A blazing-fast DevOps security CLI built in Rust — zero-trust supply chain protection, test impact analysis, secret scanning, AST-based SAST, PR review intelligence, Kubernetes linting, coverage gates, and dependency auditing — in a single zero-dependency binary.
Documentation · Commands · CI Integration · Config Reference
GreenGate is a single compiled Rust binary that replaces a collection of loosely connected CI security scripts. It intercepts npm/yarn/pnpm/bun installs with a zero-trust supply chain gate, detects hardcoded secrets and PII with 26 built-in patterns, runs AST-based SAST with taint tracking, selects only the tests affected by a diff, and enforces coverage and complexity thresholds — all from one tool with no Node, Python, or JVM runtime required.
| Command | Purpose |
|---|---|
| `greengate watch-install` | Zero-trust supply chain gate with three layers: pre-flight script scan (entropy + network/eval patterns), runtime phantom-file detection, post-install exec-drop detection |
| `greengate tia` | Test impact analysis: AST import parsing determines exactly which tests are affected by a diff; pipe the result into pytest/jest/go test |
| `greengate scan` | Secrets, PII and AST-based SAST for JS/TS/Python/Go |
| `greengate audit` | OSV dependency vulnerability audit (npm, Cargo, PyPI, Go, Maven, NuGet) |
| `greengate review` | PR Complexity Score + new-code coverage gaps, with GitHub Check Run annotations |
| `greengate lint` | Kubernetes manifest linting |
| `greengate docker-lint` | Dockerfile best-practice checks |
| `greengate coverage` | LCOV / Cobertura coverage threshold gate |
| `greengate lighthouse` | PageSpeed Insights performance gate |
| `greengate reassure` | React component render regression gate |
| `greengate sbom` | CycloneDX 1.5 SBOM generation |
| `greengate run` | Run all quality gates from `.greengate.toml` |
| `greengate install-hooks` | Install as a git pre-commit hook |
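The selection step behind `greengate tia` is a reverse walk of the import graph: a test is affected if it imports a changed file directly or through any chain of intermediate modules. The following is an added illustration of that algorithm, not GreenGate's code. It assumes a Python-only toy tree (constructed inline), a deliberately minimal import extractor (only `import a.b` and `from a.b import c`), and a naive `a.b` to `a/b.py` resolution; the project's real AST parsing covers more languages and more import forms.

```rust
use std::collections::{HashMap, HashSet, VecDeque};

/// Extract imported module paths from Python-style source, covering only
/// `import a.b` and `from a.b import c`. Module `a.b` is assumed to resolve
/// to `a/b.py` (an assumption for this example; a real resolver also handles
/// packages, aliases and relative imports).
fn imports_of(src: &str) -> Vec<String> {
    let mut deps = Vec::new();
    for line in src.lines() {
        let line = line.trim_start();
        let rest = line.strip_prefix("from ").or_else(|| line.strip_prefix("import "));
        if let Some(rest) = rest {
            if let Some(module) = rest.split(|c: char| c.is_whitespace() || c == ',').next() {
                if !module.is_empty() {
                    deps.push(format!("{}.py", module.replace('.', "/")));
                }
            }
        }
    }
    deps
}

/// Select the tests affected by `changed`: build the reverse import graph
/// (file -> files that import it), then breadth-first walk it from every
/// changed file. Each test file reached transitively depends on a change;
/// a changed test file selects itself.
fn affected_tests(
    files: &HashMap<&str, &str>,
    changed: &[&str],
    is_test: impl Fn(&str) -> bool,
) -> Vec<String> {
    let mut importers: HashMap<String, Vec<String>> = HashMap::new();
    for (path, src) in files {
        for dep in imports_of(src) {
            importers.entry(dep).or_default().push(path.to_string());
        }
    }
    let mut reached: HashSet<String> = HashSet::new();
    let mut queue: VecDeque<String> = changed.iter().map(|c| c.to_string()).collect();
    while let Some(file) = queue.pop_front() {
        if !reached.insert(file.clone()) {
            continue; // already visited; this also terminates on import cycles
        }
        if let Some(users) = importers.get(&file) {
            queue.extend(users.iter().cloned());
        }
    }
    let mut tests: Vec<String> = reached.into_iter().filter(|f| is_test(f.as_str())).collect();
    tests.sort();
    tests
}

/// Constructed repository for the example, not a real project:
/// `api` depends on `auth`; `util` is independent of both.
fn sample_repo() -> HashMap<&'static str, &'static str> {
    HashMap::from([
        ("src/auth.py", "import hashlib\ndef verify(token): ...\n"),
        ("src/api.py", "from src.auth import verify\n"),
        ("src/util.py", "def slug(s): ...\n"),
        ("tests/test_auth.py", "from src.auth import verify\n"),
        ("tests/test_api.py", "import src.api\n"),
        ("tests/test_util.py", "from src.util import slug\n"),
    ])
}

fn main() {
    let repo = sample_repo();
    let selected = affected_tests(&repo, &["src/auth.py"], |f| f.starts_with("tests/test_"));
    // The moral equivalent of `pytest $(greengate tia --base main)`: only the
    // tests that can observe the change are run.
    println!("pytest {}", selected.join(" "));
}
```

A change to `src/auth.py` selects `tests/test_auth.py` (direct import) and `tests/test_api.py` (through `src/api.py`) but leaves `tests/test_util.py` out. The visited set is what makes the walk safe on cyclic imports, which real codebases have more often than their authors expect.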
macOS (Apple Silicon):

```bash
curl -sL https://github.com/thinkgrid-labs/greengate/releases/latest/download/greengate-macos-arm64 \
  -o /usr/local/bin/greengate && chmod +x /usr/local/bin/greengate
```

macOS (Intel):

```bash
curl -sL https://github.com/thinkgrid-labs/greengate/releases/latest/download/greengate-macos-amd64 \
  -o /usr/local/bin/greengate && chmod +x /usr/local/bin/greengate
```

Linux (x64):

```bash
curl -sL https://github.com/thinkgrid-labs/greengate/releases/latest/download/greengate-linux-amd64 \
  -o /usr/local/bin/greengate && chmod +x /usr/local/bin/greengate
```

Windows (x64) — PowerShell:

```powershell
Invoke-WebRequest -Uri "https://github.com/thinkgrid-labs/greengate/releases/latest/download/greengate-windows-amd64.exe" `
  -OutFile "$env:USERPROFILE\.local\bin\greengate.exe"
```

Build from source (Rust 1.85+):

```bash
cargo install --git https://github.com/thinkgrid-labs/greengate
```

The one-liners above fetch the unpinned `latest` release. In CI, pin a release tag in the download URL (`/releases/download/<tag>/` instead of `/releases/latest/download/`) and compare the binary's SHA-256 with a digest you recorded when you vetted that release, so that a later or tampered asset cannot silently change the gate itself.

```bash
# Zero-trust supply chain gate — static script scan + runtime dropper detection
greengate watch-install npm ci

# Scan for hardcoded secrets, PII, and SAST issues
greengate scan

# Audit dependencies for known CVEs (OSV database)
greengate audit

# Test impact analysis — run only tests affected by changes since main
pytest $(greengate tia --base main)

# Analyze a PR: complexity score + new-code coverage gaps
greengate review --base main --coverage-file coverage/lcov.info

# Enforce 80% minimum coverage
greengate coverage --file coverage/lcov.info --min 80

# Lint Kubernetes manifests
greengate lint --dir ./k8s

# Install as a git pre-commit hook
greengate install-hooks

# Run all gates from config
greengate run
```

```yaml
- name: Install GreenGate
  run: |
    curl -sL https://github.com/thinkgrid-labs/greengate/releases/latest/download/greengate-linux-amd64 \
      -o /usr/local/bin/greengate && chmod +x /usr/local/bin/greengate

# Zero-trust supply chain gate — static script scan + runtime dropper detection
- name: Zero-trust supply chain install
  run: greengate watch-install npm ci

- name: Secret, PII & SAST scan
  run: greengate scan --annotate
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- name: Dependency audit (OSV)
  run: greengate audit

- name: Test impact analysis
  if: github.event_name == 'pull_request'
  run: |
    TESTS=$(greengate tia --base "${{ github.event.pull_request.base.sha }}")
    if [ -n "$TESTS" ]; then pytest $TESTS; fi

- name: PR review (complexity + coverage gaps)
  if: github.event_name == 'pull_request'
  run: |
    greengate review \
      --base "${{ github.event.pull_request.base.sha }}" \
      --coverage-file coverage/lcov.info \
      --min-coverage 80 \
      --annotate
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    GITHUB_REPOSITORY: ${{ github.repository }}
    GITHUB_SHA: ${{ github.sha }}

- name: Coverage gate
  run: greengate coverage --file coverage/lcov.info --min 80
```

Both `tia --base` and `review --base` diff the checkout against the PR base commit, so the checkout step must fetch enough history for that commit to exist locally (with `actions/checkout`, set `fetch-depth: 0` or a depth that covers the PR). The `--annotate` steps write GitHub Check Run annotations with the supplied `GITHUB_TOKEN`, which needs `checks: write` permission in the job.

See CI/CD Integration for full GitHub Actions, GitLab CI, Bitbucket, and CircleCI examples.
Create `.greengate.toml` in your repo root. All fields are optional:

```toml
[supply_chain]
block_phantom_scripts = true
enforce_sandbox = true
allow_postinstall = ["esbuild", "prisma", "@swc/core"]

[tia]
test_patterns = ["**/*.test.ts", "**/*.test.js", "**/test_*.py", "**/*_test.go"]

[scan]
exclude_patterns = ["tests/**", "*.test.ts", "vendor/**"]
entropy = true
entropy_threshold = 4.5

[coverage]
file = "coverage/lcov.info"
min = 80.0

[review]
min_new_code_coverage = 80
complexity_budget = 0  # 0 = warn only; > 0 = hard fail threshold

[pipeline]
steps = ["scan", "review --base main --coverage-file coverage/lcov.info", "coverage", "audit"]
```

Keep `allow_postinstall` limited to packages you have actually vetted: each entry is a package whose install scripts the gate is told to trust.

Full reference → Configuration Reference
Full guides, command references, and CI examples live in the docs site:
- Getting Started
- CI/CD Integration
- Use Cases
- Commands: watch-install · tia · scan · audit · review · coverage · lint · docker-lint · lighthouse · reassure · sbom · run
- Reference: Config · Secret Patterns · SAST Rules · Output Formats · Exit Codes · Roadmap
GreenGate is open source under the MIT License. See CONTRIBUTING.md for details on adding secret patterns, SAST rules, and running tests.
```bash
cargo test          # unit + integration tests
cargo clippy        # lint
cargo fmt --check   # formatting
```