Contract examples
Complete devcontract.json files for common service types. Each example is based on real gate categories and thresholds. Copy one as a starting point and adjust for your codebase.
Minimal security-only contract
Suitable for an early-stage service that wants to block on critical security findings only. Uses two deep scan gate categories (secret detection and SAST).
{
  "service_name": "my-api",
  "version": "1.0.0",
  "description": "Block on critical security findings only",
  "gates": [
    {
      "category": "secret",
      "severity": "critical",
      "threshold": 0,
      "blocking": true,
      "description": "No hardcoded secrets"
    },
    {
      "category": "sast",
      "severity": "critical",
      "threshold": 0,
      "blocking": true,
      "description": "No critical code vulnerabilities"
    }
  ]
}
The secret and sast categories are only populated during a deep scan. A shallow scan will skip these gates.
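The gate semantics the examples rely on (findings at or above a gate's severity count toward its threshold, a non-blocking gate warns instead of failing, and a category the scan did not populate is skipped) as an added Python evaluator. This is example code, not the project's own; the contract, the scan output, the severity ordering and the at-or-above counting rule are assumptions.

```python
import json

# Assumed severity ordering; a gate's severity is treated as a floor, so a
# "high" gate also counts critical findings ("no high or critical CVEs").
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed contract modelled on the frontend example (description fields omitted).
CONTRACT_JSON = """{
  "service_name": "marketing-frontend", "version": "1.0.0",
  "gates": [
    {"category": "dependency", "severity": "critical", "threshold": 0, "blocking": true},
    {"category": "dependency", "severity": "high", "threshold": 2, "blocking": true},
    {"category": "secret", "severity": "high", "threshold": 0, "blocking": true},
    {"category": "governance", "severity": "medium", "threshold": 0, "blocking": false}
  ]
}"""

# Constructed shallow-scan output keyed by category. "secret" is absent because
# that category is only populated by a deep scan, so its gate must be skipped.
SCAN_RESULTS = {
    "dependency": [
        {"id": "DEP-1", "severity": "high"},
        {"id": "DEP-2", "severity": "critical"},
        {"id": "DEP-3", "severity": "low"},
    ],
    "governance": [{"id": "GOV-1", "severity": "medium"}],
}


def evaluate_gate(gate, results):
    """Return (status, count); status is one of skipped, pass, warn, fail."""
    if gate["category"] not in results:
        return "skipped", 0  # category not populated by this scan type
    floor = SEVERITY_RANK[gate["severity"]]
    count = sum(1 for f in results[gate["category"]]
                if SEVERITY_RANK[f["severity"]] >= floor)
    if count <= gate["threshold"]:
        return "pass", count
    return ("fail" if gate["blocking"] else "warn"), count


def evaluate_contract(contract, results):
    """Evaluate every gate; the contract fails only when a blocking gate is over threshold."""
    report = []
    for gate in contract["gates"]:
        status, count = evaluate_gate(gate, results)
        report.append({"category": gate["category"], "severity": gate["severity"],
                       "count": count, "threshold": gate["threshold"], "status": status})
    return all(r["status"] != "fail" for r in report), report


def run_example():
    return evaluate_contract(json.loads(CONTRACT_JSON), SCAN_RESULTS)
```

Running `run_example()` on the constructed input fails the contract on the critical dependency gate, passes the high gate (2 findings, threshold 2), skips the unpopulated secret gate and warns on governance.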
Python Lambda service
A production Lambda function handling user data. Blocks on any high or critical secret, SAST, IaC, dependency, or license finding; warns on governance and code quality issues.
{
  "service_name": "user-data-processor",
  "version": "1.0.0",
  "description": "Python Lambda handling PII — strict security gates",
  "gates": [
    {
      "category": "secret",
      "severity": "high",
      "threshold": 0,
      "blocking": true,
      "description": "No secrets at high or critical severity"
    },
    {
      "category": "sast",
      "severity": "high",
      "threshold": 0,
      "blocking": true,
      "description": "No high or critical code vulnerabilities"
    },
    {
      "category": "iac",
      "severity": "high",
      "threshold": 0,
      "blocking": true,
      "description": "No high or critical IaC misconfigurations"
    },
    {
      "category": "dependency",
      "severity": "high",
      "threshold": 0,
      "blocking": true,
      "description": "No known high or critical CVEs"
    },
    {
      "category": "license",
      "severity": "high",
      "threshold": 0,
      "blocking": true,
      "description": "No copyleft dependencies"
    },
    {
      "category": "governance",
      "severity": "medium",
      "threshold": 0,
      "blocking": false,
      "description": "README, CI, and tests expected but non-blocking"
    },
    {
      "category": "code_quality",
      "severity": "medium",
      "threshold": 5,
      "blocking": false,
      "description": "Quality warnings tolerated up to 5"
    }
  ]
}
Frontend JavaScript application
A React or plain JavaScript app. Focuses on dependency vulnerabilities (npm ecosystem) and governance. There is no IaC gate, since the service has no Terraform.
{
  "service_name": "marketing-frontend",
  "version": "1.0.0",
  "description": "Static JS app — dependency and governance gates",
  "gates": [
    {
      "category": "dependency",
      "severity": "critical",
      "threshold": 0,
      "blocking": true,
      "description": "Block on critical npm CVEs"
    },
    {
      "category": "dependency",
      "severity": "high",
      "threshold": 2,
      "blocking": true,
      "description": "Tolerate at most 2 high CVEs before blocking"
    },
    {
      "category": "secret",
      "severity": "high",
      "threshold": 0,
      "blocking": true,
      "description": "No API keys or tokens in source"
    },
    {
      "category": "governance",
      "severity": "medium",
      "threshold": 0,
      "blocking": false,
      "description": "Governance checks informational"
    }
  ]
}
Infrastructure-as-Code repository
A Terraform monorepo. The IaC gate is the primary concern; SAST and secret gates catch any embedded scripts or configuration values.
{
  "service_name": "platform-infra",
  "version": "1.0.0",
  "description": "Terraform monorepo — IaC security is primary gate",
  "gates": [
    {
      "category": "iac",
      "severity": "critical",
      "threshold": 0,
      "blocking": true,
      "description": "No critical IaC misconfigurations (public S3, wildcard IAM)"
    },
    {
      "category": "iac",
      "severity": "high",
      "threshold": 0,
      "blocking": true,
      "description": "No high IaC misconfigurations"
    },
    {
      "category": "secret",
      "severity": "critical",
      "threshold": 0,
      "blocking": true,
      "description": "No secrets or credentials in Terraform files"
    }
  ]
}
Open source library
A library published under MIT or Apache-2.0. The license gate is critical here: it verifies that the library's own dependencies are compatible with open source distribution.
{
  "service_name": "my-oss-library",
  "version": "1.0.0",
  "description": "OSS library — license and security gates",
  "gates": [
    {
      "category": "license",
      "severity": "high",
      "threshold": 0,
      "blocking": true,
      "description": "No GPL/AGPL dependencies that would affect OSS distribution"
    },
    {
      "category": "dependency",
      "severity": "high",
      "threshold": 0,
      "blocking": true,
      "description": "No high or critical CVEs in published library"
    },
    {
      "category": "governance",
      "severity": "medium",
      "threshold": 0,
      "blocking": true,
      "description": "README, CI, and tests required for published library"
    },
    {
      "category": "code_quality",
      "severity": "medium",
      "threshold": 3,
      "blocking": false,
      "description": "Code quality informational"
    }
  ]
}
Legacy service under remediation
An older service with known tech debt. Strict on critical findings; permissive thresholds on existing quality and governance issues while the team remediates.
{
  "service_name": "legacy-billing",
  "version": "1.0.0",
  "description": "Legacy billing service — strict security, permissive quality during Q3 remediation",
  "gates": [
    {
      "category": "secret",
      "severity": "critical",
      "threshold": 0,
      "blocking": true,
      "description": "Secrets are never acceptable"
    },
    {
      "category": "sast",
      "severity": "critical",
      "threshold": 0,
      "blocking": true,
      "description": "Critical code vulnerabilities must be fixed"
    },
    {
      "category": "dependency",
      "severity": "critical",
      "threshold": 0,
      "blocking": true,
      "description": "Critical CVEs must be patched"
    },
    {
      "category": "code_quality",
      "severity": "medium",
      "threshold": 25,
      "blocking": false,
      "description": "Ratchet: 25 now, target 0 by end of Q3. Update before reducing."
    },
    {
      "category": "governance",
      "severity": "medium",
      "threshold": 2,
      "blocking": false,
      "description": "Some governance gaps expected; non-blocking for now"
    }
  ]
}
Minimal governance-only contract
A lightweight contract for teams that are not yet running deep scans. It gates only categories that a shallow scan populates; no deep scan gates (secret, SAST, IaC) are included.
{
  "service_name": "new-service",
  "version": "1.0.0",
  "description": "Governance baseline for new services before deep scan is enabled",
  "gates": [
    {
      "category": "governance",
      "severity": "medium",
      "threshold": 0,
      "blocking": true,
      "description": "README, CI workflow, and test files required"
    },
    {
      "category": "security",
      "severity": "medium",
      "threshold": 0,
      "blocking": true,
      "description": "Block on any shallow security findings"
    },
    {
      "category": "dependency",
      "severity": "medium",
      "threshold": 0,
      "blocking": false,
      "description": "Dependency issues informational at this stage"
    }
  ]
}