Server data from the Official MCP Registry
120-module QA gate. Give Claude eyes (screenshots), ears (Sentry errors), and hands (verify fixes).
Valid MCP server (2 strong, 1 medium validity signals). No known CVEs in dependencies. Imported from the Official MCP Registry.
9 files analyzed · No issues found
Security scores are indicators to help you make informed decisions, not guarantees. Always review permissions before connecting any MCP server.
This plugin requests these system permissions. Most are normal for its category.
From the project's GitHub README.
AI-powered code quality. Pay per scan via Stripe.
GateTest is a single CLI plus a composite GitHub Action that runs 110 static-analysis modules against any codebase, then uses Claude to repair the findings it can. It replaces SonarQube, Snyk, ESLint, Cypress, Lighthouse, axe, pa11y, and twenty-plus other tools with one config, one gate decision, and one report.
It is different because the cost trends to zero. Deterministic AST and rule-based layers run first — these are free and ship the fix in milliseconds. Claude only runs on patterns nothing else has seen. Every Claude win is distilled into a reusable recipe, so the next time the same pattern appears anywhere in the network it is handled for free. The longer you run GateTest, the less of it is paid work.
What you get depends on the tier. A pull request with the fixes, regression tests pinned to each fix, an architecture-shape critique, a cross-finding attack-chain analysis, and a CTO-readable executive summary — in whichever combination the tier you bought includes. One-time payment per scan via Stripe at checkout. No subscription, no auto-renew.
Drop this in .github/workflows/gatetest.yml:
```yaml
name: GateTest Quality Gate
on: [push, pull_request]
jobs:
  gate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: crclabs-hq/GateTest@v1.1.1
        with:
          suite: full
          auto-fix: ${{ github.event_name == 'pull_request' }}
        env:
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
```
The action is a composite — no Docker pull, no container build. It installs GateTest, runs the gate, and if auto-fix: true and ANTHROPIC_API_KEY is set, runs the AI repair loop on a blocking gate. See action.yml for every input.
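A least-privilege variant of the workflow above, added here as an example and not taken from the GateTest repository. It pins the action to a full commit SHA, because a tag such as v1.1.1 can later be moved to different code, and it exposes the API key only to pull requests opened from branches of the same repository. Assumptions: the repair loop needs `contents: write` and `pull-requests: write` to open its fix PR (the page does not list the permissions the action requires), the job name `gate-and-fix` is hypothetical, and the SHA is a placeholder to replace with the commit behind the v1.1.1 tag.

```yaml
name: GateTest Quality Gate
on: [push, pull_request]

# Default for every job: a read-only GITHUB_TOKEN.
permissions:
  contents: read

jobs:
  # Pushes and pull requests from forks: scan only. No API key is placed in
  # the step environment; fork PRs receive no repository secrets in any case.
  gate:
    if: github.event.pull_request.head.repo.full_name != github.repository
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: crclabs-hq/GateTest@<FULL_COMMIT_SHA_OF_v1.1.1>  # placeholder
        with:
          suite: full
          auto-fix: false

  # Pull requests from branches of this repository: scan plus AI repair loop.
  gate-and-fix:
    if: github.event.pull_request.head.repo.full_name == github.repository
    runs-on: ubuntu-latest
    permissions:
      contents: write        # assumption: needed to push the fix branch
      pull-requests: write   # assumption: needed to open the fix PR
    steps:
      - uses: actions/checkout@v4
      - uses: crclabs-hq/GateTest@<FULL_COMMIT_SHA_OF_v1.1.1>  # placeholder
        with:
          suite: full
          auto-fix: true
        env:
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
```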
```bash
# Run against the current directory, no install:
npx github:crclabs-hq/GateTest --suite quick

# Or clone and run from source:
git clone https://github.com/crclabs-hq/GateTest
# git clone creates the directory "GateTest"; the name is case-sensitive on Linux
cd GateTest && npm install
node bin/gatetest.js --suite quick
```
Install:
npm install -g @gatetest/cli
Run the full pre-merge sweep locally in one command:
npm run sweep # ~30-60s — tests + build + gate + secrets + self-scan
This runs the same seven checks that block a merge in CI. Verdict is green or red. Exit code is 0 or 1, matching CI exactly.
Fast path during iteration:
npm run sweep -- --fast # skip tests + build, gate-only, ~3-5s
See gatetest sweep --help for every flag.
Connect GateTest directly to Claude Code (or any MCP-compatible AI) in one command:
claude mcp add gatetest -- npx -y @gatetest/mcp-server
18 tools across four families:
| Family | Tools | What it gives Claude |
|---|---|---|
| Engine | scan_local, run_module, fix_issue, verify_fix, … | Scan + fix local code |
| 👁 Eyes | capture_screenshot, get_visual_diff | See the rendered page as a real image |
| 👂 Ears | get_production_errors, run_live_checks | Hear Sentry/Datadog/Rollbar errors + localhost runtime failures |
| 🤝 Hands | verify_fix | Hard ✅/❌ — prove the fix actually worked |
Works with Claude Code, Cursor, Windsurf, Continue, and Cline. See packages/mcp-server/ for the full tool reference and example prompts.
Visit gatetest.ai/web and paste any URL. You get a free preview and a paid full report. For WordPress sites use gatetest.ai/wp.
Reproduce any failing GitHub Actions run on your laptop in seconds:
gatetest replay https://github.com/owner/repo/actions/runs/12345
This fetches the run, identifies which steps failed, and runs them locally against your current working tree. Output tells you whether the failure reproduces, doesn't reproduce (flaky CI), or hits a different error.
Authentication is optional — if you have a GITHUB_TOKEN set or gh CLI
installed, replay can read private repo runs. Otherwise it uses the
unauthenticated rate limit (60 req/hour, fine for a few replays).
```
                ┌──────────────────────────┐
  CI BREAKS ──> │   Failed workflow run    │
                └────────────┬─────────────┘
                             │
                ┌────────────▼─────────────┐
                │  AI CI-fixer reads logs  │
                │     + failing files      │
                └────────────┬─────────────┘
                             │
              ┌──────────────┼──────────────┐
              │              │              │
              ▼              ▼              ▼
         ┌────────┐     ┌────────┐     ┌────────┐
         │  AST   │  →  │  Rule  │  →  │ Recipe │   ─── ALL FREE ───
         └────┬───┘     └────┬───┘     └────┬───┘
              │              │              │       (none matched?)
              └──────────────┴──────────────┘
                             │
                             ▼
                ┌──────────────────────────┐
                │ Claude — paid, one shot  │
                │ Result distilled into a  │
                │ recipe for next time     │
                └────────────┬─────────────┘
                             │
                             ▼
                ┌──────────────────────────┐
                │  PR opens with the fix   │
                │    + regression test     │
                └──────────────────────────┘
```
First time we see a pattern: Claude. Every time after: free. The longer you run GateTest, the cheaper it gets.
One config, one bill, one gate decision. Twelve-plus tools dissolve into single CLI flags.
| Their tool | GateTest module |
|---|---|
| Snyk Code, Dependabot, npm audit | security, dependencies |
| SonarQube | codeQuality + every other module |
| ESLint, Stylelint | lint |
| Cypress, BrowserStack, Sauce Labs | e2e |
| Lighthouse | performance |
| axe, pa11y | accessibility |
| Percy, Chromatic | visual |
| git-secrets, TruffleHog | secrets, secretRotation |
| hadolint, dockle | dockerfile |
| actionlint, zizmor, StepSecurity | ciSecurity |
| tfsec, Checkov, Terrascan | terraform |
| kube-score, kubeaudit, Polaris | kubernetes |
| Stryker, Pitest | mutation |
| broken-link-checker | links |
| (none — fragmented across ESLint rules) | errorSwallow, nPlusOne, flakyTests |
| (none — no static tool exists) | redos, moneyFloat, logPii, tlsSecurity |
| (none — runtime profilers only) | resourceLeak, raceCondition, retryHygiene |
Twelve-plus tools. One config. One bill. Full module catalogue: run node bin/gatetest.js --list or read it on gatetest.ai.
One-time payment per scan via Stripe at checkout. No subscription, no auto-renew. Refunds only at our discretion for scans that failed to start or crashed mid-way without producing a report (contact hello@gatetest.ai).
| Tier | Price | What you get |
|---|---|---|
| Quick Scan | $29 | 4 modules — syntax, linting, secrets, code quality. Fastest path to a first signal. Scan-only — no auto-fix. |
| Full Scan | $99 | All 110 modules. SARIF + JUnit reports. Scan-only — auto-fix ships at the Scan + Fix tier. |
| Scan + Fix | $199 | Everything in Full, plus a second-Claude pair-review critique on every fix and an architecture-shape design-observations report. |
| Forensic Scan | $399 | Everything in Scan + Fix, plus real Claude diagnosis on every finding, cross-finding attack-chain correlation, board-ready CISO report (OWASP / SOC2 / CIS v8 / 30-60-90), and a CTO-readable executive summary. Mutation testing and chaos / fuzz pass are also available via the GitHub Action (mutation: true / chaos: true) — they need a CI runner to execute your test suite and a headless browser, so they ship with the Action rather than the website-only scan. |
Live prices and Stripe checkout at gatetest.ai.
GateTest is not magic. The things it does not yet do, said out loud:
liveCrawler, runtimeErrors, explorer, chaos) degrade gracefully on Vercel serverless. Chromium cannot launch inside the function. The modules emit an info-level skip and the rest of the scan continues — full power requires the CLI, a worker, or local dev.

installation_id is not persisted across GitHub App installs. Multi-org customers cannot yet be correlated to a single billing account; this is tracked as Known Issue #22 in CLAUDE.md.

The full Known Issues table (with severity and status) lives in CLAUDE.md — that file is the project's source of truth.
Static engine. 110 modules, every one extending BaseModule. Each module is a self-contained scanner that emits checks at three severity levels (error blocks the gate, warning reports, info is informational). The runner is EventEmitter-based, supports parallel execution, diff-mode (--diff scans only git-changed files), watch mode, and five output formats (Console, JSON, HTML, SARIF for the GitHub Security tab, JUnit XML for any CI). The gate has zero runtime dependencies aside from one MCP SDK pin — node bin/gatetest.js --list runs anywhere Node 20+ runs.
Website and payments. gatetest.ai is Next.js 16 with the App Router, Tailwind 4, and Stripe in per-scan upfront-charge mode. One-time payment per scan at checkout — no subscription, no auto-renew, no hold-then-capture flow. All scan state is persisted in Stripe metadata so the serverless functions stay stateless across requests — there is no shared in-memory state and no webhook is required for the critical user flow. The scan executes inside the function response and reports back directly.
AI layer. Claude (Anthropic). On the GitHub Action the customer brings their own ANTHROPIC_API_KEY and pays Anthropic directly. On the website the key is managed and the cost is folded into the tier price. Every Claude success is distilled into a recipe by the flywheel orchestrator (see lib/ and the AI CI-fixer at scripts/ai-ci-fixer.js) so subsequent runs on the same pattern are deterministic and free.
The codebase ships under MIT, the gate runs locally with no external calls, and every architectural decision is documented inline in CLAUDE.md.
GateTest is dogfooded against itself on every push, and the team runs the full Forensic pipeline against external production codebases before shipping changes that touch the deeper tiers. The reports below are reproducible artifacts in this repo:
src/runtime/alerts.js, 8.5 seconds wall time, syntax gate green: docs/proofs/phase-1-self-fix-real.md

```bash
git clone https://github.com/crclabs-hq/GateTest
# git clone creates the directory "GateTest"; the name is case-sensitive on Linux
cd GateTest
npm install
(cd website && npm install)
node --test tests/*.test.js
node bin/gatetest.js --list
```
The Bible — CLAUDE.md — is required reading for contributors. It defines the architecture, the quality bar, the forbidden list, the protected platforms, and the authorization rules that apply to anything touching money, user data, or public-facing communication.
Bug reports and feature requests are welcome via GitHub Issues. Small PRs that fix one thing and add a test are merged fastest. The pre-commit and pre-push hooks under src/hooks/ run the gate locally — running them before pushing keeps CI green.
MIT — see LICENSE.