Block pull requests on security findings
Stop a PR from merging when a scan finds a vulnerability
Run GateTest as a required status check on every pull request so any error-severity finding — a leaked secret, an injection, a vulnerable dependency — fails the check and blocks the merge until it's fixed.
The problem
Code review catches design problems, but humans are unreliable at spotting a hardcoded key or a tainted SQL string buried in a 400-line diff at the end of the day. Without an automated gate, whether a vulnerability merges depends on whether a reviewer happened to notice.
The fix is to make 'no new criticals' a precondition of merging, applied identically to every pull request, with the same rigor at 9am on Monday and 6pm on Friday.
How GateTest does it
Add GateTest as a GitHub Action that runs on `pull_request`. It scans the changed code, and any error-severity finding fails the job.
Mark the GateTest check as a required status check in branch protection. Now GitHub itself refuses to merge until the check is green — there's no override short of an admin.
# .github/workflows/gatetest.yml
name: GateTest
on:
  pull_request:
jobs:
  gate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: crclabs-hq/gatetest-action@v1
        with:
          suite: full
          # error-severity findings fail the job and block the merge
          fail-on: error

Steps
1. Add the GateTest workflow to .github/workflows/.
2. Open Settings → Branches → branch protection for your default branch.
3. Enable 'Require status checks to pass before merging' and select the GateTest check.
4. On the Scan + Fix tier, let GateTest open an auto-fix PR so the gate can go green without manual work.
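Steps 2 and 3 can also be applied from the command line instead of the Settings UI, which is useful when the same protection has to be rolled out to many repositories or kept in version control. The script below is an added example, not part of GateTest or the crclabs-hq action; it assumes the `gh` CLI is authenticated with admin rights on the repository, that the status check GitHub lists for the workflow above is the job id `gate`, and uses `example-org/example-repo` as a placeholder repository. With `DRY_RUN=1` it only prints the payload it would send, so it can be reviewed offline.

```shell
#!/bin/sh
# Added example (not GateTest's own tooling): codify branch protection with a
# required status check through the GitHub REST API via the gh CLI.
# Assumptions: the check context is the job id "gate" from the workflow
# above, and `gh` is authenticated with repo admin rights.

# Build the branch-protection payload for PUT /repos/{owner}/{repo}/branches/{branch}/protection.
# "strict": true additionally requires the PR branch to be up to date with the
# base branch, so a stale branch cannot merge past a check that ran on old code.
protection_payload() {
    context="$1"   # status check name, e.g. "gate"
    printf '{"required_status_checks":{"strict":true,"contexts":["%s"]},' "$context"
    printf '"enforce_admins":false,'
    printf '"required_pull_request_reviews":null,'
    printf '"restrictions":null}'
}

# Apply the protection to OWNER/REPO on BRANCH, requiring CHECK to pass.
# With DRY_RUN=1 the payload is printed instead of sent.
apply_protection() {
    owner_repo="$1"; branch="$2"; check="$3"
    payload=$(protection_payload "$check")
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$payload"
        return 0
    fi
    # gh api sends the JSON body read from stdin (--input -) with the PUT request
    printf '%s' "$payload" | gh api -X PUT \
        -H "Accept: application/vnd.github+json" \
        "/repos/$owner_repo/branches/$branch/protection" --input -
}

# Usage (real call; needs gh auth and admin rights on the repo):
#   apply_protection example-org/example-repo main gate
# Offline review of what would be sent:
#   DRY_RUN=1 apply_protection example-org/example-repo main gate
```

Once applied, GitHub reports the merge as blocked until a run of the `gate` job succeeds on the latest commit of the pull request; `enforce_admins` is left false here to match the page's note that only an admin can bypass the gate, and can be set to true where even that override should be closed off.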
Frequently asked questions
How do I make GateTest a required check?
Add GateTest as a GitHub Action on pull_request, then enable branch protection on your default branch and select the GateTest check under 'Require status checks to pass before merging'. GitHub then blocks the merge until the check passes.
What severity blocks the merge?
Only error-severity findings fail the job by default. Warnings and info surface in the output without blocking, so the gate stops real problems without becoming noise developers route around.
Put this gate on your repo
Free preview of findings. Pay per scan — no subscription. AI auto-fix PR on the Scan + Fix tier.