Real scans. Real findings. No demo data.

Hall of Scans

Every result on this page came from running GateTest against a real public codebase. No fabricated numbers. No cherry-picked examples. This is what 120 modules actually find.

🔒 Scans run in memory — code is never stored. Findings published with platform owner consent.

1,564
Total issues found
9
Critical chains
4
Repos scanned
47
Fixes auto-PRed
GateTest — self-scan (this product's own repo)
Forensic ($399)·2026-04-26·30/39 modules passed
37
Errors
328
Warnings

GateTest ran on itself. We found 37 real errors — all fixed before shipping. The CI continue-on-error violation was caught by the ciSecurity module dog-fooding its own rule.

Top Findings

ERROR
ciSecuritycontinue-on-error: true on GateTest's own gate step — Bible Forbidden #24
ERROR
secretsStale credential-shaped strings in test fixtures (>90 days)
ERROR
errorSwallowEmpty catch blocks swallowing DB connection errors silently
WARN
typescript-strictnessskipLibCheck: true in tsconfig.json — hides type-contract violations

Cross-Finding Attack Chains

CRITICAL
Session-forgery vector
Weak session secret + httpOnly:false cookie + missing CSRF validation → attacker can forge authenticated sessions from XSS
HIGH
CI supply-chain exposure
Unpinned GitHub Actions + GITHUB_TOKEN with write permissions + shell injection via event inputs → workflow hijack
Vapron — production scheduling platform (dogfood)
Forensic ($399)·2026-04-26·23/39 modules passed
754
Errors
891
Warnings

754 errors across a production scheduling platform. Two critical attack chains, both requiring less than 30 minutes to exploit. The supply-chain chain is the one that makes security engineers go quiet.

Top Findings

CRITICAL
ciSecurityUnpinned GitHub Actions + write-permission GITHUB_TOKEN + shell injection from PR title event input
CRITICAL
secretsAPI key baked into Docker layer — visible in docker history
ERROR
ssrfUser-supplied webhook URL passed directly to fetch() without hostname validation
ERROR
cookieSecuritySession cookie secret is a known-weak placeholder — cookie theft risk
ERROR
tlsSecurityNODE_TLS_REJECT_UNAUTHORIZED=0 set globally in server bootstrap

Cross-Finding Attack Chains

CRITICAL
Supply-chain CI takeover
Unpinned action + write GITHUB_TOKEN + shell injection from PR title → attacker opens PR with crafted title, action runs shell with write access to the repo
CRITICAL
Client-bundle secret exposure
NEXT_PUBLIC_ prefixed API key + baked into Docker layer + no rotation detector → key is in the browser bundle AND in docker history, double-exposure
Gluecron.com — workflow automation platform (dogfood)
Forensic ($399)·2026-04-26·26/39 modules passed
649
Errors
743
Warnings

The clevgest chain of this batch: hardcoded secret + missing from .env.example. Neither finding alone is alarming. Together they mean you cannot rotate the secret even if you wanted to — the rotation attempt itself would break production.

Top Findings

CRITICAL
secretsHardcoded API key in workflow file AND missing from .env.example — rotation is structurally impossible
ERROR
asyncIterationforEach(async ...) in webhook handler — errors swallowed, events processed out of order
ERROR
moneyFloatparseFloat() on billing amounts — sub-cent drift accumulates across high-volume cron runs
ERROR
raceConditionfindOne → insert pattern on job table with no transaction or ON CONFLICT guard — duplicate-job race

Cross-Finding Attack Chains

CRITICAL
Secret rotation is structurally impossible
Hardcoded WORKFLOW_SECRETS_KEY in CI + missing from .env.example → the env contract doesn't even know the key exists → any rotation attempt breaks CI silently
HIGH
Billing drift + duplicate job race
parseFloat on cron billing amounts + duplicate-job race on insert → a race creates two billing events, both use float arithmetic → double-charge with rounding error
public legal-tech platform
Forensic ($399)·2026-04-26·31/39 modules passed
124
Errors
267
Warnings

The correlator returned 0 chains on this repo — findings were genuinely independent. We didn't pad. But the money-float finding in a legal-tech trust-account handler is, in isolation, a textbook fintech bug that regulators call fraud when it accumulates at scale.

Top Findings

CRITICAL
moneyFloatparseFloat() on trust-account transaction amounts in TrustActions.tsx — a legal-tech product handling client trust money
ERROR
errorSwallowMultiple .catch(() => {}) on payment promise chains — failed payments silently succeed from the caller's perspective
ERROR
logPiiconsole.log(req.body) in auth endpoint — logs contain SSN and bank routing numbers from form submissions
WARN
raceConditionfindOne → update race on trust-account balance with no transaction guard

Cross-finding correlation: 0 chains identified. Findings were genuinely independent — the correlator does not pad results.

See what's in your repo

Free preview scan — no card required. Quick suite: syntax, lint, secrets, code quality. Runs in under 30 seconds on any public repo.