CodeGate is distributed as an npm package (codegate-ai). You can run it without a global install or install it globally for regular use.
1. Install CodeGate

You can run CodeGate without installing it globally by invoking it through npx. If you plan to use it regularly, a global install is more convenient.
npx codegate-ai scan .
After a global install of the codegate-ai package, the codegate command is available on your PATH, and the remaining steps use that form. Note that npx fetches the package from the npm registry and executes it; for anything beyond a one-off check, prefer an install whose version you have pinned and reviewed, as you would for any tool that reads your project's configuration.
2. Initialize your config

codegate init
This creates ~/.codegate/config.json with default settings, giving you an explicit starting point for tuning behavior: severity thresholds, output format, user-scope scanning, and tool discovery preferences.
codegate init is optional. If you skip it, CodeGate runs with its built-in defaults. Running it is still recommended, because a written config makes the effective policy visible and easy to adjust (and to review) later.
3. Run your first scan

From inside any project directory:
codegate scan .
CodeGate walks the directory, discovers AI tool configuration files, and evaluates them with its static rule engine. Findings are printed to the terminal with severity levels and remediation guidance. To export results as JSON or SARIF instead:
codegate scan . --format json
codegate scan . --format sarif --output codegate.sarif
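As an added example (not CodeGate's own code, and not part of the original page), the following JavaScript (Node.js) script gates a CI job on a SARIF report such as the one the second command above writes. It reads only standard SARIF 2.1.0 fields, so it assumes nothing about CodeGate's rule ids or result properties; the embedded report is constructed for the demo, and the threshold names are SARIF's own note/warning/error levels rather than any CodeGate-specific naming.

```javascript
// Added example, not CodeGate's own code: gate a CI job on a SARIF report.
// Only standard SARIF 2.1.0 fields are read, so no CodeGate-specific
// properties are assumed.

// SARIF result levels, lowest to highest.
const LEVEL_RANK = { none: 0, note: 1, warning: 2, error: 3 };

// Index a run's rules both by id and by position, since a result may carry
// either ruleId or ruleIndex (or both).
function indexRules(run) {
  const rules = (run.tool && run.tool.driver && run.tool.driver.rules) || [];
  return { byId: new Map(rules.map((r) => [r.id, r])), byPos: rules };
}

// A result without an explicit level inherits its rule's
// defaultConfiguration.level, and otherwise defaults to "warning" (SARIF 2.1.0).
function effectiveLevel(result, rules) {
  if (result.level) return result.level;
  const rule = result.ruleIndex !== undefined
    ? rules.byPos[result.ruleIndex]
    : rules.byId.get(result.ruleId);
  return (rule && rule.defaultConfiguration && rule.defaultConfiguration.level) || "warning";
}

// Collect results whose level is at or above `threshold`.
function resultsAtOrAbove(sarif, threshold) {
  const floor = LEVEL_RANK[threshold];
  if (floor === undefined) throw new Error(`unknown SARIF level: ${threshold}`);
  const hits = [];
  for (const run of sarif.runs || []) {
    const rules = indexRules(run);
    for (const result of run.results || []) {
      const level = effectiveLevel(result, rules);
      if ((LEVEL_RANK[level] ?? LEVEL_RANK.warning) < floor) continue;
      const pl = result.locations && result.locations[0] && result.locations[0].physicalLocation;
      const uri = pl && pl.artifactLocation && pl.artifactLocation.uri;
      hits.push({ ruleId: result.ruleId, level, uri: uri || "<no location>" });
    }
  }
  return hits;
}

// Gate decision on a parsed SARIF object: block when anything meets the threshold.
function gate(sarif, threshold) {
  const hits = resultsAtOrAbove(sarif, threshold);
  return { blocked: hits.length > 0, hits };
}

// Same decision on raw JSON text, e.g. the contents of codegate.sarif.
function gateJsonText(text, threshold) {
  return gate(JSON.parse(text), threshold);
}

// Constructed sample report for the demo; rule ids and paths are made up.
const SAMPLE_SARIF = {
  version: "2.1.0",
  runs: [{
    tool: { driver: { name: "example-scanner", rules: [
      { id: "EX001", defaultConfiguration: { level: "error" } },
      { id: "EX002", defaultConfiguration: { level: "note" } },
    ] } },
    results: [
      // level omitted: inherits "error" from the rule
      { ruleId: "EX001", ruleIndex: 0,
        locations: [{ physicalLocation: { artifactLocation: { uri: ".tool/config.json" } } }] },
      // explicit level overrides the rule default
      { ruleId: "EX002", ruleIndex: 1, level: "warning" },
      // level omitted: inherits "note"
      { ruleId: "EX002", ruleIndex: 1 },
    ],
  }],
};

// Example run: with an "error" threshold only the first result blocks.
const demoDecision = gate(SAMPLE_SARIF, "error");
for (const h of demoDecision.hits) console.log(`${h.level}\t${h.ruleId}\t${h.uri}`);
console.log(demoDecision.blocked ? "blocked" : "allowed");
```

Feeding the contents of codegate.sarif to gateJsonText and exiting non-zero when blocked gives a CI job a hard failure that does not depend on the scanner's own exit status. The level inheritance matters in practice: a result that omits level takes its rule's defaultConfiguration.level (and otherwise warning), which is exactly the case a naive check on result.level alone misses.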
4. Use wrapper mode

Instead of scanning and launching in separate steps, use codegate run to scan first and launch your AI tool only if the policy allows it:
codegate run claude
Valid targets are claude, codex, opencode, cursor, windsurf, and kiro. If CodeGate finds dangerous findings at or above your configured severity threshold, the tool launch is blocked. If files change between the scan and the launch check, launch is also blocked and a rescan is required; this closes the window in which a configuration that passed the scan could be swapped for one that would not have, before the tool reads it.
# Launch Codex after a clean scan
codegate run codex

# Skip the warning-level confirmation prompt
codegate run claude --force

Next steps

Introduction

Learn what CodeGate is, what it scans, and what it does not guarantee.

scan command reference

Full list of scan flags, collection modes, and persona options.

Configuration

Tune severity thresholds, suppression rules, and trusted directories.

CI integration

Upload SARIF results to GitHub Code Scanning.