Gate types
Gates in a ticketyboo Contract reference the finding categories produced by Gatekeep scans. Each gate specifies a category, a severity level, optionally a threshold, and whether a failure is blocking or advisory.
Finding categories
Gatekeep assigns every finding to one category. The category maps directly to the scan layer that produced it. Gates in Contracts reference these same category identifiers.
| Category | Scan type | What it covers |
|---|---|---|
| governance | Shallow | Missing README, no CI/CD pipeline, no tests directory |
| dependency | Shallow + Deep | Missing dependency manifest (shallow); vulnerable or unpinned dependencies via GHSA (deep) |
| code_quality | Shallow + Deep | No linting config (shallow); cyclomatic complexity, long functions, type hint coverage, TODO density (deep) |
| security | Shallow | Committed .env files, missing .gitignore |
| iac | Shallow + Deep | Missing Terraform lock file (shallow); S3 encryption, security group ingress, IAM wildcards, RDS encryption, CloudFormation misconfigs (deep) |
| secret | Deep only | Hardcoded credentials: AWS keys, private keys, database URLs, generic tokens, high-entropy assignments |
| sast | Deep only | AST-based Python analysis (command injection, SQL injection, insecure deserialization, XSS, path traversal, weak cryptography); regex-based JS/Go/Ruby analysis |
| license | Deep only | Missing license file, unrecognised license, copyleft license detected, package.json license field inconsistency |
| quality | Deep only | Python AST: large files, high TODO count, low type hint coverage, high cyclomatic complexity, long functions |
Shallow scans check five categories: governance, dependency, code_quality, security, and iac. Deep scans also run the secret, sast, license, and quality layers. A gate that references a deep-only category can never fail on a shallow scan, because that scan produces no findings in the category. Such a gate passing on a shallow scan says nothing about the repository; a Contract that relies on secret or sast gates needs a deep scan to be meaningful.
Gate structure
Each gate in a Contract specifies:
- category: one of the nine category identifiers above
- severity: the severity level to check (critical, high, medium, low, info)
- threshold: optional non-negative integer. If omitted or zero, the gate fails on the first finding at this category/severity. If set, the gate fails only when the count is strictly greater than the threshold (threshold: 2 allows two findings and fails on the third).
- blocking: boolean. If true, a failing gate blocks the PR. If false, the gate is advisory only: its failure is reported but does not block the PR.
See Thresholds and Severity levels for details on those fields.
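The following evaluator is an added example, not code from the ticketyboo or Gatekeep repository, that puts the gate rules above and the shallow-scan caveat into running form. It assumes a gate counts only findings whose severity matches exactly (the page does not say whether a gate at high also counts critical), uses the category and severity names listed on this page, and feeds in constructed findings rather than real scan output. The `Finding`, `Gate`, `GateResult` classes and the `evaluate_gate` / `evaluate_contract` functions are invented for the example and are not the project's API.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Category sets as documented on this page. Deep-only categories produce no
# findings on a shallow scan, so a gate on them cannot fail there.
SHALLOW_CATEGORIES = {"governance", "dependency", "code_quality", "security", "iac"}
DEEP_ONLY_CATEGORIES = {"secret", "sast", "license", "quality"}
ALL_CATEGORIES = SHALLOW_CATEGORIES | DEEP_ONLY_CATEGORIES
SEVERITIES = ("critical", "high", "medium", "low", "info")


@dataclass(frozen=True)
class Finding:          # hypothetical stand-in for a scanner finding
    category: str
    severity: str


@dataclass(frozen=True)
class Gate:             # hypothetical stand-in for a Contract gate
    category: str
    severity: str
    threshold: int = 0  # omitted/zero: fail on the first finding
    blocking: bool = True

    def __post_init__(self) -> None:
        # Reject gates that can never match anything; a typo such as
        # "secrets" would otherwise pass silently forever.
        if self.category not in ALL_CATEGORIES:
            raise ValueError(f"unknown category {self.category!r}")
        if self.severity not in SEVERITIES:
            raise ValueError(f"unknown severity {self.severity!r}")
        if self.threshold < 0:
            raise ValueError("threshold must be >= 0")


@dataclass(frozen=True)
class GateResult:
    gate: Gate
    count: int
    passed: bool
    evaluated: bool  # False: deep-only gate checked against a shallow scan (vacuous pass)


def evaluate_gate(gate: Gate, findings: Iterable[Finding], scan_type: str) -> GateResult:
    """Apply one gate: fail when the matching-finding count exceeds the threshold."""
    count = sum(1 for f in findings
                if f.category == gate.category and f.severity == gate.severity)
    passed = count <= gate.threshold
    evaluated = not (scan_type == "shallow" and gate.category in DEEP_ONLY_CATEGORIES)
    return GateResult(gate, count, passed, evaluated)


def evaluate_contract(gates: Iterable[Gate], findings: Iterable[Finding],
                      scan_type: str) -> Tuple[List[GateResult], bool]:
    """Evaluate every gate; the PR is blocked if any blocking gate fails."""
    findings = list(findings)
    results = [evaluate_gate(g, findings, scan_type) for g in gates]
    blocked = any(r.gate.blocking and not r.passed for r in results)
    return results, blocked


if __name__ == "__main__":
    # Constructed sample data, not real scan output.
    deep_findings = [
        Finding("secret", "critical"),
        Finding("sast", "high"), Finding("sast", "high"), Finding("sast", "high"),
        Finding("dependency", "high"),
    ]
    contract = [
        Gate("secret", "critical"),                        # any hardcoded credential blocks
        Gate("sast", "high", threshold=2, blocking=False), # advisory above two findings
        Gate("dependency", "high", threshold=1),           # one vulnerable dep tolerated
    ]
    results, blocked = evaluate_contract(contract, deep_findings, "deep")
    for r in results:
        print(f"{r.gate.category}/{r.gate.severity}: count={r.count} "
              f"passed={r.passed} evaluated={r.evaluated}")
    print("PR blocked (deep):", blocked)

    # Same Contract on a shallow scan: only shallow-layer findings exist, so the
    # secret and sast gates pass vacuously and are flagged evaluated=False.
    shallow_findings = [Finding("dependency", "high")]
    results, blocked = evaluate_contract(contract, shallow_findings, "shallow")
    print("PR blocked (shallow):", blocked,
          "unevaluated gates:", [r.gate.category for r in results if not r.evaluated])
```

The `evaluated` flag is the practical check: when a Contract is enforced on a shallow scan, report every deep-only gate as not evaluated rather than as passed, otherwise a green secret gate is mistaken for an absence of leaked credentials.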
Source reference
Finding categories and severities are defined in demos/scanner/api/models.py (Finding.category and Finding.severity fields). The shallow checkers are in demos/scanner/api/scanner.py. The deep layer classes are in demos/scanner/api/layers/.