Use case

Gate on vulnerable and risky dependencies

Block builds that pull in vulnerable or unpinned packages

GateTest inventories your dependencies across ten ecosystems and fails the gate on known-vulnerable packages, wildcard or unpinned versions, missing lockfiles, and abandoned dependencies — the supply-chain layer your own code never touches.

The problem

Most of your attack surface is third-party code you didn't write and rarely read. A transitively-pulled package with a fresh CVE, a wildcard pin that lets a malicious update slip in, a dependency abandoned two years ago — none of these show up in a review of your own diff.

Gating the supply chain means evaluating the dependency graph itself, on every change to a lockfile and on a schedule, because a clean dependency today can have a CVE disclosed tomorrow.

How GateTest does it

GateTest's dependencies module resolves manifests across npm, pip, Pipenv, Poetry, go.mod, Cargo, Bundler, Composer, Maven, and Gradle, and flags wildcards, `latest` pins, missing lockfiles, deprecated packages, and git-without-rev specifiers.
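The checks above are easy to misjudge without seeing them run. The script below is an added example, not GateTest's own code or rules: it lints a constructed package.json and requirements.txt for the specifier classes the text lists (wildcards, `latest`, git URLs without a pinned revision, a manifest with no lockfile) and applies the same fail-on semantics as the workflow's `fail-on: error`. The sample manifests, severities and messages are assumptions made for the demonstration.

```python
"""Added example, not GateTest code: flag risky dependency specifiers in an
npm and a pip manifest. Sample manifests below are constructed for the demo."""
import json
import re
import tempfile
from pathlib import Path

# Constructed sample manifests: a few pinned entries, several deliberately risky.
PACKAGE_JSON = json.dumps({
    "name": "demo",
    "dependencies": {
        "express": "4.19.2",
        "lodash": "*",
        "left-pad": "latest",
        "some-lib": "git+https://github.com/example/some-lib.git",
        "other-lib": "git+https://github.com/example/other-lib.git#a1b2c3d",
        "chalk": "^5.3.0",
    },
})
REQUIREMENTS_TXT = """\
requests==2.32.3
flask>=2.0
pyyaml
git+https://github.com/example/tool.git#egg=tool
git+https://github.com/example/tool2.git@v1.4.0#egg=tool2
"""

GIT_RE = re.compile(r"^(git\+|git://|github:|https?://.*\.git)")


def check_npm_spec(name, spec):
    """Findings for one package.json specifier, as (severity, message) pairs."""
    spec = spec.strip()
    if spec in ("", "*", "x", "latest"):
        return [("error", f"{name}: unpinned specifier {spec!r}")]
    if GIT_RE.match(spec):
        # npm pins a git dependency with '#<commit-ish>'; without it HEAD moves under you
        if "#" not in spec:
            return [("error", f"{name}: git dependency without a revision")]
        return []
    if spec[0] in "^~" or any(op in spec for op in (">", "<", "||")):
        return [("warning", f"{name}: range {spec!r} relies on the lockfile")]
    return []


def check_pip_line(line):
    """Findings for one requirements.txt line."""
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    if GIT_RE.match(line):
        # pip pins a git dependency with '@<rev>' on the URL's last path segment
        url = line.split("#", 1)[0]
        if "@" not in url.rsplit("/", 1)[-1]:
            return [("error", f"{url}: git dependency without a revision")]
        return []
    m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*(?:\[[^\]]*\])?)\s*(.*)$", line)
    name, spec = m.group(1), m.group(2).strip()
    if not spec:
        return [("error", f"{name}: no version specifier")]
    if spec.startswith("=="):
        return []
    return [("warning", f"{name}: range {spec!r} relies on the lockfile")]


def check_lockfile(root, manifest, lockfiles):
    """Error if a manifest exists without any of its ecosystem's lockfiles."""
    if (root / manifest).exists() and not any((root / lf).exists() for lf in lockfiles):
        return [("error", f"{manifest}: no lockfile ({', '.join(lockfiles)})")]
    return []


def scan(root):
    """Run every check over a checkout directory and return combined findings."""
    findings = []
    pkg = root / "package.json"
    if pkg.exists():
        for name, spec in json.loads(pkg.read_text()).get("dependencies", {}).items():
            findings += check_npm_spec(name, spec)
        findings += check_lockfile(root, "package.json",
                                   ("package-lock.json", "npm-shrinkwrap.json",
                                    "yarn.lock", "pnpm-lock.yaml"))
    req = root / "requirements.txt"
    if req.exists():
        for line in req.read_text().splitlines():
            findings += check_pip_line(line)
    return findings


def gate(findings, fail_on="error"):
    """Mirror the workflow's fail-on setting: True means the gate passes."""
    order = {"warning": 0, "error": 1}
    return not any(order[sev] >= order[fail_on] for sev, _ in findings)


def run_demo():
    """Write the constructed manifests (with no lockfile) to a temp dir and scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "package.json").write_text(PACKAGE_JSON)
        (root / "requirements.txt").write_text(REQUIREMENTS_TXT)
        findings = scan(root)
    return findings, gate(findings)


if __name__ == "__main__":
    found, passed = run_demo()
    for sev, msg in found:
        print(f"{sev:7} {msg}")
    print("gate:", "pass" if passed else "FAIL")
```

On the constructed input the gate fails on six errors (two wildcard/`latest` pins, two git URLs without a revision, one bare requirement, one missing lockfile) and reports two range specifiers as warnings. Treating caret and tilde ranges as warnings rather than errors is a judgement call made here: they are safe only while a committed lockfile is honoured by the install step, so they become an error the moment the lockfile is missing.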

The CVE-feed module maps vulnerable packages to concrete version-bump fixes, so the auto-fix PR can raise the pin to a safe release rather than just reporting the problem.
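To make the mapping from advisory to version bump concrete, here is an added example that is not GateTest's code and does not use its feed: a constructed, OSV-style advisory list with half-open [introduced, fixed) ranges, a lookup that finds the lowest release clearing every range that applies, and rewriting of exact pins in a package.json and a requirements.txt. The advisory IDs, package names and versions are invented placeholders, not real vulnerabilities.

```python
"""Added example, not GateTest code: match pinned packages against a constructed
advisory feed and rewrite each affected pin to the lowest release that clears
every applicable range. All advisories and packages here are fictional."""
import json
import re

# Constructed, OSV-like records: each affects [introduced, fixed) for one package.
ADVISORIES = [
    {"id": "EXAMPLE-A", "ecosystem": "npm", "package": "examplepkg",
     "introduced": "0.0.0", "fixed": "4.17.21"},
    {"id": "EXAMPLE-B", "ecosystem": "PyPI", "package": "demo-http",
     "introduced": "2.3.0", "fixed": "2.31.0"},
    # A second range that starts exactly where EXAMPLE-B's fix lands, so a naive
    # bump to 2.31.0 would still be vulnerable.
    {"id": "EXAMPLE-C", "ecosystem": "PyPI", "package": "demo-http",
     "introduced": "2.31.0", "fixed": "2.32.0"},
]

# Constructed manifests with exact pins.
MANIFEST_JSON = json.dumps({"dependencies": {"examplepkg": "4.17.20", "safe-lib": "1.2.3"}})
REQUIREMENTS = "demo-http==2.30.0\nother==1.0.0\n"


def parse_version(v):
    """Numeric dotted versions only ('4.17.20' -> (4, 17, 20)); no pre-releases."""
    if not re.fullmatch(r"\d+(\.\d+)*", v):
        raise ValueError(f"unsupported version string {v!r}")
    return tuple(int(p) for p in v.split("."))


def affecting(ecosystem, package, version, advisories):
    """Advisories whose [introduced, fixed) range contains the given version."""
    ver = parse_version(version)
    return [a for a in advisories
            if a["ecosystem"] == ecosystem and a["package"] == package
            and parse_version(a["introduced"]) <= ver < parse_version(a["fixed"])]


def find_fix(ecosystem, package, current, advisories=ADVISORIES):
    """Return (ids hitting `current`, lowest safe version) or None if clean.

    Raising to the highest 'fixed' among the hits clears them, but that new
    version may sit inside another range, so iterate until nothing applies."""
    hits = affecting(ecosystem, package, current, advisories)
    if not hits:
        return None
    target = current
    for _ in range(len(advisories) + 1):
        still = affecting(ecosystem, package, target, advisories)
        if not still:
            break
        target = max((a["fixed"] for a in still), key=parse_version)
    return [a["id"] for a in hits], target


def bump_package_json(text):
    """Rewrite exact npm pins; returns (new text, [(name, old, new, ids)])."""
    doc = json.loads(text)
    changes = []
    for name, spec in doc.get("dependencies", {}).items():
        if not re.fullmatch(r"\d+(\.\d+)*", spec):
            continue  # ranges are resolved by the lockfile, not by this rewrite
        fix = find_fix("npm", name, spec)
        if fix:
            ids, target = fix
            doc["dependencies"][name] = target
            changes.append((name, spec, target, ids))
    return json.dumps(doc, indent=2) + "\n", changes


def bump_requirements(text):
    """Rewrite 'name==x.y.z' lines; returns (new text, [(name, old, new, ids)])."""
    out, changes = [], []
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==(\d+(?:\.\d+)*)\s*$", line)
        if m:
            fix = find_fix("PyPI", m.group(1), m.group(2))
            if fix:
                ids, target = fix
                changes.append((m.group(1), m.group(2), target, ids))
                line = f"{m.group(1)}=={target}"
        out.append(line)
    return "\n".join(out) + "\n", changes


if __name__ == "__main__":
    for fn, src in ((bump_package_json, MANIFEST_JSON), (bump_requirements, REQUIREMENTS)):
        new_text, changes = fn(src)
        for name, old, new, ids in changes:
            print(f"{name}: {old} -> {new}  ({', '.join(ids)})")
        print(new_text)
```

Two things the example makes visible that a plain "bump to the fixed version" rule hides. First, the iteration in `find_fix`: on the constructed feed, demo-http 2.30.0 is hit by EXAMPLE-B, whose fix 2.31.0 lands inside EXAMPLE-C, so the pin ends at 2.32.0. Second, the result can cross a major version, and the rewrite does nothing to check that; whatever opens the auto-fix PR, it still has to pass your test suite before it merges. Real feeds also carry pre-release and ecosystem-specific version syntax that this numeric-only parser rejects on purpose rather than misorder.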

# .github/workflows/gatetest.yml
name: GateTest
on:
  pull_request:
  # periodic re-scan: a clean dependency today can have a CVE disclosed tomorrow
  schedule:
    - cron: "0 6 * * *"
jobs:
  gate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: crclabs-hq/gatetest-action@v1
        with:
          suite: full
          # error-severity findings fail the job and block the merge
          fail-on: error

Steps

  1. Run GateTest with the dependencies and CVE-feed modules (included in the full suite).
  2. Fail the gate on error-severity dependency findings.
  3. On Scan + Fix, accept the version-bump PR GateTest opens.
  4. Schedule a periodic re-scan to catch newly-disclosed CVEs.

Frequently asked questions

Which ecosystems does GateTest cover?

The dependencies module is polyglot: npm, pip, Pipenv, Poetry, go.mod, Cargo, Bundler, Composer, Maven, and Gradle. It runs with zero network calls against your manifests and lockfiles.

Can it fix a vulnerable dependency automatically?

On the Scan + Fix tier, yes. The CVE-feed module maps a vulnerable package to a safe version, and the auto-fix PR raises the pin in package.json / requirements.txt / Cargo.toml accordingly.

Put this gate on your repo

Free preview of findings. Pay per scan — no subscription. AI auto-fix PR on the Scan + Fix tier.
