Gatekeep
Gatekeep is the detective layer of ticketyboo. It takes the findings produced by a scan, evaluates them against the gates defined in your devcontract.json, and returns a structured verdict. Gatekeep does not analyse code; it evaluates evidence.
What Gatekeep does
When a scan completes, Gatekeep:
- Reads devcontract.json from the repository root.
- For each gate in the contract, counts findings that match the gate's category and severity.
- Compares the count against the gate's threshold.
- Returns a verdict: passed, passed_with_warnings, or failed.
The verdict and a breakdown of each gate's result are included in the scan report JSON, which is retrievable from GET /api/scan/{id}/report.
The three roles: preventative, detective, productive
ticketyboo is structured around three roles that work together:
| Role | Component | When it runs | What it does |
|---|---|---|---|
| Preventative | Contracts (devcontract.json) | Before work begins | Defines the standards the service must meet |
| Detective | Gatekeep | After each scan | Measures the service against those standards |
| Productive | ticketyboo-gate extension | During development | Surfaces the Contract in the IDE before a scan is needed |
Gatekeep is useful only when a Contract exists. Without a devcontract.json, scans still produce findings, but there is no standard to evaluate them against.
Scan types and Gatekeep
Gatekeep evaluates whatever findings the scan produced. Shallow scans cover five categories; deep scans cover all nine. Gates targeting deep-only categories (secret, sast, iac, license, code_quality) will see no findings on a shallow scan and will pass by default.
For gates where a false pass on a shallow scan would be unacceptable, add a note in the gate's description stating that a deep scan is required, and enforce deep scanning in your CI pipeline.
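The evaluation steps listed under "What Gatekeep does", together with the shallow-scan caveat above, as an added example that is not ticketyboo's own code. The devcontract.json schema used here (a top-level "gates" list whose entries carry "name", "category", "severities", "threshold" and an optional "description") is an assumption made for this example, as is the "dependency" category name in the constructed findings; the page only names the five deep-only categories. The example goes one step beyond the page: a gate whose category was not covered by the scan is marked not_scanned and turns a clean pass into passed_with_warnings, so a vacuous pass is visible in the report rather than silent.

```python
"""Evaluate scan findings against the gates of a devcontract.json.

Added example, not ticketyboo's own code. The contract schema below is
assumed for this example; the real devcontract.json schema is not shown.
"""
import json

# Categories the page lists as covered only by a deep scan.
DEEP_ONLY_CATEGORIES = {"secret", "sast", "iac", "license", "code_quality"}

# Constructed contract (assumed schema), embedded so the example runs
# offline without a repository checkout.
CONTRACT_JSON = """
{
  "gates": [
    {"name": "no-critical-deps", "category": "dependency",
     "severities": ["critical"], "threshold": 0},
    {"name": "few-high-deps", "category": "dependency",
     "severities": ["high", "critical"], "threshold": 2},
    {"name": "no-secrets", "category": "secret",
     "severities": ["high", "critical"], "threshold": 0,
     "description": "Requires deep scan"}
  ]
}
"""

# Constructed findings from a shallow scan. "dependency" is a placeholder
# category name; the page does not list the shallow-scan categories.
SHALLOW_FINDINGS = [
    {"category": "dependency", "severity": "high", "id": "F-1"},
    {"category": "dependency", "severity": "high", "id": "F-2"},
    {"category": "dependency", "severity": "low", "id": "F-3"},
]

# Constructed findings from a deep scan: the same plus one leaked secret.
DEEP_FINDINGS = SHALLOW_FINDINGS + [
    {"category": "secret", "severity": "critical", "id": "F-4"},
]


def count_matching(findings, gate):
    """Count findings whose category and severity both match the gate."""
    severities = set(gate["severities"])
    return sum(1 for f in findings
               if f["category"] == gate["category"]
               and f["severity"] in severities)


def evaluate(contract, findings, scan_type):
    """Return a verdict plus a per-gate breakdown.

    Verdict rules used by this example:
      failed               - at least one gate exceeded its threshold
      passed_with_warnings - no gate failed, but a deep-only gate was
                             evaluated on a shallow scan (vacuous pass)
      passed               - everything else
    The warning rule is this example's own choice; the page only says such
    gates pass by default on a shallow scan.
    """
    results = []
    for gate in contract["gates"]:
        not_scanned = (scan_type == "shallow"
                       and gate["category"] in DEEP_ONLY_CATEGORIES)
        count = 0 if not_scanned else count_matching(findings, gate)
        results.append({
            "gate": gate["name"],
            "count": count,
            "threshold": gate["threshold"],
            "status": "failed" if count > gate["threshold"] else "passed",
            "not_scanned": not_scanned,
        })
    if any(r["status"] == "failed" for r in results):
        verdict = "failed"
    elif any(r["not_scanned"] for r in results):
        verdict = "passed_with_warnings"
    else:
        verdict = "passed"
    return {"verdict": verdict, "gates": results}


if __name__ == "__main__":
    contract = json.loads(CONTRACT_JSON)
    print(json.dumps(evaluate(contract, SHALLOW_FINDINGS, "shallow"), indent=2))
    print(json.dumps(evaluate(contract, DEEP_FINDINGS, "deep"), indent=2))
```

On the shallow findings the two dependency gates pass (0 critical, 2 high against a threshold of 2) and the secret gate is not scanned, so the verdict is passed_with_warnings; on the deep findings the secret gate counts one critical finding and the verdict is failed. A CI job can key on not_scanned to refuse a shallow-scan verdict for gates whose description says a deep scan is required.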