CodeGate inspects what your AI coding tools are about to trust — before they execute it. It scans MCP server configs, hooks, rules, skills, and workspace settings for hidden risks, giving you visibility and control before any agent runs.

Quick Start

Install CodeGate and run your first scan in under two minutes.

Why CodeGate

Understand the threat landscape that motivated this project.

scan command

Scan directories, files, or URLs for AI tool config risks.

Configuration

Customize thresholds, suppression rules, and output formats.

How CodeGate works

CodeGate runs a layered analysis pipeline on your AI tool configuration surfaces before anything executes.

Discovery (Layer 1)

CodeGate walks your project directory and locates all AI tool configuration files — MCP server definitions, hooks, rules, skills, IDE settings, and workspace configs.

Static analysis (Layer 2)

A rule engine evaluates each discovered artifact offline, flagging patterns like environment variable overrides, command injection paths, consent bypass attempts, and rule injection.

Deep scan (Layer 3, opt-in)

When you pass --deep, CodeGate fetches external MCP server metadata and routes it through a local AI meta-agent for deeper behavioral analysis.

Remediation (Layer 4, opt-in)

With --remediate or --fix-safe, CodeGate proposes or applies fixes. Every change is backed up under .codegate-backup/ and reversible with codegate undo.

Key capabilities

Wrapper mode

codegate run claude scans first and blocks dangerous launches automatically.

Workflow audits

Audit GitHub Actions workflows for supply chain risks and injection patterns.

Multiple output formats

Export findings as JSON, SARIF, Markdown, HTML, or terminal output.

CI integration

Upload SARIF results directly to GitHub Code Scanning.
CodeGate is an awareness and pre-flight inspection tool. It improves visibility and decision quality — it is not a guarantee of safety and does not replace secure engineering review.