Secret scanning, AST-based SAST (JS/TS/Python/Go), Kubernetes linting, coverage gates, SBOM generation, dependency auditing, and web performance — single zero-dependency binary.
Drop a single compiled Rust binary into any CI pipeline, Docker image, or developer machine. No Node, Python, or JVM required.
tree-sitter parses JS/TS/TSX/JSX, Python, and Go into a real AST. For JS/TS, Tier-1 intra-procedural taint tracking traces user-controlled input through variable assignments to XSS and injection sinks. Confirmed chains are labelled [tainted]; sanitizer-backed values are suppressed automatically.
Parallel file scanning via rayon across all CPU cores. Typical repositories scan in under a second.
26 built-in patterns covering AWS, Azure, GCP, Stripe, GitHub, Twilio, Expo, Sentry, Mapbox, and more.
Validates workload manifests for missing resource limits, probes, unpinned images, and root containers.
Audits Dockerfiles for unpinned base images, ADD instead of COPY, missing USER, missing HEALTHCHECK, exposed dangerous ports, and more.
Parses lcov.info and fails the build when line coverage drops below a configurable threshold. Zero external tools required.
Queries the OSV vulnerability database for known CVEs across 6 ecosystems. Offline-capable with a local cache. Suppress known-acceptable transitive advisories per-ID via ignore_advisories in .greengate.toml.
Lighthouse audits via the PageSpeed Insights API gate on performance, accessibility, best practices, and SEO scores.
Compares React Native component render measurements against a baseline and fails when any component regresses beyond a threshold.
Generates CycloneDX 1.5 JSON SBOMs from Cargo.lock, package-lock.json, requirements.txt, and go.sum. No internet access required.
Five output formats — SARIF 2.1.0, JSON, JUnit XML, GitLab SAST, and plain text. Direct GitHub Check Run annotations with rich PR summary comments.