API Reference · v1
Scan any GitHub repo programmatically. Every module advertised runs real analysis or returns an honest skipped reason — we never fake-pass.
Every request requires a GateTest API key. Pass it via Authorization: Bearer <key> or the X-API-Key header. Keys start with gt_live_ and are issued from the admin console. Only the hash is stored — keep the plaintext safe.
Two input modes: provide a repo_url (GitHub) or upload files[] directly (any platform — no GitHub required). Same 102 modules, same response format. Typical latency: 5–15 s for quick, 20–60 s for full.
| Field | Type | Required | Notes |
|---|---|---|---|
| repo_url | string | mode A | github.com URL — GateTest reads the repo via API |
| files | {path, content}[] | mode B | Direct upload — send file contents inline (max 100 files, 500 KB each) |
| project | string | no | Label for direct uploads (e.g. "zoobicon") |
| tier | string | no | quick (default, 4 modules) or full (102 modules). Key must be entitled. |

```bash
curl -X POST https://gatetest.ai/api/v1/scan \
  -H "Authorization: Bearer gt_live_YOUR_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "repo_url": "https://github.com/owner/repo",
    "tier": "quick"
  }'
```

No GitHub required. Send file paths and contents inline — works for any platform, any language, any framework.

```bash
curl -X POST https://gatetest.io/api/v1/scan \
  -H "Authorization: Bearer gt_live_YOUR_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "files": [
      { "path": "src/index.ts", "content": "import express..." },
      { "path": "src/auth.ts", "content": "const secret = ..." }
    ],
    "tier": "full",
    "project": "zoobicon"
  }'
```

Pass an Idempotency-Key header to deduplicate retries within 24 hours. Useful from CI where a build may retry.

```bash
curl -X POST https://gatetest.io/api/v1/scan \
  -H "Authorization: Bearer gt_live_YOUR_KEY" \
  -H "Content-Type: application/json" \
  -H "Idempotency-Key: scan-20260415-build-847" \
  -d '{
    "repo_url": "https://github.com/owner/repo",
    "tier": "full"
  }'
```

```json
{
  "status": "complete",
  "repo_url": "https://github.com/owner/repo",
  "tier": "quick",
  "modules": [
    {
      "name": "syntax",
      "status": "passed",
      "checks": 18,
      "issues": 0,
      "duration": 42
    },
    {
      "name": "secrets",
      "status": "failed",
      "checks": 24,
      "issues": 1,
      "duration": 31,
      "details": ["src/config.js: AWS access key"]
    },
    {
      "name": "aiReview",
      "status": "skipped",
      "checks": 0,
      "issues": 0,
      "duration": 2,
      "skipped": "ANTHROPIC_API_KEY not set — AI review skipped"
    }
  ],
  "totalModules": 22,
  "completedModules": 22,
  "totalIssues": 1,
  "duration": 8421,
  "authSource": "app",
  "key": { "name": "Platform A prod", "prefix": "gt_live_abcd" }
}
```

| Status | Meaning |
|---|---|
| passed | Module ran, performed at least 1 check, found 0 issues. |
| failed | Module found ≥ 1 issue (see details) or threw during execution. |
| skipped | Module could not run honestly (e.g. missing config, nothing to inspect). The `skipped` field explains why. Never treated as a pass. |

| HTTP | Reason |
|---|---|
| 400 | Missing or malformed body / repo_url / tier. |
| 401 | Missing or invalid API key. |
| 403 | Key revoked, or tier not entitled on this key. |
| 429 | Rate limit exceeded. Response body includes rate_limit_per_hour. Respect Retry-After. |
| 500 | Scan crashed — retry with the same idempotency key is safe. |
| 502 | Could not access the GitHub repo. Usually means private repo without a GateTest GitHub App install. |
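
Read together, the status and HTTP tables above describe a gate that should fail closed: a skipped module is not a pass, 429 carries a Retry-After, and a 500 can be retried with the same idempotency key. The decision logic below is an added example, not GateTest's own code; `gateDecision`, `allowSkipped` and the 30-second default backoff are assumptions.

```javascript
// Added example. gateDecision, allowSkipped and DEFAULT_RETRY_MS are
// hypothetical names, not part of the GateTest API.
const DEFAULT_RETRY_MS = 30000; // assumed backoff when Retry-After is absent

// Map one /api/v1/scan response to a CI action: "pass", "fail" or "retry".
function gateDecision(httpStatus, retryAfter, body, opts = {}) {
  const allowSkipped = new Set(opts.allowSkipped || []);

  // 429: respect Retry-After. 500: retrying with the same Idempotency-Key is safe.
  if (httpStatus === 429 || httpStatus === 500) {
    const secs = Number(retryAfter); // delta-seconds form only, HTTP-date falls back
    const valid = retryAfter != null && retryAfter !== "" &&
      Number.isFinite(secs) && secs >= 0;
    return { action: "retry", reason: `HTTP ${httpStatus}`,
             retryAfterMs: valid ? secs * 1000 : DEFAULT_RETRY_MS };
  }
  // 400/401/403/502 and any other non-2xx: fail, a blind retry will not help.
  if (httpStatus < 200 || httpStatus > 299) {
    return { action: "fail", reason: `HTTP ${httpStatus}` };
  }
  // Assumption: a finished scan reports status "complete" and a non-empty modules array.
  if (!body || body.status !== "complete" ||
      !Array.isArray(body.modules) || body.modules.length === 0) {
    return { action: "fail", reason: "unexpected response body" };
  }
  const bad = [];
  for (const m of body.modules) {
    if (m.status === "passed") continue;
    // "skipped" is never a pass unless this pipeline explicitly accepts it.
    if (m.status === "skipped" && allowSkipped.has(m.name)) continue;
    bad.push(`${m.name}:${m.status}`);
  }
  return bad.length
    ? { action: "fail", reason: bad.join(", ") }
    : { action: "pass", reason: `${body.modules.length} modules passed` };
}

// Constructed sample, abbreviated from the response shown above.
const SAMPLE = { status: "complete", totalIssues: 1, modules: [
  { name: "syntax", status: "passed", issues: 0 },
  { name: "secrets", status: "failed", issues: 1 },
  { name: "aiReview", status: "skipped", issues: 0 },
] };

console.log(gateDecision(200, null, SAMPLE));
console.log(gateDecision(429, "120", null));
console.log(gateDecision(401, null, { error: "invalid key" }));
```

A check on `totalIssues` alone would pass a scan in which every remaining module was skipped; `gateDecision` reports those modules by name instead.
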
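
```javascript
import fetch from "node-fetch";

const res = await fetch("https://gatetest.ai/api/v1/scan", {
  method: "POST",
  headers: {
    Authorization: `Bearer ${process.env.GATETEST_API_KEY}`,
    "Content-Type": "application/json",
    // Keyed on the commit SHA so a retried CI job deduplicates to the same scan
    "Idempotency-Key": `ci-${process.env.GITHUB_SHA}`,
  },
  body: JSON.stringify({
    repo_url: "https://github.com/owner/repo",
    tier: "full",
  }),
});

// Fail closed: an error response (401, 403, 429, ...) may carry no totalIssues,
// and `undefined > 0` is false, so the build would otherwise pass.
if (!res.ok) {
  console.error(`GateTest scan request failed: HTTP ${res.status}`);
  process.exit(1);
}

const result = await res.json();
if (result.totalIssues > 0) process.exit(1);
```

Install the GateTest GitHub App on your repo or organisation. GateTest will mint a short-lived installation token at scan time — your API key stays untouched by GitHub.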