Pre-Commit & Pre-Merge Compliance Gate
Quick Start · How It Works · 18 Security Gates · Installation · Configuration · CLI Usage
ControlGate is an AI-powered agent skill that scans your code changes against the NIST SP 800-53 Rev. 5 (and FedRAMP) security framework before every commit and merge. It maps findings directly to specific NIST control IDs, providing traceable compliance evidence and actionable remediation guidance.
# Install
pip install controlgate
# Bootstrap project (creates .controlgate.yml, pre-commit hook, CI workflows)
controlgate init
# Full repo audit (first-time scan)
controlgate scan --mode full --format markdown
# Scan staged changes (NIST baseline)
controlgate scan --mode pre-commit --format markdown
# Scan staged changes (FedRAMP baseline)
controlgate scan --gov --baseline moderate --mode pre-commit --format markdown
# Scan PR diff against main
controlgate scan --mode pr --target-branch main --format json markdownDeveloper writes code
↓
git commit / Pull Request
↓
ControlGate intercepts the diff
↓
18 Security Gates scan against 370 non-negotiable NIST controls
↓
Verdict: BLOCK / WARN / PASS
| # | Gate | NIST Families | What It Catches |
|---|---|---|---|
| 1 | Secrets | IA-5, SC-12, SC-28 | Hardcoded creds, API keys, private keys |
| 2 | Crypto | SC-8, SC-13, SC-17 | Weak algorithms, missing TLS, ssl_verify=False |
| 3 | IAM | AC-3, AC-5, AC-6 | Wildcard IAM, missing auth, overprivileged roles |
| 4 | Supply Chain | SR-3, SR-11, SA-10 | Unpinned deps, missing lockfiles, build tampering |
| 5 | IaC | CM-2, CM-6, SC-7 | Public buckets, 0.0.0.0/0 rules, root containers |
| 6 | Input Validation | SI-10, SI-11 | SQL injection, eval(), exposed stack traces |
| 7 | Audit | AU-2, AU-3, AU-12 | Missing security logging, PII in logs |
| 8 | Change Control | CM-3, CM-4, CM-5 | Unauthorized config changes, missing CODEOWNERS |
| 9 | Dependencies | SA-12, RA-5, SI-2 | Vulnerable packages, missing lockfiles |
| 10 | API Security | SC-8, AC-3, SI-10 | Unauthenticated endpoints, missing rate limiting |
| 11 | Privacy | AR-2, DM-1, IP-1 | PII exposure, missing data classification |
| 12 | Resilience | CP-2, CP-10, SC-5 | Missing retry logic, no circuit breakers |
| 13 | Incident Response | IR-2, IR-4, IR-6 | Missing error handlers, no alerting integration |
| 14 | Observability | AU-6, SI-4, CA-7 | Missing health checks, no structured logging |
| 15 | Memory Safety | SI-16, SA-11, SA-15 | Buffer overflows, unsafe memory operations |
| 16 | License Compliance | SA-4, SR-3 | GPL contamination, unlicensed dependencies |
| 17 | AI/ML Security | SA-11, SI-7, AC-3 | Untrusted model sources, prompt injection risk |
| 18 | Container Security | CM-6, AC-6, SC-7 | Root containers, privileged mode, latest tags |
pip install controlgate# .pre-commit-config.yaml
repos:
- repo: local
hooks:
- id: controlgate
name: ControlGate Security Scan
# For FedRAMP baselines, add `--gov --baseline moderate` to the entry command
entry: python -m controlgate scan --mode pre-commit --format markdown
language: python
always_run: trueCopy hooks/github_action.yml to .github/workflows/controlgate.yml in your repo.
Create a .controlgate.yml in your project root:
baseline: moderate # low | moderate | high | privacy | li-saas
gov: false # set to true to evaluate against FedRAMP baselines
gates:
secrets: { enabled: true, action: block }
crypto: { enabled: true, action: block }
iam: { enabled: true, action: warn }
sbom: { enabled: true, action: warn }
iac: { enabled: true, action: block }
input_validation: { enabled: true, action: block }
audit: { enabled: true, action: warn }
change_control: { enabled: true, action: warn }
deps: { enabled: true, action: warn }
api: { enabled: true, action: warn }
privacy: { enabled: true, action: warn }
resilience: { enabled: true, action: warn }
incident: { enabled: true, action: warn }
observability: { enabled: true, action: warn }
memsafe: { enabled: true, action: warn }
license: { enabled: true, action: warn }
aiml: { enabled: true, action: warn }
container: { enabled: true, action: warn }
thresholds:
block_on: [CRITICAL, HIGH]
warn_on: [MEDIUM]
ignore: [LOW]
exclusions:
paths: ["tests/**", "docs/**", "*.md"]
full_scan:
extensions: [.py, .js, .ts, .go, .tf, .yaml, .yml, .json, .sh]
skip_dirs: [.git, node_modules, .venv, dist, build]# Bootstrap project
controlgate init
controlgate init --baseline high --no-docs
# Scan staged changes (pre-commit mode)
controlgate scan --mode pre-commit --format markdown
# Full repository scan
controlgate scan --mode full --format markdown
controlgate scan --mode full --path ./src --format json
# Scan PR diff
controlgate scan --mode pr --target-branch main --format json markdown sarif
# Scan PR diff explicitly against FedRAMP baselines
controlgate scan --gov --baseline high --mode pr --target-branch main --format json markdown sarif
# Scan a saved diff file
controlgate scan --diff-file path/to/diff --format json
# Output reports to directory
controlgate scan --output-dir .controlgate/reports --format json markdown sarif
# Catalog management
controlgate update-catalog
controlgate catalog-info| Format | Use Case |
|---|---|
markdown |
PR comments, terminal output |
json |
Programmatic consumption, dashboards |
sarif |
GitHub Code Scanning integration |
make install-dev # Install with dev dependencies
make test # Run tests
make test-cov # Run tests with coverage
make lint # Lint with ruff
make format # Auto-format code
make typecheck # Type check with mypy
make check # Run all checks (lint + typecheck + test)
make build # Build distribution packagesControlGate provides native skills for popular AI coding assistants. These skills teach the agents how to proactively scan your code for NIST 800-53 R5 compliance and automatically apply remediations.
The agent prompts and workflows are located in the skills/ directory and are published to their respective marketplaces/repositories:
- Antigravity: Full workflow definitions available in
skills/antigravity/controlgate/ - Cursor: Repository rules available in
skills/cursor/.cursorrules - Claude Code: System prompt instructions in
skills/claude_code/.clauderules - CodeEx: Integration prompts in
skills/codeex/instructions.md
To validate the capabilities of ControlGate, we maintain a standalone test suite at sadayamuthu/controlgate-test-suite. This suite contains intentionally vulnerable projects spanning multiple languages and frameworks, specifically designed to trigger each of the 18 Security Gates. It is automatically executed in the CI pipeline to ensure zero regression in detection capabilities.
Powered by the NIST Cloud Security Baseline (NCSB) enriched catalog:
- 1,189 controls across 20 families
- 370 non-negotiable at Moderate baseline
- 247 code-relevant controls mapped to automated scanning rules
MIT
ControlGate is an open-source NIST RMF & FedRAMP compliance tool
ControlGate is managed by OpenAstra.
PyPI · GitHub · Test Suite