Get your CI self-healing in four steps.
You install one workflow, add one secret, and the next time your CI fails you get a pull request with the fix already written.
Install the workflow
~30 seconds
From the root of any GitHub repo, run the one-liner. It drops three files: the CI workflow, a pre-push hook, and a protection marker. Nothing else changes.
curl -sSL https://raw.githubusercontent.com/crclabs-hq/gatetest/main/integrations/scripts/install.sh | bash
Public or private repos both work. The workflow file only reads your code — nothing is sent anywhere until CI runs.
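An added example, not part of the gatetest project or the original page: instead of piping the download straight into bash, it saves the installer to a file so it can be read first, and runs it only when it matches the SHA-256 recorded at review time. Because the URL tracks the main branch, the script can change between review and run, which is what the digest check catches. The function names and the REVIEWED_SHA256 variable are assumptions made for this example.

```bash
# Added example, not the project's own code. URL copied from the one-liner above.
INSTALL_URL="https://raw.githubusercontent.com/crclabs-hq/gatetest/main/integrations/scripts/install.sh"

# Print the SHA-256 hex digest of a file with whichever tool is installed.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Return 0 only when the file exists and its digest equals the expected one.
verify_script() {
  local file="$1" expected="$2" actual
  [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
  actual="$(sha256_of "$file")" || return 2
  if [ "$actual" != "$expected" ]; then
    echo "digest mismatch: got $actual" >&2
    return 1
  fi
  return 0
}

# First run (REVIEWED_SHA256 unset): download, keep the file for reading, print
# its digest. Later runs: download again and execute only if the digest matches.
# REVIEWED_SHA256 is a hypothetical variable name chosen for this example.
install_reviewed() {
  local tmp rc
  tmp="$(mktemp)" || return 2
  curl -fsSL "$INSTALL_URL" -o "$tmp" || { rm -f "$tmp"; return 2; }
  if [ -z "${REVIEWED_SHA256:-}" ]; then
    echo "Read $tmp, then re-run with REVIEWED_SHA256=$(sha256_of "$tmp")" >&2
    return 3
  fi
  if verify_script "$tmp" "$REVIEWED_SHA256"; then
    bash "$tmp"; rc=$?
  else
    rc=1
  fi
  rm -f "$tmp"
  return "$rc"
}
```

Source the file and call install_reviewed from the repo root; the first call stops after printing the digest so the saved script can be read before anything executes.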
Add the ANTHROPIC_API_KEY secret
~2 minutes
This is what unlocks auto-fix PRs. Without this secret, CI still runs the gate — but no PR opens when something fails.
⚠ This is the step most people skip.
If you skip it, your CI will still detect bugs but won't open fix PRs. You'll see a yellow “auto-repair not configured” warning on every failing run.
- Open the secrets page for your repo or org:
  https://github.com/<your-org>/<your-repo>/settings/secrets/actions
  Or for the whole org at once:
  github.com/organizations/<your-org>/settings/secrets/actions
- Click New repository secret (or organization secret).
- Name: ANTHROPIC_API_KEY
- Value: your Anthropic API key. Get one at console.anthropic.com — pay-as-you-go, no minimum, a typical fix PR costs ~$0.02 in API spend.
- Save.
We never see or store your key — it goes from GitHub Secrets directly to Anthropic at fix-time. You're billed by Anthropic for the API usage, not by us.
Push a commit (deliberate or real)
~1 minute
On your next push or pull request, the workflow runs. If everything passes, the gate shows green and you move on. If it finds a fixable bug, Step 4 kicks in.
Want to see it work end-to-end? Add an obvious bug and push:
# Pick any JS/TS file in the repo, add a stray console.log + commit
echo 'console.log("debug");' >> src/some-file.js
git add -A && git commit -m "test: trigger gate" && git push
The gate flags console.log in library code as error-severity. CI goes red. Auto-fix runs.
Watch the fix PR open
~1 minute
Within ~60 seconds of CI failing, a new pull request appears in your repo titled AI CI-fixer: repair workflow run #<id>. It contains:
- ✓ The actual code fix — console.log replaced with process.stderr.write, or whatever was appropriate for the specific finding.
- ✓ A before/after scan summary in the PR body.
- ✓ A regression test for the bug (so it can't silently come back).
- ✓ On Scan + Fix and Forensic Scan tiers: a pair-review comment from a second Claude scoring the fix on 4 axes.
Review it like any other PR. Merge it if you're happy. Your gate stays red until either this PR merges or you fix it yourself.
Nothing happened on a failing run?
The workflow ran but no fix PR appeared.
Check the workflow output for a yellow “auto-repair not configured” warning. If you see it, Step 2 didn't land — the ANTHROPIC_API_KEY secret isn't set on the repo (or org).
The workflow says “auto-repair could not generate any fixes.”
The fix engine ran but couldn't produce a verified patch. Common causes: file too large (> 50KB), config-level finding with no file:line to anchor a fix, or the finding wasn't a straightforward code change (architecture, dependency choice). Check the per-finding [skipped: …] lines in the workflow log for the reason.
CI passes but I want to see a fix PR anyway.
The gate only opens PRs when something fails. Try Step 3's “add a deliberate bug” trick — cheapest way to see the loop work end-to-end on a real repo.
I'm on GitLab/Jenkins/CircleCI, not GitHub.
The CLI works in any CI — npx gatetest --suite full from your pipeline runs the same 110 modules. Auto-fix PRs currently require the GitHub workflow path; CLI is scan-only.
You're live. What's next?
The free path covers most of what you need. Upgrade tiers if you want deeper analysis, pair-review, and cross-finding attack-chain correlation.