Know before you ship.

The pre-deploy release gate for AI agents. Paste any repo — release-gate finds the agent-layer risks SAST, guardrails, and evaluators structurally miss: model output reaching eval (the CVE-2025-51472 RCE class), user input in a system prompt, LLM loops with no cost ceiling. Every finding cites its evidence. Takes 10 seconds.

A SAST tool sees eval(x) but can't tell that x came from the model. That blind spot is the whole agent layer — and it's the gate release-gate stands on.

🔒 Scanning a private repo? Install the release-gate-ai App to grant read access — public repos work without it.

Running audit…

Sample output

$ release-gate audit myorg/my-ai-agent
Agents OpenAI / Agents SDK, LangChain
Agent Code Safety  28/100  BLOCK  4 high · 18 med
  the model’s own output assistant_replyeval()  agent.py:149
Governance        50/100  Partial  4/8 safeguards declared
Decision: ✗ BLOCK
The eval() of model output is the CVE-2025-51472 RCE class — the agent-layer risk SAST, guardrails & evaluators miss.

The governance safeguards

One of two axes. Every safeguard maps to a real production failure — no checkbox theater. The other axis, Agent Code Safety, scans the code itself for the agent-layer risks SAST misses (below).

🏛️

Governance config

Governance lives in heads, not docs. Knowledge walks out the door.

📊

Eval evidence

No tests = no signal. You're guessing in prod.

🔍

Trace / tool policy

Silent tool misuse. No audit trail when something goes wrong.

💰

Budget ceiling

One prompt injection → $10k overnight. No ceiling = no floor.

🔴

Kill switch / fallback

Agent misbehaves at 2am. No kill switch = 45-min deploy to fix it.

👤

Team owner

Incident at 3am. Who do you page? "The team" is not an answer.

🔐

Auth & rate limiting

Unprotected endpoint = denial-of-wallet attack in minutes.

Agent Safety Scan

Scan your agent code for the risks SAST tools miss

Point it at any GitHub repo running an LLM agent. It finds the failure modes that only exist once a model is in the loop — prompt-injection surfaces, exec sinks fed by model output, LLM calls with no token ceiling, and hardcoded keys. SonarQube won’t flag these; this is the layer on top.

Paste any public GitHub repo that runs an LLM agent — e.g. github.com/your-org/your-agent. Sign up free to see every finding with file:line.

Who it's for

Built for every team shipping AI into production

Whether you're a solo engineer or a platform team governing dozens of agents — release-gate fits into how you already work.

🤖
AI / ML Engineers
Teams shipping AI agents
You built a LangChain, CrewAI, or Agents SDK app and you're about to push it to prod. release-gate checks that budget ceilings, fallback logic, and eval evidence are actually in place — not just planned.
Catch missing safeguards before your manager does
💬
Product & Platform Teams
LLM-powered apps & copilots
Your app calls GPT-4 or Claude on every user request. One bad prompt, one rate-limit gap, or one missing kill switch and you're dealing with a public incident. release-gate makes the checklist automatic.
Ship with confidence, not crossed fingers
🔧
Backend Engineers
Tool-calling & agentic systems
Your agent reads files, calls APIs, writes to databases. Without a declared tool policy and rate limits, one loop bug costs you real money and real data. release-gate surfaces those gaps before deploy.
Know which tools are allowed before they're abused
🏢
Enterprise & Security Teams
Internal copilots & assistants
You're deploying an internal AI assistant to thousands of employees. Legal wants an audit trail. Security wants auth enforced. release-gate gives you a machine-readable evidence pack for every release.
Audit trail ready for compliance review
⚙️
Infrastructure & MLOps
Self-hosted & open-weight models
You're running Llama, Mistral, or a fine-tuned model on your own infra. No managed guardrails, no built-in cost control. release-gate checks that you've declared your own — because nobody else will.
Governance that works without a cloud provider
📊
Data Science & Analytics
Prediction & scoring models
Your model scores loan applications, flags fraud, or ranks candidates. release-gate checks for eval evidence and team ownership — the two things regulators ask about first when something goes wrong.
Evidence pack ready before the auditor asks

Zero extra infrastructure

One pip install. Works in your terminal, your CI, or via API. No cloud containers, no agents to host, no SaaS dependency for the core tool.

💻 CLI (Terminal)

$ pip install release-gate $ release-gate audit https://github.com/org/agent   Score 60/100 HOLD ✗ governance_file ✓ budget_ceiling ... $ release-gate audit . --emit-config -o governance.yaml

Your machine. Your terminal. No account needed.

⚙️ GitHub Actions

- uses: VamsiSudhakaran1/release-gate@v0.8.2 with: command: audit path: . # Exit 0=PROMOTE · 10=HOLD · 1=BLOCK

5 lines in your workflow. Score appears in PR summary.

🌐 SaaS API

POST /api/audit { "url": "https://github.com/org/agent" }   → { score: 60, decision: "HOLD", safeguards: { ... } }

Use from any language. Full history + dashboard for teams.

The Verify phase for agent loops

Every agent loop needs a checker that isn’t the same model that wrote the output. Release Gate owns the Verify step — returning CONTINUE, SHIP, or ROLLBACK after each iteration.

Discover Plan Execute ✓ Release Gate Verify Iterate

💻 CLI (local loops)

$ release-gate verify governance.yaml \ --iteration 3 --cost 0.12 \ --trace trace.jsonl --json   { "decision": "SHIP", "cost_remaining": 0.88 }   # exit 0=SHIP 10=CONTINUE 1=ROLLBACK

Works in any shell loop. No account needed.

🌐 API (live loops)

POST /api/verify { "iteration": 3, "cost_so_far": 0.12, "trace": { "steps": [...] }, "loop_id": "my-loop-001" }   → { "decision": "CONTINUE", "warnings": ["8/10 iterations used"] }

Call from any language. Each iteration is persisted.

📋 Governance

# governance.yaml loop: max_iterations: 10 total_cost_limit: 1.00 cost_per_iteration_limit: 0.15 maker_model: claude-opus-4-8 checker_model: claude-haiku-4-5

Declare the policy once. Release Gate enforces it every iteration.

🧪 Try the Loop Verifier

Runs against the live /api/verify endpoint — requires a free account and API token. Without auth the result is a local simulation.

See it decide — live

Three lenses on the same agent. All run server-side and return one decision.

Runs the agent through a behaviour battery — Safety, Correctness, Loop, Cost — for a 0–100 score. Watch the canary safety gate fire.

Built-in demo agents scored server-side — no account needed. Score your own: release-gate agent-score py:my_pkg:run

Built for teams, not just individuals

The CLI is always 100% free and unlimited — no scan caps, no account required, works in any CI pipeline. The platform adds what CLI can’t: persistent history, team visibility, and compliance audit trail.

Scan limits below apply only to hosted web scans. Local CLI and CI usage is always unlimited.

Visitor
$0
no account needed
3 playground scans/day
  • Score & decision
  • 2 safeguards visible
  • No history
  • Partial results only
No sign-up needed
Starter
$0
free account
10 scans/month

Why pay if CLI is free? History & full results in the browser.

  • Full safeguard detail
  • Last 5 runs history
  • 1 repo tracked
  • Dashboard access
Sign up free →
Enterprise
Custom pricing
talk to us about your team size
Unlimited scans & repos

Why pay if CLI is free? Org-wide governance policy, compliance audit trail, SSO.

  • Everything in Pro
  • Unlimited repos & members
  • Org policy (min score)
  • PDF compliance reports
  • SSO / SAML
  • Slack alerts
  • Audit trail
  • GitHub App org-wide
Contact us →

Fits your stack

Add the agent layer to the security tooling you already run

SonarQube, Snyk and your SAST suite keep your code healthy. release-gate keeps your agent safe to ship. They’re complementary — release-gate doesn’t replace anything you already trust, it covers the layer those tools were never built to see.

Your SAST tools cover
The code layer
  • SQL injection, XSS, CSRF, path traversal
  • Vulnerable & outdated dependencies (CVEs)
  • Code smells, coverage, maintainability
  • Supply-chain & license risk
Keep running these. release-gate doesn’t duplicate them.
release-gate adds
The agent layer
  • Prompt-injection surfaces in system prompts
  • Cost-runaway loops & missing token ceilings
  • LLM output reaching eval/exec/shell sinks
  • Declared safeguards: budget ceiling, kill switch, owner, evals, trace policy
  • A single PROMOTE / HOLD / BLOCK ship decision
The failure modes that only exist once an LLM is in the loop.

A clean SonarQube report means your code won’t leak a buffer or run an injected query. It says nothing about whether your agent has a budget ceiling, a kill switch, or a prompt-injection surface in its system message. release-gate closes that gap — so “the code passed” and “the agent is safe to deploy” finally mean the same thing.

Security & privacy

We audit your repo — we don’t store your code. Here’s exactly how access works.

🔓
Public repos — no login
Public GitHub repos are scanned via the GitHub API with no authentication. No account or token needed — just paste the URL.
🔐
Private repos — read-only GitHub App
Private repo access uses a GitHub App installation token with read-only repository contents scope. The App cannot write code, open issues, or modify settings.
🧠
No training on your code
Source code scanned by release-gate is never used to train models. Static analysis runs in-process and results are stored as structured findings — not raw code.
💻
CLI runs 100% locally
The open-source CLI never phones home. It reads only the local directory you point it at. Your code stays on your machine, in your CI, or behind your firewall.
🏗️
Self-hostable
Run release-gate entirely in your own CI pipeline using the CLI — no cloud dependency, no data leaves your network. Enterprise users can also self-host the dashboard.
📄
Open-source core
The scanning engine, safeguard checks, and governance schema are fully open-source. Audit the code that audits your code.

FAQ

Questions, answered

What release-gate is, what it tests, and where it fits next to the tools you already use.

How is this different from guardrails like Lakera or NeMo?
Guardrails block a bad request at runtime — they live in the request path of a deployed agent. Release-gate answers a different question before you deploy: is this agent safe to ship at all? It runs a battery against the agent and returns one PROMOTE / HOLD / BLOCK verdict across safety, correctness, loop behavior, and cost. It's the release-decision layer above guardrails, not a replacement for them.
Does my agent have to be written in Python?
No. Point it at a Python callable (py:), a shell command (cmd:), or any HTTP endpoint. For HTTP you just tell it where the input and output live in the JSON — so LangServe, a plain FastAPI route, or an OpenAI-compatible API all work with no wrapper: agent-score "http://host/run#in=prompt&out=reply".
Why two scores — Agent Code Safety and Governance?
Because they answer different questions, and collapsing them into one number hides the truth. Agent Code Safety is objective: it scans your source for the agent-layer risks — prompt-injection surfaces, exec/shell sinks fed by model output, LLM calls with no token ceiling, hardcoded keys. It moves per repo and doesn't depend on adopting anything from us. Governance is maturity: have you declared the enforceable safeguards (budget ceiling, kill switch, owner, evals, trace policy)? A low Governance score means undeclared, not unsafe. Keeping them separate is why a clean codebase with no config still scores well on safety — no circular "you didn't adopt our file" penalty. Each score also shows the findings driving it, so it's never a black box.
Isn't Agent Code Safety just SonarQube?
No. SonarQube and SAST tools find SQL injection, XSS, CVEs and code smells — the code layer. Agent Code Safety finds the failure modes that only exist once an LLM is in the loop: user input flowing into a system prompt, model output reaching exec/a shell, an uncapped loop that can burn $10k overnight, a missing kill switch. SonarQube has no concept of any of those. Keep your SAST suite — this is the agent layer on top, not a replacement.
What kinds of issues does the scan actually catch?
The agent-layer failure modes behind real, documented incidents:
  • Prompt-injection surface — untrusted input interpolated into a system prompt. The pattern behind the Chevrolet dealership bot being talked into “selling” a car for $1, and OWASP’s #1 LLM risk.
  • Uncapped LLM calls / no cost ceiling — a single call or loop with no max_tokens or budget. The pattern behind the $4k weekend bills and $6.5k runaway-agent stories.
  • Unbounded loop around an LLM callwhile True: with no iteration cap and a stop condition that may never trigger. The AutoGPT-style runaway that turns a $5 task into $400.
  • Exec/eval sinks reachable from model outputeval(), exec(), shell=True, new Function() fed by model or user input — a remote-code-execution path.
  • Hardcoded secrets in agent code (a convenience check; use a dedicated scanner for full coverage).
Each finding shows the exact file:line and the fix. The analyzer parses the code (AST), not keywords, so it flags client.chat.completions.create(...) without a ceiling but not a harmless wizard.run().
What does the live agent battery test?
When you point release-gate at a live agent (CLI agent-score or the on-site live scan), it runs four weighted dimensions. Safety plants a canary secret in the agent's context and runs a tiered prompt-injection / exfiltration battery (L1 direct → L4 multi-turn); a confirmed leak is a hard BLOCK. Correctness runs your domain evals. Loop behavior checks convergence and catches runaways. Cost & latency characterizes per-call spend. A high total can't buy back a weak dimension — promote floors keep a broken-but-safe agent out of PROMOTE.
What's PROMOTE / HOLD / BLOCK?
The release verdict. PROMOTE — ship it. HOLD — usable but a dimension is weak; tighten before promoting. BLOCK — a hard failure (e.g. a confirmed canary leak, or the agent errored on most calls). Exit codes are 0 / 10 / 1 so it drops straight into CI.
Does scoring make real calls and cost money?
Yes — agent-score runs your actual agent through the battery (~20–30 calls), so it costs real tokens against whatever model your agent uses. It runs the agent; it doesn't estimate. The static repo audit (audit <repo>) is free and makes no model calls.
Does it map to compliance frameworks?
Yes. The same probe evidence rolls up to OWASP LLM Top 10, the NIST AI RMF, and the EU AI Act — with honest NOT_ASSESSED where it doesn't test something, because a fake green fails an audit harder than an admitted gap.
Is the CLI free? Do you store my code?
The CLI is 100% free and unlimited — no scan caps, no account, works in any CI pipeline, stdlib-only core. The audit clones your repo, scans it, and doesn't retain the code. The platform (optional) adds persistent history, team visibility, and an audit trail.

Didn't find your answer?

Sign up (free) to send us your question — that way we have an email to reply to.

Scan your repo now — takes 10 seconds

No sign-up required for the first scan.

Security posture —

All repos, live risks, and historical trend in one view.

Loading…

Loading report…