots.ts, sitemap.ts, opengraph-image.tsx — and never flags them as unused, even if nothing explicitly imports them. The openapi-drift module harvests routes from app/api/**/route.ts files with exported HTTP method functions.

Does GateTest check my next.config.js for security issues?

Yes. The webHeaders module reads next.config.js (including the headers() async function), vercel.json, and _headers files. It flags: CSP with unsafe-eval (permits eval()-style execution of strings as code) or unsafe-inline (XSS risk), wildcard Access-Control-Allow-Origin combined with credentials: true (CORS credential leakage), HSTS max-age below 180 days (HSTS preload ineligible), and missing X-Content-Type-Options (MIME-sniffing attacks).
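
The four checks listed above, written as an added example (not GateTest's implementation). It takes rules in the shape that next.config.js headers() returns; the function name, finding ids and sample config are constructed for illustration.

```javascript
// Audits header rules shaped like the return value of next.config.js headers().
// Added example; the 180-day threshold comes from the text above.
const MIN_HSTS_SECONDS = 180 * 24 * 60 * 60;
function auditHeaderRules(rules) {
  const findings = [];
  for (const rule of rules) {
    // Header names are case-insensitive, so normalise before lookup.
    const h = new Map(rule.headers.map(({ key, value }) => [key.toLowerCase(), String(value)]));
    const flag = (id, detail) => findings.push({ source: rule.source, id, detail });
    const csp = h.get('content-security-policy');
    for (const kw of ["'unsafe-eval'", "'unsafe-inline'"]) {
      if (csp && csp.includes(kw)) flag('csp-' + kw.replace(/'/g, ''), 'CSP allows ' + kw);
    }
    if (h.get('access-control-allow-origin') === '*' &&
        (h.get('access-control-allow-credentials') || '').toLowerCase() === 'true') {
      flag('cors-wildcard-credentials', 'wildcard origin combined with credentials');
    }
    const hsts = h.get('strict-transport-security');
    if (hsts) {
      const m = /max-age\s*=\s*"?(\d+)/i.exec(hsts);
      const age = m ? Number(m[1]) : 0; // unparsable max-age is treated as 0
      if (age < MIN_HSTS_SECONDS) flag('hsts-short', 'max-age=' + age + ' is below 180 days');
    }
    if ((h.get('x-content-type-options') || '').toLowerCase() !== 'nosniff') {
      flag('nosniff-missing', 'X-Content-Type-Options: nosniff not set');
    }
  }
  return findings;
}
// Constructed sample config (not from a real project).
const sampleRules = [
  { source: '/(.*)', headers: [
    { key: 'Content-Security-Policy', value: "default-src 'self'; script-src 'self' 'unsafe-eval'" },
    { key: 'Strict-Transport-Security', value: 'max-age=86400; includeSubDomains' },
  ] },
  { source: '/api/:path*', headers: [
    { key: 'Access-Control-Allow-Origin', value: '*' },
    { key: 'Access-Control-Allow-Credentials', value: 'true' },
    { key: 'X-Content-Type-Options', value: 'nosniff' },
  ] },
];
console.log(auditHeaderRules(sampleRules).map((f) => f.source + ': ' + f.id));
```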

Can GateTest detect environment variable issues in Next.js apps?

Yes. The envVars module cross-references your .env.example, vercel.json env declarations, and actual process.env.* reads in source code. For Next.js specifically, it flags NEXT_PUBLIC_* variables — these are bundled into client JavaScript and visible to all users. If you accidentally declare NEXT_PUBLIC_STRIPE_SECRET_KEY, GateTest catches it before it ships.
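
The cross-reference described above, as an added example that is not GateTest's code. The secret-name pattern, the in-memory file map and the function names are assumptions for illustration; vercel.json declarations are left out.

```javascript
// Env-var contract check (added example). SECRET_HINT is an assumed heuristic
// for names that should never carry the NEXT_PUBLIC_ prefix.
const SECRET_HINT = /(SECRET|PRIVATE|TOKEN|PASSWORD|API_?KEY|_KEY$)/;
function parseEnvExample(text) {
  const names = new Set();
  for (const line of text.split(/\r?\n/)) {
    const m = /^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=/.exec(line);
    if (m) names.add(m[1]); // comment and blank lines never match
  }
  return names;
}
function checkEnvContract(envExampleText, sources) {
  const declared = parseEnvExample(envExampleText);
  const reads = new Map(); // variable name -> files that read it
  const readPattern = /process\.env\.([A-Za-z_][A-Za-z0-9_]*)|process\.env\[['"]([^'"]+)['"]\]/g;
  for (const [file, code] of Object.entries(sources)) {
    for (const m of code.matchAll(readPattern)) {
      const name = m[1] || m[2];
      if (!reads.has(name)) reads.set(name, []);
      reads.get(name).push(file);
    }
  }
  const findings = [];
  for (const name of new Set([...declared, ...reads.keys()])) {
    if (name.startsWith('NEXT_PUBLIC_') && SECRET_HINT.test(name)) {
      findings.push({ name, issue: 'client-bundled-secret' });
    }
    if (!declared.has(name)) findings.push({ name, issue: 'undeclared' });
    else if (!reads.has(name)) findings.push({ name, issue: 'unreferenced' });
  }
  return findings;
}
// Constructed .env.example and source files (not from a real project).
const envExample = [
  '# constructed sample',
  'DATABASE_URL=',
  'NEXT_PUBLIC_STRIPE_SECRET_KEY=',
  'LEGACY_SMTP_PASSWORD=',
].join('\n');
const sampleSources = {
  'app/api/pay/route.ts':
    'const k = process.env.NEXT_PUBLIC_STRIPE_SECRET_KEY; const db = process.env["DATABASE_URL"];',
  'app/lib/mail.ts': 'const host = process.env.SMTP_HOST;',
};
console.log(checkEnvContract(envExample, sampleSources));
```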

Does GateTest validate TypeScript strictness for Next.js projects?

Yes. The typescriptStrictness module walks your tsconfig.json (including JSONC with comments), tsconfig.app.json, tsconfig.node.json, and any tsconfig.*.json files. It catches: strict: false (error), noImplicitAny: false (error), @ts-nocheck annotations (error), and unreasoned @ts-ignore without an explanation comment (warning). Test tsconfig files are allowed to relax strictness — production configs are not.

Does GateTest scan Next.js Server Actions?

Server Actions are TypeScript/JavaScript source files — all GateTest source-code modules apply: security patterns, N+1 query detection, SSRF checks, error-swallow detection, and AI code review. The agentic module investigates the most suspicious patterns in your action handlers with full context from Claude.

How does GateTest handle Vercel deployment checks?

GateTest reads vercel.json for security header configuration, env var declarations, and cron job expressions. The cronExpression module validates vercel.json crons[].schedule fields — catching impossible cron expressions like '0 0 31 2 *' (Feb 31 — never fires) before they reach production.

Ship Next.js apps with confidence.

102 modules, App Router awareness, AI-powered review on every paid tier, and AI auto-fix PRs at the Scan + Fix tier ($199) and Forensic Scan ($399). Pay only when results are delivered.

Scan My Next.js App — From $29

Card hold only. Charged after successful scan delivery.