Use case

Block pull requests on security findings

Stop a PR from merging when a scan finds a vulnerability

Run GateTest as a required status check on every pull request so any error-severity finding — a leaked secret, an injection, a vulnerable dependency — fails the check and blocks the merge until it's fixed.

The problem

Code review catches design problems, but humans are unreliable at spotting a hardcoded key or a tainted SQL string buried in a 400-line diff at the end of the day. Without an automated gate, whether a vulnerability merges depends on whether a reviewer happened to notice.

The fix is to make 'no new criticals' a precondition of merging, applied identically to every pull request, with the same rigor at 9am on Monday and 6pm on Friday.

How GateTest does it

Add GateTest as a GitHub Action that runs on `pull_request`. It scans the changed code, and any error-severity finding fails the job.

Mark the GateTest check as a required status check in branch protection. Now GitHub itself refuses to merge until the check is green — there's no override short of an admin.

.github/workflows/gatetest.yml
# .github/workflows/gatetest.yml
name: GateTest
on:
  pull_request:
jobs:
  gate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: crclabs-hq/gatetest-action@v1
        with:
          suite: full
          # error-severity findings fail the job and block the merge
          fail-on: error

Steps

  1. Add the GateTest workflow to .github/workflows/.
  2. Open Settings → Branches → branch protection for your default branch.
  3. Enable 'Require status checks to pass before merging' and select the GateTest check.
  4. On the Scan + Fix tier, let GateTest open an auto-fix PR so the gate can go green without manual work.
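Once the steps above are done, the gate only holds if branch protection actually names the check. The audit below is an added example, not GateTest's or GitHub's own code: it reads the JSON that `GET /repos/{owner}/{repo}/branches/{branch}/protection` returns (for instance via `gh api ... | python audit.py`) and reports the settings that would let a red check be bypassed. It assumes the status-check context is the job id from the workflow above (`gate`); the sample response is constructed.

```python
import json
import sys

# Constructed sample of a branch-protection API response, trimmed to the
# fields the audit reads. It is not data from any real repository.
SAMPLE_PROTECTION = json.dumps({
    "required_status_checks": {"strict": False, "contexts": ["gate"]},
    "enforce_admins": {"enabled": False},
})

# Same shape, but configured so that nothing can merge around the gate.
PASSING_PROTECTION = json.dumps({
    "required_status_checks": {"strict": True, "contexts": ["gate"]},
    "enforce_admins": {"enabled": True},
})


def audit_branch_protection(protection_json: str, check_context: str = "gate") -> list[str]:
    """Return the list of gaps found; an empty list means the gate is enforced.

    check_context is the status-check context GitHub records for the GateTest
    job. For the workflow above that is the job id 'gate' (assumption: change it
    if your job is named differently).
    """
    protection = json.loads(protection_json)
    gaps = []

    checks = protection.get("required_status_checks") or {}
    if check_context not in (checks.get("contexts") or []):
        gaps.append(f"'{check_context}' is not a required status check; "
                    "GitHub will not block the merge on it")
    if not checks.get("strict", False):
        gaps.append("strict is off: a PR can merge on a scan of code that is "
                    "behind the base branch")
    if not (protection.get("enforce_admins") or {}).get("enabled", False):
        gaps.append("enforce_admins is off: an administrator can merge a red check")
    return gaps


if __name__ == "__main__":
    # Pipe the live API response in; exit non-zero when any gap is found.
    found = audit_branch_protection(sys.stdin.read())
    for gap in found:
        print(gap)
    sys.exit(1 if found else 0)
```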

Frequently asked questions

How do I make GateTest a required check?

Add GateTest as a GitHub Action on pull_request, then enable branch protection on your default branch and select the GateTest check under 'Require status checks to pass before merging'. GitHub then blocks the merge until the check passes.

What severity blocks the merge?

Only error-severity findings fail the job by default. Warnings and info surface in the output without blocking, so the gate stops real problems without becoming noise developers route around.

Put this gate on your repo

Free preview of findings. Pay per scan — no subscription. AI auto-fix PR on the Scan + Fix tier.
