Gate on vulnerable and risky dependencies
Block builds that pull in vulnerable or unpinned packages
GateTest inventories your dependencies across ten ecosystems and fails the gate on known-vulnerable packages, wildcard or unpinned versions, missing lockfiles, and abandoned dependencies — the supply-chain layer your own code never touches.
The problem
Most of your attack surface is third-party code you didn't write and rarely read. A transitively pulled package with a fresh CVE, a wildcard pin that lets a malicious update slip in, a dependency abandoned two years ago — none of these show up in a review of your own diff.
Gating the supply chain means evaluating the dependency graph itself, on every change to a lockfile and on a schedule, because a clean dependency today can have a CVE disclosed tomorrow.
How GateTest does it
GateTest's dependencies module resolves manifests across npm, pip, Pipenv, Poetry, go.mod, Cargo, Bundler, Composer, Maven, and Gradle, and flags wildcards, `latest` pins, missing lockfiles, deprecated packages, and git-without-rev specifiers.
The CVE-feed module maps vulnerable packages to concrete version-bump fixes, so the auto-fix PR can raise the pin to a safe release rather than just reporting the problem.
# .github/workflows/gatetest.yml
name: GateTest
on:
  pull_request:
jobs:
  gate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: crclabs-hq/gatetest-action@v1
        with:
          suite: full
          # error-severity findings fail the job and block the merge
          fail-on: error
Steps
1. Run GateTest with the dependencies and CVE-feed modules (included in the full suite).
2. Fail the gate on error-severity dependency findings.
3. On Scan + Fix, accept the version-bump PR GateTest opens.
4. Schedule a periodic re-scan to catch newly disclosed CVEs.
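One way to implement the pin-hygiene part of such a gate, as an added example that is not GateTest's code: it classifies npm and pip specifiers into the wildcard/`latest`, range and git-without-rev classes named above and flags a missing npm lockfile. The sample repository, package names and `example.invalid` hosts are constructed.

```python
# Added example, not GateTest's code: a minimal pin-hygiene gate; the sample repo below is constructed.
import json
import re

NPM_LOCKFILES = ("package-lock.json", "npm-shrinkwrap.json", "yarn.lock", "pnpm-lock.yaml")
PIP_REQ = re.compile(r"^[^\s<>=!~\[;]+(\[[^\]]*\])?\s*(.*)$")  # name[extras] then the version clause

def classify_npm(spec):  # -> finding label, or None if spec is an exact version
    if spec in ("", "*", "latest", "x") or spec.endswith((".x", ".*")):
        return "wildcard-or-latest"
    if spec.startswith(("git+", "git://", "github:")):      # a git URL is only pinned with #<commit>
        return None if "#" in spec else "git-without-rev"
    if spec[0] in "^~<>" or "||" in spec or " - " in spec:   # caret/tilde/comparator/OR/hyphen ranges
        return "unpinned-range"
    return None

def classify_pip(line):  # -> finding label for one requirements.txt line, or None if pinned with ==
    if line.startswith("git+"):   # expected shape: git+https://host/repo.git@<rev>#egg=name
        return None if "@" in line.split("#", 1)[0].rsplit("/", 1)[-1] else "git-without-rev"
    spec = PIP_REQ.match(line).group(2)
    if not spec or "*" in spec:   # bare name or ==1.* resolves to whatever is newest on the index
        return "wildcard-or-latest"
    return None if "==" in spec else "unpinned-range"

def gate(files):  # files: {path: text} -> list of (ecosystem, subject, finding)
    findings = []
    if "package.json" in files:
        if not any(lock in files for lock in NPM_LOCKFILES):
            findings.append(("npm", "package.json", "missing-lockfile"))
        for section in ("dependencies", "devDependencies"):
            for name, spec in json.loads(files["package.json"]).get(section, {}).items():
                if label := classify_npm(spec.strip()):
                    findings.append(("npm", f"{name}@{spec}", label))
    for raw in files.get("requirements.txt", "").splitlines():
        line = raw.strip().split(" #", 1)[0].strip()          # drop a trailing comment
        if line and not line.startswith(("#", "-")):          # skip blanks, comments, -r/-e options
            if label := classify_pip(line):
                findings.append(("pip", line, label))
    return findings

SAMPLE_REPO = {  # constructed; deliberately has no npm lockfile
    "package.json": json.dumps({"dependencies": {"express": "4.19.2", "lodash": "^4.17.21", "left-pad": "*",
                                                 "mylib": "git+https://example.invalid/mylib.git"},
                                "devDependencies": {"jest": "latest"}}),
    "requirements.txt": "requests==2.32.3\nflask>=2.0  # loose\npyyaml\ngit+https://example.invalid/tool.git#egg=tool\n",
}

if __name__ == "__main__":
    for finding in gate(SAMPLE_REPO):
        print(*finding)   # each line is a finding a `fail-on: error` gate would block the merge on
```

Running it against the sample repo yields eight findings: the missing lockfile, four npm specifiers and three pip lines; only `express` and `requests` pass.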
Frequently asked questions
Which ecosystems does GateTest cover?
The dependencies module is polyglot: npm, pip, Pipenv, Poetry, go.mod, Cargo, Bundler, Composer, Maven, and Gradle. It runs with zero network calls against your manifests and lockfiles.
Can it fix a vulnerable dependency automatically?
On the Scan + Fix tier, yes. The CVE-feed module maps a vulnerable package to a safe version, and the auto-fix PR raises the pin in package.json / requirements.txt / Cargo.toml accordingly.
Put this gate on your repo
Free preview of findings. Pay per scan — no subscription. AI auto-fix PR on the Scan + Fix tier.