BETA · GateTest is in active polish ahead of public launch. Some flows are rough. Found a bug? hello@gatetest.ai — we're reading every message.
Trust & Security

What we do with your code, in plain English.

You're about to install a tool that reads every file in your repo. Here's exactly how that works, what we store, and what we don't.

We run GateTest on GateTest

Every commit to main runs the same 103-module gate we sell. The badge below is the live verdict, updated within seconds of every CI run. If we ship a regression, you see it before we do.

Our own gate: awaiting first self-scan on the main branch.

Polls our own /api/internal/self-scan-status every 60 seconds.

At a glance

  • Modules in the gate: 103
  • Tests passing on main: 4,100+
  • Auto-fix accuracy (Crontech dogfood): 100%, 3/3 prod crashes caught
  • GitHub Marketplace: in review (week 1 of approval)
  • SOC2 Type II: audit Q3 2026 (not certified today; see roadmap below)

What happens to your code

The honest answer, scoped per install path. Pick the path that applies to you.

GitHub App (recommended)

What we do

  • We read the files in your repo via the GitHub API, scoped to the repositories you authorise during install.
  • We send relevant file contents to Anthropic's Claude API ONLY when you trigger auto-fix and only for the files the gate flagged.
  • We write findings to your repo's GitHub Security tab (SARIF) and post commit statuses on your PRs.
  • We open pull requests in your repo when auto-fix produces a verified patch. You review and merge — we never merge for you.

What we don't do

  • We DO NOT clone your repo to our servers. Files are read in-flight per scan.
  • We DO NOT store your source code at rest. Scan results are kept; raw code is not.
  • We DO NOT train any model on your code. Anthropic's API terms of service guarantee no training without opt-in.
  • We DO NOT have write access to your code beyond the auto-fix branches we open PRs from (plus the SARIF upload and commit statuses listed above). We cannot push to main, change repository settings, or read repos you did not authorise.

CLI in your CI (self-hosted)

What we do

  • We are an npm package that runs entirely inside your CI runner. Your code never leaves your network during the scan.
  • Auto-fix requires you to expose ANTHROPIC_API_KEY to the runner. Code sent to Anthropic stays subject to Anthropic's data policy — not ours.
  • Reporters emit findings to local files (.gatetest/reports/) which your CI uploads as artifacts. We have zero visibility unless you choose to publish them.

What we don't do

  • We have no telemetry. No usage metrics, no error reporting, no phone-home.
  • We have no licence server. The CLI runs offline forever, no kill-switch.
  • We do not require an account. You can run `npx gatetest` against any repo with zero signup.

Public URL scan (gatetest.ai / wp / web)

What we do

  • We fetch the public pages of the URL you supply, sending the same User-Agent a browser would.
  • We store the URL, the timestamp, and the scan results (no auth, no cookies, no personal data) to power the trust badge and the recurring continuous-scan tier.
  • We charge via Stripe ($29 to $399) for the scan tier you select. Stripe holds the card data; we hold only the checkout session ID and the tier.

What we don't do

  • We DO NOT scan content behind authentication. We never see your dashboard, your admin panel, or any logged-in state.
  • We DO NOT probe destructively. Every request is a plain GET of a public page, the same as any web crawler.
  • We DO NOT sell or share scan data. The only outputs are your scan report and the public health badge on your URL (which you can disable).

Security posture

What we do today, and where we're going.

Encryption

Today

All API traffic over TLS 1.3. Stripe payment data never touches our servers (Stripe-hosted checkout). Anthropic API calls go directly from your CI to Anthropic — we are not in the middle.

Secrets handling

Today

We run GateTest's own secrets module against our own code on every commit: zero hardcoded credentials. Stripe and Anthropic keys live in Vercel environment variables and are rotated quarterly.

No code storage at rest

Today

Per-scan: files read, scanned, results emitted. The raw source code is dropped after scan completion. We retain only the findings and timing metadata for the badge / report.

Audit trail

Today

Every scan emits a signed SARIF report. Every auto-fix PR links to the workflow run that produced it. You can reproduce any fix locally with node bin/gatetest.js --replay <run-id>.

SOC2 Type II

Roadmap

Audit kicks off Q3 2026. Until certified, do NOT install GateTest on repos that have a contractual SOC2 vendor requirement — use the self-hosted CLI path instead (zero data leaves your network).

HIPAA / PII handling

Roadmap

We are not currently a HIPAA business associate. Customers with PHI workloads should run the self-hosted CLI; the GitHub App path is not approved for PHI today.

Cross-customer fix learning — opt-in

We have a centralised fix-recipe store at gatetest.ai/api/recipes so a successful fix from one customer can speed up the same fix on every other customer's next scan. It is OFF by default. Here's exactly what enabling it means.

How to enable

In your workflow (or .gatetest.json):

- uses: crclabs-hq/gatetest@v1
  with:
    auto-fix: true
    share-learnings: true   # opt-in — see /trust

What WE store, anonymously

  • ✓ The module name (ssrf, secrets, etc.)
  • ✓ The finding type slug (tainted-url-to-fetch)
  • ✓ The file extension (ts, py)
  • ✓ Before/after code snippets, capped at 2KB each
  • ✓ SHA-256 hash of the before snippet (dedup key)
  • ✓ Confidence + usage count

What we NEVER store

  • × File paths or directory structure
  • × Repository names, URLs, or commit SHAs
  • × User identifiers, emails, or installation IDs
  • × Environment variables or secrets
  • × Source code outside the 2KB before/after snippet
  • × IP addresses (used only for in-memory rate limiting)

Private alternative: if you want the learning loop but don't want to share with the cross-customer pool, set recipe-store-url to your own HTTP endpoint that implements the GET / PUT /recipes contract. Your fixes never touch our servers.

Verify it yourself

We don't expect you to trust us. Every claim above maps to a public artifact:

The 103 modules
Run npx gatetest --list — the gate output is authoritative.
The 4,100+ tests
Clone the repo and run node --test tests/*.test.js — every file is in the open repo.
The auto-fix loop catches real bugs
See /quickstart for a deliberate-bug recipe that triggers the loop in under 5 minutes on any GitHub repo.
No third-party CVE in our dependencies
Our own gate runs the dependencies module on every commit. The CI badge above goes red the moment a new advisory lands on a transitive dep.
The pay-per-scan model
Stripe webhooks are the source of truth. We never bill without a successful scan. Refund policy: /legal/refunds.

Found a security issue?

Responsible disclosure to security@gatetest.ai. We acknowledge within 24 hours. PGP key available on request.