BETA · GateTest is in active polish ahead of public launch. Some flows are rough. Found a bug? hello@gatetest.ai — we're reading every message.
All 104 modules

One scan. 104 modules. Every QA check unified.

GateTest runs 104 distinct checks against your codebase — security, infrastructure, accessibility, performance, code quality, AI-app safety, and more. Each module is the GateTest equivalent of a separate tool: Snyk, SonarQube, Semgrep, ESLint, hadolint, kube-score, axe, Lighthouse, and 20 more. One config, one bill.

Click any module to see what it catches, example findings, pricing tiers it's included on, and how the AI auto-fix loop handles it.

Source & quality

The foundation. Catches the bugs every linter and compiler should have caught but didn't.

12 modules in this category

Syntax
syntax
Validates JS, TS, JSON, YAML, CSS, HTML.
Lint
lint
ESLint, Stylelint, language-aware style rules.
Code Quality
codeQuality
console.log, debugger, TODO/FIXME, eval, innerHTML, complexity.
Dead Code
deadCode
Unused exports across JS/TS/Python, orphaned files, rotting commented-out blocks.
Typescript Strictness
typescriptStrictness
tsconfig regressions, @ts-ignore abuse, any-leak detection on exported signatures.
Documentation
documentation
README, CHANGELOG, LICENSE, JSDoc coverage, env documentation.
Duplicate Code
duplicateCode
Copy-pasted blocks that should be extracted into utilities.
Import Cycle
importCycle
Circular dependencies that cause runtime TDZ / undefined-import bugs.
Async Iteration
asyncIteration
Async callbacks handed to .reduce/.filter/.some/.every/.forEach/.map where Promise semantics silently break.
Datetime Bug
datetimeBug
Naive datetimes, JS 0-vs-1 month, moment-legacy.
Money Float
moneyFloat
IEEE-754 precision loss on currency-named variables.
Homoglyph
homoglyph
Trojan Source bidi overrides, Cyrillic/Greek letters in Latin identifiers, zero-width chars.

Security

OWASP-grade scanning that goes beyond CVE lookups into your actual code paths.

15 modules in this category

Security
security
OWASP patterns, XSS, SQL injection, innerHTML, shell exec, Docker misconfigs.
Secrets
secrets
AWS keys, GitHub tokens, Stripe keys, passwords, private keys, DB strings.
Secret Rotation
secretRotation
Long-lived credentials in git, .env drift, placeholder/real example mismatch.
Ssrf
ssrf
User-controlled URLs handed to fetch/axios/got/node-http without validation.
Tls Security
tlsSecurity
rejectUnauthorized:false, verify=False, NODE_TLS_REJECT_UNAUTHORIZED=0.
Cookie Security
cookieSecurity
httpOnly:false, weak session secrets, SESSION_COOKIE_* misconfigs.
Redos
redos
Catastrophic-regex detector: nested quantifiers, overlapping alternation, user-controlled patterns.
Auth Bypass
authBypass
Routes missing authentication.
Cross File Taint
crossFileTaint
Cross-file taint analysis — user input → dangerous sinks across module boundaries.
Webhook Payload
webhookPayload
Webhook handlers that use req.body without validation.
Log Pii
logPii
Credentials, tokens, and request objects logged in plaintext.
Wp Exposed Files
wpExposedFiles
WordPress: sensitive files exposed via public webroot (wp-config.php.bak, debug.log, .git, .env, SQL backups).
Wp Xmlrpc Exposed
wpXmlrpcExposed
WordPress: /xmlrpc.php exposed (brute-force amplification + DDoS reflector + auth-bypass surface).
Wp Malware Patterns
wpMalwarePatterns
WordPress: rendered HTML/JS scanned for known malware signatures (eval(atob), hidden iframes, base64 payloads).
Wp Admin Protection
wpAdminProtection
WordPress: /wp-admin and /wp-login.php checked for rate limit / WAF / 2FA / cookie hardening.

Reliability

The bugs that don't break on your machine but break in production at 3am.

11 modules in this category

Error Swallow
errorSwallow
Empty catch, .catch(noop), callback-err ignored, floating promises, global silent handlers.
N Plus One
nPlusOne
Database calls inside loops across Prisma, Sequelize, TypeORM, Mongoose, Knex, Drizzle.
Retry Hygiene
retryHygiene
Tight retry loops, no backoff, unbounded retry, retry-on-4xx across fetch/axios/got/node-http.
Race Condition
raceCondition
TOCTOU, get-or-create anti-pattern, lost-update on counters.
Resource Leak
resourceLeak
Unclosed streams, file handles, intervals, sockets across fs/net/ws/events.
Env Vars
envVars
process.env / os.environ reads cross-referenced with .env.example and CI env blocks.
Cron Expression
cronExpression
Invalid / impossible / too-frequent cron strings (Feb 30, * * * * *, typo aliases).
Feature Flag
featureFlag
Stale flags collapsed into constants and dead-branch conditionals.
Intent Verification
intentVerification
AI checks that the diff matches the commit message / PR description.
Regression Predictor
regressionPredictor
AI predicts which files this PR is most likely to break.
Rollback Honesty
rollbackHonesty
Rollback Honesty Checker — verifies advertised rollback path actually rolls back.

Web & UX

Surfacing the user-visible problems static analysis usually pretends don't exist.

13 modules in this category

Accessibility
accessibility
WCAG 2.2 automated audit (AA + AAA-aligned) — missing alt text, ARIA labels, keyboard traps, heading hierarchy.
Performance
performance
Dependency count, bundle size analysis, image optimisation checks.
Visual
visual
Visual & UI Regression Testing.
Seo
seo
Meta tags, Open Graph, structured data, robots.txt, canonical URLs.
Links
links
Every broken href — dead anchors, placeholder links, 404s.
Compatibility
compatibility
Browser matrix validation. Modern API and CSS features without polyfills.
E2e
e2e
End-to-End Test Execution.
Live Crawler
liveCrawler
Live site crawl — 404 / 500 / broken-image / redirect-chain on the live URL.
Explorer
explorer
Autonomous Interactive Element Explorer — clicks every button + form + dropdown via Playwright.
Runtime Errors
runtimeErrors
Live browser runtime errors — uncaught JS, console.error/warn, network 4xx/5xx, CSP violations, hydration mismatches.
Chaos
chaos
Chaos & Resilience Testing — slow network, API failure, offline, missing resources, server timeouts. Runs via the GitHub Action wh
Web Headers
webHeaders
CSP/HSTS/XFO/CORS misconfig across Next.js, Vercel, Netlify, Express, Fastify, nginx.
Cache Headers
cacheHeaders
Cache Headers & CDN Configuration.

Infrastructure

Catches the supply-chain takeovers, container exploits, and CI/CD foot-guns.

18 modules in this category

Dependencies
dependencies
Supply-chain hygiene across npm, pip, Pipenv, Poetry, go.mod, Cargo, Bundler, Composer, Maven, Gradle.
Dockerfile
dockerfile
Root user, :latest tags, curl|sh, apt hygiene, secrets-in-layers, cache bloat.
Ci Security
ciSecurity
GitHub Actions hardening — action pinning, pwn-request, shell injection, secrets-in-logs, permissions.
Ci Param Validator
ciParamValidator
Validates GitHub Actions with: inputs against action schemas.
Shell
shell
Shell script security — curl|sh, unsafe rm, eval injection, hardcoded secrets, set -e, POSIX compliance.
Bash Safety
bashSafety
Bash / Shell Error-Swallow Detector.
Sql Migrations
sqlMigrations
Drop column/table, non-concurrent indexes, NOT NULL without default, blocking constraints, rolling-deploy renames.
Terraform
terraform
Public buckets, wildcard ingress, hardcoded secrets, missing encryption, IAM wildcards.
Kubernetes
kubernetes
Privileged pods, host namespaces, :latest images, missing limits/probes, dangerous caps.
Systemd
systemd
Systemd Unit File Validator.
Deploy Script Validator
deployScriptValidator
Health-check URL consistency.
Service Consistency
serviceConsistency
ExecStart / Procfile / PM2 vs package.json start script.
Deploy Contract
deployContract
Deploy Contract Validator.
Deploy Readiness
deployReadiness
Aggregate 0-100 deployment confidence score.
Native Bundler Guard
nativeBundlerGuard
Native Node addons that cannot be bundled.
Bundle Size
bundleSize
JS bundles exceeding size budgets.
Env Integrity
envIntegrity
Env-File Integrity Linter.
Prompt Safety
promptSafety
Browser-exposed API keys, unbounded max_tokens, prompt-injection surfaces, deprecated models.

Developer hygiene

Pulls bad-process bugs out of CI before they cost a 90-minute review.

10 modules in this category

Pr Size
prSize
Blocks unreviewably-large pull requests (files / lines / sprawl across top-level dirs).
Pr Quality
prQuality
Weak commit messages, missing tests, mixed deps+code.
Flaky Tests
flakyTests
Committed .only/.skip, real clock/network/timers, env leaks, self-admitted flakes.
Fake Fix Detector
fakeFixDetector
AI-generated symptom patches — skipped tests, swallowed errors, dead code.
Hardcoded Url
hardcodedUrl
localhost / 127.0.0.1 / RFC1918 / internal TLDs / non-TLS URLs leaking into production.
Openapi Drift
openapiDrift
Routes defined in code missing from openapi.yaml, and spec paths with no matching handler.
Trpc Contract
trpcContract
tRPC procedure definitions vs frontend call sites.
Monorepo Constraints
monorepoConstraints
Enforces package boundary rules in apps/ packages/ libs/.
Zod Schema Presence
zodSchemaPresence
React components without runtime prop validation.
Data Integrity
dataIntegrity
Migration safety, SQL injection patterns, PII in logs, database schema validation.

AI & advanced

Where deterministic scanning stops and reasoning starts. Used sparingly, not by default.

8 modules in this category

Ai Review
aiReview
Claude reads your code and finds real bugs — not patterns, actual understanding.
Agentic
agentic
Memory-driven AI investigation — picks hypotheses from past scans, walks the code.
Memory
memory
Codebase memory — compounding intelligence across scans (issue history + fix patterns).
Ai Hallucination
aiHallucination
Fake imports, invented APIs, non-existent methods.
Claude Compliance
claudeCompliance
AI-output rot — mock data in prod, not-implemented stubs, WHAT-not-WHY comment noise, `any` / `@ts-ignore` density.
Undefined Ref
undefinedRef
Variables, functions, methods referenced before they're defined.
Architecture Drift
architectureDrift
AI flags code that violates documented architectural conventions.
Mutation
mutation
Modifies your source code to verify your tests actually catch bugs. Runs via the GitHub Action because it executes your test suite

Scanning & testing

The classic suite — unit, integration, end-to-end — wired into the same gate as everything else.

2 modules in this category

Unit Tests
unitTests
Unit Test Execution.
Integration Tests
integrationTests
Integration Test Execution.

Language coverage

Nine non-JS language backends. Same engine, language-aware patterns.

9 modules in this category

Python
python
eval/exec, bare-except, SQL injection, pickle.
Go
go
Ignored errors, panics, goroutine hygiene.
Rust
rust
unwrap/panic/todo, unsafe block review.
Java
java
System.out, broad catches, empty catches.
Ruby
ruby
eval, shell injection, bare rescue.
Php
php
eval, legacy mysql_, XSS, debug output.
Csharp
csharp
Console.WriteLine, empty catches.
Kotlin
kotlin
!!, TODO(), println.
Swift
swift
fatalError, try!, force-unwrap.

WordPress

Live-URL probes for the wp.gatetest.ai product. Run against any public WordPress site.

6 modules in this category

Wp Version Leak
wpVersionLeak
Where the site leaks its core version (readme.html, meta generator, RSS feed, CSS/JS ver=).
Wp Plugin Cve Check
wpPluginCveCheck
Detects installed plugins via fingerprinting and flags any with known CVEs.
Wp User Enumerate
wpUserEnumerate
Checks if usernames can be enumerated via /?author=1, /wp-json/wp/v2/users, /author/admin/.
Wp Php Version Eol
wpPhpVersionEol
Detects the running PHP version and flags it if end-of-life.
Wp Theme Abandonment
wpThemeAbandonment
Detects the active theme and flags it if abandoned, deprecated, or carrying known CVEs.
Wp Backup Validation
wpBackupValidation
Whether a backup plugin is installed AND whether any backup files are publicly exposed.

104 checks. One scan. From $29.

Per-scan pricing. No subscription. AI auto-fix PR on the Scan + Fix and Forensic Scan tiers.

See pricing →Compare to Snyk