One command. Four artifacts.
SecGate runs whatever scanners are on your $PATH and produces this — every finding traces to a named tool.
One JSON report
Normalized findings across every scanner, with a deterministic 0–100 security score for CI dashboards.
One HTML report
Per-scanner tabs, dark mode, zero external assets — a single self-contained file.
One SARIF file
SARIF 2.1.0, ready to upload straight to GitHub Code Scanning.
One exit code
1 on CRITICAL or HIGH findings — blocks the pipeline. No babysitting.
98% of the noise, demoted
The wrapped scanners are each noisy in isolation — an industry estimate puts ~70% of raw SAST/SCA output as signal-less. SecGate's job is to surface what's actionable and demote the rest. Dogfooded against a 2,628-file production codebase:
Findings are never dropped — demotion is presentation-only and the exit code is unchanged. The default curated profile collapses known-noisy patterns (license rows, base-image LOW/MED CVEs, 5-year-old non-critical CVEs) into an Informational block. Run --profile strict for a full audit view.
Security Score
Every run produces a deterministic 0–100 score alongside the binary gate. Sample below.
Penalty per finding: CRITICAL −25 · HIGH −10 · MEDIUM −3 · LOW −1. Thresholds: green ≥ 90, amber ≥ 70, red < 70. The binary gate (exit 1 on CRITICAL/HIGH) is independent — the score is for trend tracking.
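The scoring rule and the independent gate above, worked through as an added JavaScript example (not SecGate's own code). It assumes the score starts at 100 and is clamped at 0, and runs on constructed sample findings:

```javascript
// Added illustration, not SecGate's own code. Assumptions: the score starts at 100,
// each finding subtracts its penalty, and the result is clamped at 0. Demoted
// findings still count, since demotion is presentation-only.
const PENALTY = { CRITICAL: 25, HIGH: 10, MEDIUM: 3, LOW: 1 };

function securityScore(findings) {
  const total = findings.reduce((sum, f) => sum + (PENALTY[f.severity] ?? 0), 0);
  return Math.max(0, 100 - total);
}

// Thresholds from the page: green >= 90, amber >= 70, red below 70.
function scoreBand(score) {
  if (score >= 90) return "green";
  if (score >= 70) return "amber";
  return "red";
}

// The binary gate is independent of the score: any CRITICAL or HIGH finding -> exit 1.
function gateExitCode(findings) {
  return findings.some((f) => f.severity === "CRITICAL" || f.severity === "HIGH") ? 1 : 0;
}

// Deterministic report: sort on a stable key with a plain (not locale-aware)
// string comparison so the same findings serialise byte-identically no matter
// which order the scanners returned them.
function reportJson(findings) {
  const key = (f) => `${f.tool}|${f.rule}|${f.file}|${f.line}`;
  const sorted = [...findings].sort((a, b) => (key(a) < key(b) ? -1 : key(a) > key(b) ? 1 : 0));
  const score = securityScore(sorted);
  return JSON.stringify({ score, band: scoreBand(score), exitCode: gateExitCode(sorted), findings: sorted });
}

// Constructed sample findings (placeholder rule ids); each traces to a named scanner.
const SAMPLE = [
  { tool: "gitleaks", rule: "api-key-placeholder", file: "config/.env", line: 3, severity: "HIGH" },
  { tool: "semgrep", rule: "xss-placeholder", file: "src/app.js", line: 42, severity: "MEDIUM" },
  { tool: "trivy", rule: "base-image-cve-placeholder", file: "Dockerfile", line: 1, severity: "LOW" },
  { tool: "osv-scanner", rule: "advisory-placeholder", file: "package-lock.json", line: 0, severity: "LOW" },
];
```

With the sample above the score is 85 (amber) while the gate still exits 1 because of the single HIGH finding; drop that finding and the score rises to 95 (green) with exit 0.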
The five scanners
Missing binaries are skipped gracefully and noted in the report. No scanner is required.
| Scanner | Category | Network |
|---|---|---|
| Semgrep | SAST — static code, 10+ languages, OSS ruleset | Local |
| Gitleaks | Secrets — working tree + git history, redacted | Local |
| npm audit | SCA — Node dependency tree | Network |
| osv-scanner | Polyglot SCA — npm, PyPI, Go, Cargo, Maven, more | Network |
| Trivy | IaC + license + base-image CVEs | Network |
SecGate itself makes no network calls — no telemetry, no phone-home. But three of the five wrapped scanners query advisory databases to do their job. "No telemetry" is exact; "fully air-gapped" is not — run offline and the network scanners degrade or skip, which SecGate reports.
What SecGate is — and isn't
SecGate is a CI gate, not a SOC platform, a compliance tool, or a vulnerability-management system.
- It is zero-config orchestration. Five industry-standard scanners, one command, one normalized report, one exit code. MIT.
- It is local-output-only. The report lands as files on your disk. No account, no dashboard, no hosted state.
- It is honest about noise. The curated profile demotes — it never deletes. Suppressed findings get their own audited block with per-rule counts.
- It is not a defect oracle. Every finding originates from one of the five underlying tools — SecGate ships no analysis engine of its own.
- It is not SaaS-grade triage. Need a managed vuln DB, Jira sync, or compliance workflow? Buy Snyk or Aikido — SecGate's niche is the gate.
Drop it into CI
Exit 1 on CRITICAL or HIGH findings blocks the pipeline. One line:
```yaml
# .github/workflows/secgate.yml
- name: Run SecGate
  run: npx @stelnyx/secgate .   # exits 1 on CRITICAL or HIGH findings — blocks the pipeline
```
A composite GitHub Action is published at Stelnyx/SecGate/.github/actions/secgate@main — emits JSON, HTML and SARIF, and exposes a sarif-path output for direct upload to Code Scanning. Adopt on a legacy repo with the baseline workflow: --update-baseline once, then --baseline fails only on net-new findings.
Common questions
- Does my code leave my machine?
- SecGate itself makes no network calls and writes the report locally. But npm audit, osv-scanner and Trivy query advisory databases — they send dependency manifests / image coordinates, not your source. Air-gapped CI runs SecGate fine; those three scanners degrade or skip and SecGate reports it.
- Is it deterministic?
- Yes. Same findings produce JSON-byte-identical output, score and gate status every run. Two test suites lock the contract: `determinism.mjs` and an 11-finding `golden-secgate.mjs` fixture.
- What do I need installed?
- Node ≥ 18. The external scanners are optional — install only the ones you want (`brew install semgrep gitleaks osv-scanner trivy`). Missing binaries are skipped and noted.
- Will it overwhelm me with findings on a legacy repo?
- No. The curated profile demotes ~98% of scanner noise to a collapsed Informational block, and the baseline workflow lets you accept the current state and fail only on net-new findings.
- What does it cost?
- Nothing. MIT licensed, published on npm with provenance.
`npx @stelnyx/secgate .` and you're done.
Gate your pipeline now
No install, no signup, no config required. Point it at a directory.