
Enforcement

Enforce engineering standards
at PR review time.

Gatekeep checks every pull request against your active DevContracts. Six analysis layers run in parallel. Findings are posted as PR comments. PRs that fail critical gates do not merge. Every run produces a signed evidence file.

How it works

Contracts define the gates.
Gatekeep enforces them.

The workflow is the same for every PR. No manual configuration per repository. The Contract specifies the rules. Gatekeep applies them consistently.

Step 01

PR is raised

A pull request is opened against a repository with an active ticketyboo Contract. Gatekeep receives the webhook from the GitHub App and begins the scan. No manual trigger required.

Step 02

Six layers run

All six analysis layers run in parallel: secret detection, dependency audit, SAST, IaC review, licence compliance, code quality. Each layer is deterministic: the same inputs produce the same outputs on every run. For the dependency audit the inputs include the advisory data consulted, so a re-run against unchanged code can still surface an advisory published since the previous run.

Step 03

Findings posted, evidence signed

Findings are posted as a structured PR comment, grouped by severity. Critical findings block the merge. An evidence.json file is produced, carrying a SHA-256 digest of its contents and a timestamp, and is stored in S3. The audit record exists independently of the PR itself.

Scan layers

Six layers. All deterministic.

Each layer is an independent analysis module. Layers run in parallel and their findings are aggregated into a single report. Severity is classified per finding: critical, high, medium, low, info.

Secret detection

Regex patterns match AWS access keys, private keys, database URLs, API tokens, OAuth secrets, and JWT tokens. Shannon entropy analysis flags high-entropy string values in variable assignments, catching credentials that match no known format. Placeholder values are suppressed to reduce false positives. Matched values are redacted in output.

AWS keys private keys DB URLs entropy scoring
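A minimal version of the detection approach described above, added here as an illustration rather than Gatekeep's own code: format regexes, a Shannon entropy check on string values assigned to secret-looking names, placeholder suppression, and redaction of matched values. The patterns, the 4.0 bits-per-character threshold and the sample file are constructed for this example; the two AKIA values are the documented AWS example key and a made-up one, neither live.

```python
import math
import re

# Format-specific patterns. The AWS access key ID shape (AKIA/ASIA + 16 uppercase
# alphanumerics) is the documented one; the other patterns are illustrative.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "database_url": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis)://[^\s'\"]+:[^\s'\"]+@[^\s'\"]+"
    ),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b"),
}

# A string literal assigned to a secret-looking name; the value goes to the entropy check.
ASSIGNMENT = re.compile(
    r"(?i)\b([a-z_]*(?:secret|token|password|passwd|api_?key)[a-z_]*)\s*[=:]\s*['\"]([^'\"]{12,})['\"]"
)

# Obvious placeholders, suppressed to cut false positives.
PLACEHOLDER = re.compile(r"(?i)example|changeme|placeholder|your[_-]|dummy|<[^>]+>|\$\{[^}]+\}")

ENTROPY_THRESHOLD = 4.0   # bits per character; chosen for this example, not the product's value
MIN_LENGTH = 20


def shannon_entropy(value: str) -> float:
    """Bits per character. English-like text sits around 3.5-4.5; random
    base64-style material of 20+ characters is usually above 4.5."""
    if not value:
        return 0.0
    n = len(value)
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_placeholder(value: str) -> bool:
    return bool(PLACEHOLDER.search(value)) or len(set(value)) <= 2


def redact(value: str) -> str:
    """Keep a short prefix so the finding is recognisable, never the full value."""
    return value[:4] + "*" * (len(value) - 4)


def scan_text(text: str) -> list:
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(0)
                if is_placeholder(value):
                    continue
                findings.append({"kind": kind, "line": lineno, "redacted": redact(value)})
        m = ASSIGNMENT.search(line)
        if m and not any(f["line"] == lineno for f in findings):
            value = m.group(2)
            entropy = shannon_entropy(value)
            if len(value) >= MIN_LENGTH and entropy >= ENTROPY_THRESHOLD and not is_placeholder(value):
                findings.append({"kind": "high_entropy_assignment", "line": lineno,
                                 "name": m.group(1), "entropy": round(entropy, 2),
                                 "redacted": redact(value)})
    return findings


# Constructed sample config; none of these values are live credentials.
SAMPLE = """\
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_ACCESS_KEY_ID = "AKIAQ7PZ3M9XLT2VW8KH"
AWS_SECRET_ACCESS_KEY = "k9Qz2mXp7Lb4Vn8Rt3Wj6Yh1Gc5Fd0Sa"
API_TOKEN = "xxxxxxxxxxxxxxxxxxxxxxxx"
GITHUB_TOKEN = "<your-token-here>"
DATABASE_URL = "postgres://app:s3cr3tPa55@db.internal:5432/app"
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE):
        print(finding)
```

Line 1 is a regex hit that the placeholder filter suppresses (it contains EXAMPLE), line 2 is reported by format, line 3 matches no format and is caught only by entropy (32 distinct characters, 5.0 bits per character), lines 4 and 5 are placeholders, and line 6 is a credentialled database URL. Entropy thresholds trade recall against noise: hex-encoded secrets peak at 4.0 bits per character, so a real scanner keys the threshold to the character set it detects.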

Dependency audit

Parses manifest files across Python (requirements.txt, Pipfile, pyproject.toml), Node (package.json, package-lock.json), Go (go.mod, go.sum), and Ruby (Gemfile). Cross-references the GitHub Security Advisory Database for known CVEs. Flags unpinned dependencies as supply chain risk.

CVE lookup unpinned deps Python / Node / Go / Ruby
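An added example of the manifest parsing and pin checking described above; it is not the product's parser, and it stops short of the advisory lookup, which needs network access. It handles requirements.txt and package.json only. The sample manifests are constructed, and the severity choices are this example's own, including the rule that a range in package.json matters less when a committed package-lock.json pins the resolved tree.

```python
import json
import re

# Constructed sample manifests, not taken from any real repository.
REQUIREMENTS_TXT = """\
# comments and blank lines are ignored
requests>=2.0          # version range, not a pin
Django==4.2.11         # exact pin
pyyaml                 # no specifier at all
cryptography~=41.0     # compatible-release range
-e git+https://github.com/org/lib.git#egg=lib
"""

PACKAGE_JSON = """\
{
  "name": "demo",
  "dependencies": {
    "express": "^4.18.2",
    "lodash": "4.17.21",
    "left-pad": "*",
    "internal": "git+ssh://git@github.com/org/internal.git"
  }
}
"""

# pip treats '#' as a comment only at line start or after whitespace, so the
# '#egg=' fragment inside a VCS URL must survive comment stripping.
COMMENT = re.compile(r"(^|\s)#.*$")
REQ_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*(.*)$")
EXACT_SEMVER = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$")


def audit_requirements(text: str) -> list:
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = COMMENT.sub("", raw).strip()
        if not line:
            continue
        if line.startswith("-"):
            # -e / -r / VCS installs do not resolve to an auditable registry version
            findings.append({"line": lineno, "name": line.split()[-1],
                             "issue": "vcs_or_option", "severity": "high"})
            continue
        m = REQ_LINE.match(line)
        if not m:
            continue
        name, spec = m.group(1), m.group(2).strip()
        if spec.startswith("=="):
            continue                      # exactly pinned
        findings.append({"line": lineno, "name": name,
                         "issue": f"unpinned:{spec or '<none>'}",
                         "severity": "medium" if spec else "high"})
    return findings


def audit_package_json(text: str, lockfile_committed: bool = False) -> list:
    """Ranges in package.json are only a real risk when no lockfile pins the
    resolved tree, so severity drops when package-lock.json is committed."""
    pkg = json.loads(text)
    findings = []
    for section in ("dependencies", "devDependencies"):
        for name, spec in pkg.get(section, {}).items():
            if EXACT_SEMVER.match(spec):
                continue
            if "://" in spec or spec.startswith(("git", "github:", "file:")):
                findings.append({"section": section, "name": name, "spec": spec,
                                 "issue": "vcs_or_url", "severity": "high"})
            else:
                findings.append({"section": section, "name": name, "spec": spec,
                                 "issue": "unpinned_range",
                                 "severity": "low" if lockfile_committed else "medium"})
    return findings


if __name__ == "__main__":
    for finding in audit_requirements(REQUIREMENTS_TXT) + audit_package_json(PACKAGE_JSON):
        print(finding)
```

The advisory step that this example omits needs the resolved version of each package, which for ranges means reading the lockfile (package-lock.json, go.sum) rather than the manifest; a range specifier alone cannot be matched against a vulnerable version range.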

SAST

AST-based analysis for Python files: command injection (subprocess calls with shell=True), SQL injection (queries built by string formatting), insecure deserialization and dynamic code execution (pickle.loads, yaml.load without a safe Loader, eval), path traversal (open() with a variable path), and weak cryptography (MD5, SHA1). Regex-based analysis for JavaScript, Go, and Ruby.

command injection SQL injection deserialization weak crypto
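The Python AST checks described above, as an added example that is not Gatekeep's implementation. The sample module is constructed to trigger each rule once alongside a safe counterpart (a parameterised query, yaml.load with an explicit Loader, a list-form subprocess call); the severity values are this example's.

```python
import ast

# Constructed sample: one instance of each pattern plus safe counterparts.
SAMPLE = '''\
import hashlib, os, pickle, subprocess, yaml

def run(cmd):
    return subprocess.run("ls " + cmd, shell=True)

def user(cur, uid):
    return cur.execute("SELECT * FROM users WHERE id = %s" % uid)

def load(blob, doc):
    a = pickle.loads(blob)
    b = yaml.load(doc)
    return a, b

def read(name):
    return open(os.path.join("/srv/files", name)).read()

def digest(data):
    return hashlib.md5(data).hexdigest()

def ok(cur, uid, doc):
    cur.execute("SELECT * FROM users WHERE id = %s", (uid,))
    return yaml.load(doc, Loader=yaml.SafeLoader), subprocess.run(["ls", "-l"])
'''

SHELL_FUNCS = {"subprocess.run", "subprocess.Popen", "subprocess.call",
               "subprocess.check_call", "subprocess.check_output"}


def dotted(node):
    """'a.b.c' for a Name or Attribute chain, None for anything else (e.g. a call result)."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def keyword(call, name):
    return next((k.value for k in call.keywords if k.arg == name), None)


def is_dynamic_string(node):
    """% formatting, f-strings, concatenation, or .format() on the query."""
    return (isinstance(node, ast.JoinedStr)
            or (isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)))
            or (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "format"))


class Sast(ast.NodeVisitor):
    def __init__(self):
        self.findings = []

    def report(self, node, severity, title):
        self.findings.append({"line": node.lineno, "severity": severity, "title": title})

    def visit_Call(self, node):
        fn = dotted(node.func) or ""
        shell = keyword(node, "shell")
        if fn == "os.system" or (fn in SHELL_FUNCS and isinstance(shell, ast.Constant)
                                 and shell.value is True):
            self.report(node, "high", "command injection: shell command from a string")
        if fn.endswith(".execute") and node.args and is_dynamic_string(node.args[0]):
            self.report(node, "high", "SQL injection: query built by string formatting")
        if fn in {"pickle.loads", "pickle.load", "eval", "exec"}:
            self.report(node, "critical", f"insecure deserialization / code execution: {fn}")
        if fn == "yaml.load" and len(node.args) < 2 and keyword(node, "Loader") is None:
            self.report(node, "critical", "insecure deserialization: yaml.load without Loader")
        if fn == "open" and node.args and not isinstance(node.args[0], ast.Constant):
            self.report(node, "medium", "path traversal: open() with non-literal path")
        if fn in {"hashlib.md5", "hashlib.sha1"}:
            ufs = keyword(node, "usedforsecurity")
            if not (isinstance(ufs, ast.Constant) and ufs.value is False):
                self.report(node, "low", f"weak cryptography: {fn}")
        self.generic_visit(node)


def scan(source: str) -> list:
    visitor = Sast()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings, key=lambda f: f["line"])


if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Shape checks like these are deliberately noisy: `open()` with any non-literal path is reported even when the path is built from a trusted constant, because the AST alone does not say whether `name` came from a request. Distinguishing the two needs taint tracking from sources to sinks, which is why such findings land at medium rather than blocking severity.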

IaC review

Terraform: parses HCL2 and checks S3 buckets for missing encryption and public ACLs, security groups for 0.0.0.0/0 ingress, IAM policy documents for wildcard actions, RDS instances for missing storage encryption. CloudFormation: structural detection, then checks S3 public access blocks and EC2 security group ingress rules.

Terraform CloudFormation S3 / SG / IAM / RDS
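An added example of the CloudFormation checks listed above, written against the JSON template form so it runs on the standard library alone; it is not the product's IaC module, and it does not cover Terraform HCL or YAML templates with short-form intrinsic tags. The template is constructed, and the rules follow the page's list: S3 public access block and default encryption, security group ingress from 0.0.0.0/0, IAM wildcard actions, RDS storage encryption.

```python
import json

# Constructed CloudFormation template (JSON form), not from any real stack.
TEMPLATE_JSON = """\
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "LogsBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {"BucketName": "org-logs"}
    },
    "DataBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketEncryption": {"ServerSideEncryptionConfiguration": [
          {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
        "PublicAccessBlockConfiguration": {
          "BlockPublicAcls": true, "BlockPublicPolicy": true,
          "IgnorePublicAcls": true, "RestrictPublicBuckets": true}
      }
    },
    "SshSg": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "ssh",
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
          {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": {"Ref": "OfficeCidr"}}
        ]
      }
    },
    "AdminPolicy": {
      "Type": "AWS::IAM::ManagedPolicy",
      "Properties": {"PolicyDocument": {"Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}
    },
    "Db": {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {"Engine": "postgres", "DBInstanceClass": "db.t3.micro"}
    }
  }
}
"""

PUBLIC_BLOCK_KEYS = ("BlockPublicAcls", "BlockPublicPolicy",
                     "IgnorePublicAcls", "RestrictPublicBuckets")


def as_list(value):
    """CloudFormation allows a single string or a list in several places."""
    return value if isinstance(value, list) else [value]


def check_template(template: dict) -> list:
    findings = []

    def add(resource, severity, title):
        findings.append({"resource": resource, "severity": severity, "title": title})

    for name, res in template.get("Resources", {}).items():
        rtype = res.get("Type", "")
        props = res.get("Properties") or {}
        if rtype == "AWS::S3::Bucket":
            pab = props.get("PublicAccessBlockConfiguration") or {}
            # all four flags must be literally true; a missing block fails too
            if not all(pab.get(k) is True for k in PUBLIC_BLOCK_KEYS):
                add(name, "high", "S3 bucket without a complete public access block")
            if "BucketEncryption" not in props:
                add(name, "medium", "S3 bucket without default encryption")
        elif rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                cidr = rule.get("CidrIp", rule.get("CidrIpv6"))
                if isinstance(cidr, dict):
                    # Ref / Fn::* cannot be resolved statically; report, do not block
                    add(name, "info", f"ingress CIDR is {cidr}; resolve at deploy time")
                elif cidr in ("0.0.0.0/0", "::/0"):
                    add(name, "high", f"ingress from {cidr} on ports "
                                      f"{rule.get('FromPort')}-{rule.get('ToPort')}")
        elif rtype in ("AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"):
            doc = props.get("PolicyDocument") or {}
            for st in as_list(doc.get("Statement", [])):
                actions = as_list(st.get("Action", []))
                if st.get("Effect") == "Allow" and any(a == "*" or a.endswith(":*") for a in actions):
                    add(name, "critical", f"IAM policy allows wildcard action {actions}")
        elif rtype == "AWS::RDS::DBInstance":
            if props.get("StorageEncrypted") is not True:
                add(name, "medium", "RDS instance without storage encryption")
    return findings


def scan_json(text: str) -> list:
    return check_template(json.loads(text))


if __name__ == "__main__":
    for finding in scan_json(TEMPLATE_JSON):
        print(finding)
```

The parameterised CIDR on the second ingress rule is the case a static check cannot decide: it may be a corporate range or 0.0.0.0/0 supplied at deploy time, so the example reports it at info rather than passing it silently.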

Licence compliance

Detects license files by filename (LICENSE, LICENCE, COPYING variants). Classifies against known SPDX identifiers including MIT, Apache-2.0, GPL-2.0/3.0, AGPL-3.0, MPL-2.0, BSD variants. Flags copyleft licenses in commercial repositories. Cross-references package.json license field for consistency.

SPDX classification copyleft detection package.json check

Code quality

Python AST analysis across up to 50 files per repository. Cyclomatic complexity per function (threshold: 15). Long function detection (threshold: 100 lines). Long file detection (threshold: 500 lines). Type hint coverage below 50 percent. TODO, FIXME, HACK, and XXX marker density above threshold.

complexity type hints TODO density
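The metrics described above computed over a constructed module, added as an example and not Gatekeep's code. Thresholds are the page's where it states them (complexity 15, 100-line functions, 500-line files, 50 percent type hint coverage); the marker density threshold of 5 per 100 lines is this example's assumption, since the page does not give its value.

```python
import ast
import re

# Thresholds from the page; the marker density value is this example's assumption.
MAX_COMPLEXITY = 15
MAX_FUNCTION_LINES = 100
MAX_FILE_LINES = 500
MIN_HINT_COVERAGE = 0.5
MAX_MARKERS_PER_100_LINES = 5.0
MARKER = re.compile(r"#.*\b(TODO|FIXME|HACK|XXX)\b")

BRANCH_NODES = (ast.If, ast.For, ast.AsyncFor, ast.While, ast.IfExp, ast.ExceptHandler, ast.Assert)


def cyclomatic_complexity(fn) -> int:
    """1 + one per branch point; 'and'/'or' add one per extra operand and a
    comprehension adds one per generator plus one per filter. Nested defs and
    lambdas are skipped so each function is scored on its own body."""
    complexity = 1
    stack = list(ast.iter_child_nodes(fn))
    while stack:
        node = stack.pop()
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.Lambda)):
            continue
        if isinstance(node, BRANCH_NODES):
            complexity += 1
        elif isinstance(node, ast.BoolOp):
            complexity += len(node.values) - 1
        elif isinstance(node, ast.comprehension):
            complexity += 1 + len(node.ifs)
        stack.extend(ast.iter_child_nodes(node))
    return complexity


def hint_coverage(fn) -> float:
    """Fraction of annotation slots (each parameter except self/cls, plus the return) filled."""
    a = fn.args
    params = [p for p in a.posonlyargs + a.args + a.kwonlyargs if p.arg not in ("self", "cls")]
    params += [p for p in (a.vararg, a.kwarg) if p is not None]
    slots = len(params) + 1
    hinted = sum(p.annotation is not None for p in params) + (fn.returns is not None)
    return hinted / slots


def review(source: str, max_complexity: int = MAX_COMPLEXITY) -> list:
    issues = []
    lines = source.splitlines()
    if len(lines) > MAX_FILE_LINES:
        issues.append(("file", "long_file", len(lines)))
    markers = sum(1 for line in lines if MARKER.search(line))
    density = markers * 100.0 / max(len(lines), 1)
    if density > MAX_MARKERS_PER_100_LINES:
        issues.append(("file", "marker_density", round(density, 1)))
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            cc = cyclomatic_complexity(node)
            if cc > max_complexity:
                issues.append((node.name, "complexity", cc))
            length = node.end_lineno - node.lineno + 1
            if length > MAX_FUNCTION_LINES:
                issues.append((node.name, "long_function", length))
            cov = hint_coverage(node)
            if cov < MIN_HINT_COVERAGE:
                issues.append((node.name, "type_hints", round(cov, 2)))
    return issues


def metrics_of(source: str, name: str):
    """(complexity, hint coverage) for one named function, for inspection."""
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.FunctionDef) and node.name == name:
            return cyclomatic_complexity(node), hint_coverage(node)
    return None


# Constructed sample module: one clean function, one with branches and markers.
SAMPLE = '''\
def tidy(a: int, b: int) -> int:
    return a + b

def messy(x, y, items):
    # TODO: split this up
    total = 0
    if x > 0 and y > 0:
        total += 1
    elif x < 0 or y < 0:
        total -= 1
    for i in items:
        if i % 2:
            total += i
    try:
        total /= y
    except ZeroDivisionError:  # FIXME: y should be validated earlier
        total = 0
    return [i for i in items if i > total]
'''

if __name__ == "__main__":
    print(metrics_of(SAMPLE, "messy"))
    for issue in review(SAMPLE):
        print(issue)
```

With the page's thresholds `messy` scores 10 and passes the complexity gate but fails type hint coverage (0 of 4 slots annotated), and the file fails marker density (2 markers in 18 lines); lowering `max_complexity` to 8 flags it on complexity as well, which is how a Contract would tighten the gate for a critical module.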

Evidence output

Hashed and timestamped per run. Machine-readable.

Every Gatekeep run produces a structured evidence.json file, stamped with the time of the run and a SHA-256 digest of its contents, and stored in S3. The evidence file can be committed to the repository, attached to a ticket, or forwarded to an auditor. It is the compliance artefact, not a dashboard screenshot.

evidence.json — example output

{
  "scan_id": "a3f8c2d1-1234-5678-abcd-ef9012345678",
  "repo_url": "https://github.com/org/repo",
  "status": "complete",
  "finding_count": 3,
  "findings": [
    {
      "category": "secret",
      "severity": "critical",
      "title": "Hardcoded AWS Access Key",
      "file_path": "config/settings.py",
      "line_number": 47
    }
  ],
  "sha256": "a3f8c2d1e9b74056...",
  "created_at": "2026-03-28T19:51:20Z"
}

The sha256 field lets a recipient confirm that the file matches what the scan produced: recompute the digest over the record and compare. That check only detects tampering when the digest is compared against a copy held outside the file, such as the S3 record, since a plain digest is not a signature and anyone who can edit the file can recompute it. Findings include file path and line number where available. Remediation guidance is included per finding.
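An added example, not Gatekeep's implementation, of how a digest over the record can be computed and checked, and of why the caveat above matters: a record edited after the scan and re-hashed passes the digest check, while a keyed HMAC (standing in here for a signature) does not verify without the key. The canonicalisation (sorted keys, compact JSON, integrity fields excluded from the hashed payload) and the demo key are assumptions; the record is shaped like the page's example with the digest computed rather than copied.

```python
import copy
import hashlib
import hmac
import json

# Evidence record shaped like the page's example; sha256 is computed below.
EVIDENCE = {
    "scan_id": "a3f8c2d1-1234-5678-abcd-ef9012345678",
    "repo_url": "https://github.com/org/repo",
    "status": "complete",
    "finding_count": 1,
    "findings": [{"category": "secret", "severity": "critical",
                  "title": "Hardcoded AWS Access Key",
                  "file_path": "config/settings.py", "line_number": 47}],
    "created_at": "2026-03-28T19:51:20Z",
}
INTEGRITY_FIELDS = ("sha256", "hmac_sha256")


def canonical_bytes(record: dict) -> bytes:
    """Deterministic serialisation (sorted keys, no whitespace) of everything
    except the integrity fields, so the digest is reproducible by a verifier."""
    payload = {k: v for k, v in record.items() if k not in INTEGRITY_FIELDS}
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(record: dict) -> dict:
    out = dict(record)
    out["sha256"] = hashlib.sha256(canonical_bytes(record)).hexdigest()
    return out


def verify_digest(record: dict) -> bool:
    expected = hashlib.sha256(canonical_bytes(record)).hexdigest()
    return hmac.compare_digest(expected, record.get("sha256", ""))


def seal_keyed(record: dict, key: bytes) -> dict:
    """Same record plus an HMAC-SHA256 tag only the key holder can produce."""
    out = seal(record)
    out["hmac_sha256"] = hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()
    return out


def verify_keyed(record: dict, key: bytes) -> bool:
    tag = hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, record.get("hmac_sha256", ""))


def tamper(record: dict) -> dict:
    """Attacker edit: drop the critical finding so the record looks clean."""
    edited = copy.deepcopy(record)
    edited["findings"] = []
    edited["finding_count"] = 0
    return edited


def demo(key: bytes = b"constructed-demo-key") -> dict:
    sealed = seal(EVIDENCE)
    keyed = seal_keyed(EVIDENCE, key)
    return {
        "digest_ok": verify_digest(sealed),
        "tamper_detected_by_digest": not verify_digest(tamper(sealed)),
        # the weakness: whoever edits the file can also recompute a bare digest
        "tamper_plus_recompute_passes_digest": verify_digest(seal(tamper(sealed))),
        "keyed_ok": verify_keyed(keyed, key),
        # recomputing sha256 does not help without the key
        "tamper_plus_recompute_fails_hmac": not verify_keyed(seal(tamper(keyed)), key),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Every value in `demo()` comes out True. The practical reading for an auditor: treat the sha256 in the file as a lookup key into the S3 record rather than as proof on its own, or require a keyed tag or signature over the canonical payload that the scanning service alone can produce.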

Get started

Three steps to your first
governed PR.

Gatekeep does not require infrastructure changes. Install the extension, define a Contract, and the GitHub App handles the rest.

01

Install tickety-ai

Install the VS Code extension from Open VSX. Create a free account. You get 5 one-time welcome runs to try the full platform. No card required.

02

Define your first Contract

A Contract is a configuration file in your repository. Specify which scan layers are active, which severity thresholds block a merge, and which compliance pack applies. Start with the defaults and refine from there.

03

Scan your repository

Use the free scanner at ticketyboo.dev/scan/ to run all six layers against any public repository, with no account needed. Or connect the GitHub App to run Gatekeep on every PR automatically.