AI coding governance
Know what your AI agents are shipping.
Define the rules once, check every PR, and keep signed proof for your team and auditors.
Apache 2.0 · SHA-256 signed evidence · No data leaves your machine · No credit card to start
How it works
The rules. The enforcement. The proof.
Three components. One workflow. Every PR is checked against rules your team wrote. Every result is signed.
Write the rules once
DevContracts are YAML files your team writes once. Security rules, dependency limits, licence policies, quality gates — all version-controlled alongside your code.
- 8 clause families
- Plain YAML — no proprietary DSL
- Works with any language or stack
Enforce at every PR
Gatekeep runs six analysis layers at the PR boundary — secret detection, dependency audit, SAST, IaC review, licence compliance, code quality. Findings in the PR comment. Critical findings block the merge.
- 6 parallel scan layers
- Findings posted as PR comment
- Critical findings block merge
Keep signed proof
Every Gatekeep run writes an evidence.json file: SHA-256 signed, timestamped, committed to your repo alongside the code it describes. Readable by auditors. Proof that the rules ran. Tamper-evident as long as the digest is checked against something the tamperer cannot also rewrite: a key, or a copy held outside the repo. A bare hash committed next to the file it covers only catches accidental corruption.
- SHA-256 signed per run
- Committed to your repo
- Audit-readable JSON
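As an added illustration of why that caveat matters (this is not Gatekeep's code and not its evidence.json schema; the field names, the sample run record and the key are constructed assumptions), the block below hashes the same gate-run record two ways: an unkeyed SHA-256 digest and a keyed HMAC-SHA256 tag. Someone with write access to the repo can flip the verdict in the unkeyed record and recompute the digest so it still verifies; the keyed tag cannot be recomputed without the key. The keyed variant goes slightly beyond what the page describes.

```python
"""Unkeyed digest vs keyed tag over a gate-run evidence record.

Added example. Not Gatekeep's code; the record layout below is an assumption,
not the real evidence.json schema.
"""
import copy
import hashlib
import hmac
import json

# Constructed sample run record (field names are assumptions).
SAMPLE_RUN = {
    "commit": "0123456789abcdef0123456789abcdef01234567",  # constructed
    "layers": ["secrets", "dependencies", "sast", "iac", "licence", "quality"],
    "critical_findings": 0,
    "passed": True,
    "timestamp": "2026-01-01T00:00:00Z",  # constructed
}

# Placeholder key; a real deployment would hold this outside the repo (assumption).
DEMO_KEY = b"gatekeep-demo-key-not-for-production"


def canonical_bytes(record: dict) -> bytes:
    """Serialise deterministically so equal content always hashes the same."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def attach_digest(record: dict) -> dict:
    """Add an unkeyed SHA-256 digest over the record (integrity only)."""
    out = copy.deepcopy(record)
    out["sha256"] = hashlib.sha256(canonical_bytes(record)).hexdigest()
    return out


def attach_hmac(record: dict, key: bytes) -> dict:
    """Add an HMAC-SHA256 tag; recomputing it requires the key."""
    out = copy.deepcopy(record)
    out["hmac_sha256"] = hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()
    return out


def verify_digest(signed: dict) -> bool:
    """Recompute the unkeyed digest over everything except the digest field."""
    body = {k: v for k, v in signed.items() if k != "sha256"}
    expected = hashlib.sha256(canonical_bytes(body)).hexdigest()
    return hmac.compare_digest(expected, signed.get("sha256", ""))


def verify_hmac(signed: dict, key: bytes) -> bool:
    """Recompute the keyed tag over everything except the tag field."""
    body = {k: v for k, v in signed.items() if k != "hmac_sha256"}
    expected = hmac.new(key, canonical_bytes(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed.get("hmac_sha256", ""))


def tamper_and_recompute(signed: dict) -> dict:
    """What repo write access allows against an unkeyed digest: change the
    verdict, then recompute SHA-256 so verify_digest() still passes."""
    body = {k: v for k, v in signed.items() if k != "sha256"}
    body["critical_findings"] = 3
    body["passed"] = False
    return attach_digest(body)


def tamper_hmac(signed: dict) -> dict:
    """Same edit against the keyed record; the tag cannot be refreshed without the key."""
    forged = copy.deepcopy(signed)
    forged["critical_findings"] = 3
    forged["passed"] = False
    return forged


def demo() -> dict:
    """Run both schemes through the same tampering step and report the outcomes."""
    digest_rec = attach_digest(SAMPLE_RUN)
    hmac_rec = attach_hmac(SAMPLE_RUN, DEMO_KEY)
    return {
        "digest_ok": verify_digest(digest_rec),
        "digest_after_tamper": verify_digest(tamper_and_recompute(digest_rec)),
        "hmac_ok": verify_hmac(hmac_rec, DEMO_KEY),
        "hmac_after_tamper": verify_hmac(tamper_hmac(hmac_rec), DEMO_KEY),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the example: `digest_after_tamper` stays true because the attacker recomputed the hash, so a digest alone only proves the file is internally consistent. `hmac_after_tamper` is false because the key was not available to them. The same argument applies to an asymmetric signature, or to a digest copied to a location the repo writer cannot reach.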
Getting started
Start anywhere. Grow from there.
ticketyboo is a trust ladder — each step adds more governance, more visibility, more proof. Start with a free repo scan. End with a governed estate.
Step 1
Scan a public repo
Free, no login. See the scanner in action — six layers, findings ranked by severity, shareable report link. Takes 30 seconds.
Step 2
Govern your team's PRs
Connect your repo. Write your first DevContract. Every PR gets checked automatically. Findings in the PR comment. Evidence committed to the repo.
Step 3
Scale across your estate
Add more repos. Use the estate view to see the health of every system at once. Track improvement over time. Compare before and after.
Who it's for
Pick your entry point.
Developer
Scan any public repo — free, no login. See what the scanner finds. Add governance to your own repos when you're ready.
Engineering leader
Govern your team's PRs. Every merge checked against your rules. Every result signed. Start free — no credit card required.
CTO / estate owner
Score your whole estate — code, infrastructure, identity, platforms. One view. Signed evidence. Latest to legacy.
See it in action
The same job. Twice. The difference is the contract.
Watch a governance run without a DevContract, then with one. Side-by-side gate results. Signed evidence output. This site is governed this way.
evidence.json — this site, last gate run
✓ Passed · 6 layers run · 0 critical findings · SHA-256: gk-2026…a1b2c3
The practice layer
Tools and articles from real work.
Interactive tools for technology strategy and AI delivery. Articles from the thinking behind the tooling. All open, all free.
Technology due diligence
Score nine technology domains for board, PE, or M&A diligence. Structured assessment, markdown export. Runs in the browser.
Cybersecurity maturity
Assess maturity across seven security domains. Identifies gaps. Export a structured report. No data leaves your machine.
Governance as code
Making compliance machine-readable, version-controlled, and enforceable. What it looks like in practice with Gatekeep.
Available
The methodology is available as an engagement.
Discovery, remediation planning, governed agentic builds with signed evidence output. I've led engineering teams at scale, built regulated platforms, and done large-scale M&A. ticketyboo.dev is the methodology in practice.