
SOC 2 compliance — what GateTest actually catches

SOC 2 Trust Services Criteria (Type I and Type II)

By 2026 every Series B SaaS sale in North America requires a Type II report. The Type II window is 6-12 months of evidence, so the technical controls auditors sample (secret rotation, CI-pipeline hardening, supply-chain hygiene) need to be passing in your pipeline NOW.

The regime

SOC 2 Trust Services Criteria (Type I and Type II). Scope: Global — a voluntary attestation framework, but contractually required by most enterprise SaaS buyers. Effective since 2010 (Trust Services Criteria revised 2017, refreshed 2022).

Maximum penalty: Not a statutory regime — no government fines. The cost of failure is loss of enterprise deals: a failed Type II almost always means a customer pulling the contract.

Authoritative source: https://www.aicpa-cima.com/topic/audit-assurance/audit-and-assurance-greater-than-soc-2

The 3 modules that do the heaviest lifting for SOC 2

Linked to each module's page for the full finding list.

Technical findings GateTest catches for SOC 2

Each item ties a specific code-level pattern to a clause or principle of SOC 2. These are the findings auditors sample.

  • Long-lived credentials not rotated in 90+ days — CC6.1 logical-access controls.
  • CI workflow steps with continue-on-error: true on the security gate — CC7.1 change-management control bypass.
  • Unpinned third-party GitHub Actions (actions/checkout@v4 instead of a full commit SHA) — CC6.6 supply-chain controls.
  • Wildcard dependency pins ("package": "*" or "latest") in package.json / requirements.txt — CC6.6.
  • Hardcoded secrets in committed source — CC6.1.
  • Vulnerable dependency versions with public CVEs — CC7.1 vulnerability management.
  • Missing .env.example documentation for runtime configuration — CC8.1 change-management evidence.
  • Logging that captures credentials or tokens in plaintext — CC6.1 + CC7.2.
  • Drift between the variables declared in .env.example and the code's process.env reads — CC8.1 baseline-configuration evidence.
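Two of the findings above (the CC8.1 .env.example drift check and the CC6.6/CC7.1 workflow check) as an added example. This is illustrative code written for this page, not GateTest's own scanner; the inputs are constructed inline and the 40-hex SHA is a placeholder.

```javascript
// Added example, not GateTest's own code. Constructed inputs; plain Node, no dependencies.
const SAMPLE_ENV_EXAMPLE = "DATABASE_URL=\nSTRIPE_KEY=\nLEGACY_FLAG=\n"; // constructed
const SAMPLE_SOURCES = [                                                   // constructed
  "const db = connect(process.env.DATABASE_URL);",
  "const key = process.env['STRIPE_KEY']; const dsn = process.env.SENTRY_DSN;",
];
const SAMPLE_WORKFLOW = [                                                  // constructed
  "steps:",
  "  - uses: actions/checkout@v4",
  "  - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567", // placeholder SHA
  "  - name: security gate",
  "    continue-on-error: true",
  "    run: npm audit",
].join("\n");
// CC8.1 drift check: keys the code reads vs. keys .env.example documents.
function declaredEnvKeys(envExampleText) {
  const keys = new Set();
  for (const line of envExampleText.split("\n")) {
    const m = /^\s*(?:export\s+)?([A-Z_][A-Z0-9_]*)\s*=/.exec(line);
    if (m) keys.add(m[1]);
  }
  return keys;
}
function readEnvKeys(sourceText) {
  const keys = new Set();
  const re = /process\.env(?:\.([A-Za-z_]\w*)|\[\s*["']([^"']+)["']\s*\])/g; // process.env.X / process.env["X"]
  for (let m; (m = re.exec(sourceText)) !== null; ) keys.add(m[1] || m[2]);
  return keys;
}
function envDrift(envExampleText, sourceTexts) {
  const declared = declaredEnvKeys(envExampleText);
  const read = new Set(sourceTexts.flatMap((s) => [...readEnvKeys(s)]));
  return {
    undocumented: [...read].filter((k) => !declared.has(k)).sort(), // read in code, absent from .env.example
    unused: [...declared].filter((k) => !read.has(k)).sort(),       // documented, never read
  };
}
// CC6.6 / CC7.1 workflow check: `uses:` refs that are not a 40-hex commit SHA, and `continue-on-error: true` on a step.
function workflowFindings(workflowYaml) {
  const findings = [];
  workflowYaml.split("\n").forEach((line, i) => {
    const uses = /^\s*-?\s*uses:\s*([^\s#]+)/.exec(line);
    if (uses && !/^[0-9a-f]{40}$/.test(uses[1].split("@")[1] || ""))
      findings.push({ line: i + 1, rule: "unpinned-action", value: uses[1] }); // 1-based line for reporting
    if (/^\s*continue-on-error:\s*true\b/.test(line))
      findings.push({ line: i + 1, rule: "continue-on-error" });
  });
  return findings;
}
```

On the constructed inputs, envDrift reports SENTRY_DSN as undocumented and LEGACY_FLAG as unused, and workflowFindings flags the v4 tag on line 2 and the continue-on-error on line 5.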

Out of scope — what you still need humans for

GateTest is a code scanner. SOC 2 compliance is a programme, not a tool. These items will never be answerable from source code alone.

  • Defining and documenting your Trust Services Criteria scope.
  • Vendor risk-management program (CC9.2) — that is a procurement workflow.
  • Background checks on engineers (CC1.4) — HR control.
  • Incident response runbooks and tabletop exercises (CC7.3, CC7.4).
  • Auditor selection and the actual Type II engagement.

How GateTest fits a compliance programme

GateTest is a code-quality and security scanner. It belongs in your CI pipeline, not in your auditor's office. We catch the technical findings auditors look for — secrets, missing rotation, weak TLS, PII in logs, dangerous dependencies — so the audit becomes a paperwork exercise instead of an emergency.

Pricing

  • Quick ($29): 4 essential modules
  • Full ($99): All modules — scan only
  • Scan + Fix ($199): Full scan + AI auto-fix PR
  • Forensic ($399): Everything + correlation + report

Trust

CLI is MIT-licensed. Available on GitHub Marketplace soon.

Try a $29 Quick scan on your repo

See the SOC 2-relevant findings on your own code in under 15 seconds. Free preview. Pay only if you ship the report.
