Skip to content

Features

Three products.
One governance layer.

Define rules your team writes once as YAML. Enforce them as you write. Prove compliance at the PR boundary.

DevContracts

Define rules your team writes once as YAML. Preventative layer.

Contracts are YAML files that describe what good code looks like for your project. They encode the rules your team already agrees on, before code is written.

  • Rule definitions in YAML: security patterns, style requirements, dependency policies
  • Stored in the repo alongside the code they govern
  • Versioned and reviewed through the same PR process as everything else
  • Referenced by both tickety-ai (in-editor) and Gatekeep (at the PR boundary)
  • Apache 2.0 licensed. Self-host or use the managed service.
Try the scanner →
Example Contract definition
# .tickety/contracts/security.yaml name: security-baseline version: 1.0.0 gates: - id: no-hardcoded-secrets layer: secret severity: blocking - id: dependency-cve-critical layer: dependency threshold: CRITICAL severity: blocking - id: iac-no-public-s3 layer: iac severity: blocking - id: type-hint-coverage layer: quality min_coverage: 0.8 severity: warning
Gates reference the six scan layers. Blocking gates fail the PR. Warning gates appear in the evidence report.
In-editor feedback
!
Hardcoded credential detected Matches secret pattern AWS_SECRET_ACCESS_KEY. Contract: security-baseline gate: no-hardcoded-secrets
!
Unpinned dependency: requests requirements.txt line 4. Pin to a specific version to enable reproducible builds.
i
Function complexity: 22 process_batch() exceeds threshold of 15. Consider splitting.
Findings appear inline as you write. No context switch to a CI dashboard.
tickety-ai

Contract checks in VS Code, as you write. In-editor feedback.

tickety-ai is the VS Code extension that runs your Contracts locally. It checks the file you are editing against the gates defined in your project's Contract, before you commit.

  • Reads your project's Contract from .tickety/contracts/
  • Runs the six scan layers on save or on demand
  • Findings appear inline, linked to the gate that triggered them
  • Works with the managed API or your own key (BYOK)
  • Fully compatible with Gatekeep: no duplicate rules, shared gate IDs
See the extension →
Gatekeep

Enforce Contracts at the PR boundary. Detective layer.

Gatekeep runs the same scan layers as tickety-ai, but at the point of merge. It reads the project Contract, runs the gates, and blocks the PR if blocking gates fail. A SHA-256 signed evidence report is stored in S3 after every run.

  • Triggered by GitHub PR events via webhook or GitHub Actions step
  • Reads the Contract from the branch under review
  • Blocking gates fail the check and surface findings in the PR review
  • Warning gates appear in the evidence report but do not block
  • Produces evidence.json: SHA-256 signed, S3-stored, timestamped
  • Same six scan layers as tickety-ai. Same gate IDs. Consistent results.
See Gatekeep →
evidence.json (per Gatekeep run)
"scan_id": "gk-20260331-a1b2c3", "repo": "acme/payments-service", "pr": 142, "commit": "4f8a2d1", "contract": "security-baseline@1.0.0", "verdict": "PASS", "gates_evaluated": 4, "gates_passed": 4, "gates_failed": 0, "findings": [], "sha256": "e3b0c44298fc1c14...", "timestamp": "2026-03-31T07:15:02Z"
Every run produces a signed evidence record. Stored in S3. Retrievable via /api/scan/{id}/report.

System design

How the three products work together

The same Contract file governs all three stages. Write the rule once; enforce it everywhere.

Contracts

Define gates in YAML. Commit them to the repo. Version them with the code.

tickety-ai

Reads the Contract from .tickety/. Runs gates on save. Shows findings inline in VS Code.

Gatekeep

Reads the same Contract at PR time. Blocks merges that fail blocking gates. Stores signed evidence.

Gate IDs are shared across the toolchain. A finding in tickety-ai maps to the same gate that Gatekeep would fail at PR time. No configuration drift between the editor and the pipeline.

Scan layers

Six layers run on every scan

Both tickety-ai and Gatekeep use the same six analysis layers. Each layer targets a specific category of risk.

Secret detection

Regex patterns for AWS keys, private keys, database URLs, and bearer tokens. Shannon entropy scoring to catch high-entropy strings that pattern matching misses. Redacts values in findings output.

Dependency audit

Parses requirements.txt, package.json, Pipfile, pyproject.toml, go.mod, and Gemfile. Queries the GitHub Advisory Database for CVEs. Flags unpinned versions that cannot be audited for vulnerabilities.

SAST

Python AST analysis for command injection, SQL injection, insecure deserialization, XSS, path traversal, and weak cryptography. Regex-based patterns for JavaScript, Go, and Ruby.

IaC review

Terraform HCL2 and CloudFormation checks. S3 encryption and public ACL settings, security group open ingress rules, IAM wildcard actions, RDS encryption at rest.

Licence compliance

SPDX classification of all detected licence files. Flags copyleft licences (GPL, AGPL, LGPL) that may conflict with your distribution model. Checks package.json licence field consistency.

Code quality

Python AST: cyclomatic complexity (threshold 15), function length (100 lines), file length (500 lines), type hint coverage (flags below 50%). Universal TODO density scan across all file types.

Scanner Pro

Free scan finds patterns. Pro scan runs production tools.

The free scanner uses heuristic layers — pattern matching and AST analysis written in pure Python. Scanner Pro runs six production security tools inside a container image Lambda. The distinction matters when findings need to be cited in governance audit trails.

bandit — Python SAST

bandit.core programmatic API over all Python files. CWE-mapped findings, confidence scores, line-level locations. The same tool CI/CD pipelines use.

semgrep p/ci — Multi-language SAST

semgrep with the curated p/ci ruleset. Covers Python, JS/TS, Go, Java, Ruby. Bundled in the container — no registry download at scan time.

checkov — IaC security

Programmatic RunnerRegistry over Terraform, CloudFormation, Kubernetes, and Dockerfile. 1,000+ built-in policies. CKV IDs in every finding.

detect-secrets — Credential scanning

SecretsCollection API over all files. Plugin-based pattern matching for AWS keys, Stripe keys, private keys, and more. Values redacted in output.

pip-audit — CVE database

pip-audit subprocess over requirements.txt, Pipfile, and pyproject.toml. Queries the PyPA advisory database. CVE IDs and fix versions in output.

ruff — Code quality

ruff subprocess in JSON mode. E/F rules map to high severity, W rules to medium. The fastest Python linter available — sub-second on large codebases.

method_label: "tool_verified"

Every Pro finding carries method_label: "tool_verified" — the same vocabulary token used by Gate devcontract evaluators when a check is verified by a deterministic tool. Pro findings are formally citeable in Gatekeep evidence chains without schema translation. 1 credit per scan.

Try Scanner Pro →

Connectors

Scan systems — not just repos.

Connectors pull live findings from cloud platforms, SaaS products, and identity providers into the same RST scoring engine. Each connector runs on your infrastructure; your credentials never leave your account.

① GitHub
Repo posture, branch protection, secret scanning, Actions security. The baseline connector.
✓ Live
② AWS
SecurityHub findings, IAM credential report, Config rules, Access Analyzer, resource tagging.
✓ Available
③ Salesforce
Security Health Check, MFA posture, sharing rules, Connected Apps, Apex coverage, inactive licences.
✓ Available
④ Entra ID
Conditional Access policies, MFA enforcement, service principal audit, privileged role assignments.
✓ Available
⑤ Microsoft 365
Secure Score findings, mailbox audit, Teams external access, SharePoint sharing policies.
✓ Available
⑥ GCP / GSuite
Security Command Center findings, IAM policy audit, org policy violations, workspace admin settings.
⟳ In development
⑦ SQL / Data Warehouse
Privilege audit, public schema exposure, audit logging config, superuser counts. Postgres, MSSQL, Redshift.
⟳ In development
⑧ Prowler ingest
Ingest adapter for Prowler scan output — standard JSON or OCSF format. Bring your own scan results.
⟳ In development
⑨ OCSF ingest
Generic OCSF 1.x ingest adapter. Accepts findings from Wiz, Lacework, Orca, and any CISA-standard exporter.
⟳ In development
⑩ ERP / Dynamics 365
Inactive users, privileged roles, segregation-of-duties conflicts, audit log config, service account hygiene.
⟳ In development
⑪ Integration / MuleSoft
App status, API policy coverage, exposed HTTP endpoints, runtime version, connected app credential rotation.
⟳ In development
Self-serve

Deploy the connector Lambda in your own AWS account. Configure via SSM Parameter Store. Your credentials stay in your infrastructure.

Managed scan

We run the connector for you as part of a consulting engagement. No infrastructure required on your side.

Start free → Contact for managed scan

Start governing your PRs free

Connect your repo. Write your first DevContract. Every PR checked automatically. No credit card required.

Start free → Scan a public repo first

© 2026 ticketyboo. Apache 2.0 licensed.

Unsubscribe