// AI DEVSECOPS AUTOMATION · CI/CD RELEASE GATES PRO
Explainable CI/CD security gates with an aggregated release verdict.
Feed in your scanner output — SARIF, SCA, secrets, IaC — and get one clear answer: GO, CONDITIONAL, or NO-GO. Every gate shows exactly why it passed, warned, or failed, so a blocked release is never a black box. Tune the thresholds to match your risk appetite.
Recent pipeline runs
| When | Format | Findings | Crit/High | Gates F/W | Verdict |
|---|---|---|---|---|---|
| Jul 1, 07:16 | text | 25 | 0/6 | 1/0 | NO-GO |
Metadata only — scan output is never stored.
How release gating works
Modern pipelines run many security scanners — SAST, dependency/SCA, secret detection, IaC and container scanning — and each emits its own report. This tool normalizes them into one findings model (it understands SARIF, common scanner JSON, and simple severity summaries), then runs a set of explainable policy gates. Each gate is a rule with a threshold — fail on any critical, fail on secrets, fail above your chosen number of highs — and it reports pass, warn, or fail with the exact count and reason.
One aggregated verdict
The gates roll up into a single decision: any failing gate yields NO-GO; otherwise a warning yields CONDITIONAL; a clean run yields GO. Because every gate explains itself, engineers see precisely what to fix to turn a NO-GO into a GO — and you can tune the thresholds to match your risk appetite. It is a decision aid for your pipeline, not a replacement for the scanners themselves.
Frequently asked questions
What do I paste in?
The output of your CI/CD security scanners: SARIF JSON (CodeQL, Semgrep, Trivy…), a generic findings array, a Trivy report, or a simple severity summary like "critical: 0, high: 3". It normalizes all of them.
What is an "explainable gate"?
Each gate is a policy rule (e.g. "fail on any critical", "fail on secrets", "fail above 5 high") that returns pass, warn, or fail with a plain reason and the count that triggered it — so a NO-GO is never a black box.
How is the release verdict decided?
It aggregates all gates: any failing gate makes it NO-GO; otherwise any warning makes it CONDITIONAL; if everything passes it is GO. You can tune the thresholds before running.
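As an added illustration of the gate and verdict logic described above (example code, not the tool's own implementation), this Python snippet normalizes a severity summary or a generic findings array into counts, runs the three gates named on this page, and rolls them up into GO / CONDITIONAL / NO-GO. The high-finding warn and fail thresholds are assumed values standing in for the tunable ones.

```python
import re

# Assumed default thresholds for the "high" gate; the real tool lets you tune these.
HIGH_WARN = 1   # more than this many highs -> warn
HIGH_FAIL = 5   # more than this many highs -> fail

SEVERITIES = ("critical", "high", "medium", "low", "secret")

def parse_summary(text):
    """Normalize a summary like 'critical: 0, high: 3, secrets: 1' into counts."""
    counts = dict.fromkeys(SEVERITIES, 0)
    for sev, n in re.findall(r"(critical|high|medium|low|secrets?)\s*:\s*(\d+)", text, re.I):
        key = "secret" if sev.lower().startswith("secret") else sev.lower()
        counts[key] += int(n)
    return counts

def count_findings(findings):
    """Normalize a generic findings array [{'severity': ..., 'type': ...}, ...]."""
    counts = dict.fromkeys(SEVERITIES, 0)
    for f in findings:
        sev = str(f.get("severity", "")).lower()
        if sev in counts:
            counts[sev] += 1
        if str(f.get("type", "")).lower() == "secret":   # secrets count regardless of severity
            counts["secret"] += 1
    return counts

def run_gates(counts, high_warn=HIGH_WARN, high_fail=HIGH_FAIL):
    """Each gate returns (name, status, reason) so the outcome is never a black box."""
    c, s, h = counts["critical"], counts["secret"], counts["high"]
    gates = [
        ("no-critical", "fail" if c else "pass", f"{c} critical finding(s)"),
        ("no-secrets", "fail" if s else "pass", f"{s} secret(s) detected"),
    ]
    status = "fail" if h > high_fail else "warn" if h > high_warn else "pass"
    gates.append(("high-threshold", status, f"{h} high (warn >{high_warn}, fail >{high_fail})"))
    return gates

def verdict(gates):
    """Any fail -> NO-GO; otherwise any warn -> CONDITIONAL; otherwise GO."""
    statuses = {status for _, status, _ in gates}
    if "fail" in statuses:
        return "NO-GO"
    if "warn" in statuses:
        return "CONDITIONAL"
    return "GO"

if __name__ == "__main__":
    gates = run_gates(parse_summary("critical: 0, high: 3"))   # constructed sample input
    for name, status, reason in gates:
        print(f"{name:15} {status:5} {reason}")
    print("Verdict:", verdict(gates))
```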
Do you store my scan results?
No. The input is evaluated for your session and discarded. Only metadata is recorded — format, finding counts, gate results, verdict, and risk score — never the scan output itself.
Can I wire this into my pipeline?
This page is for interactive evaluation and policy tuning. The same gate logic is designed to run as a pipeline step; contact us for API/early access to automate it in CI.