GCA · GETTING STARTED

    Overview

    Gadriel Code — a local-first code-security scanner that finds and fixes vulnerabilities before you commit.

    Gadriel Code

    A local-first code-security scanner that finds and fixes vulnerabilities before you commit — your code never leaves your machine.

    Gadriel Code is the code-security scanner in the Gadriel toolchain. It runs entirely on your laptop or your CI runner, catches security problems at the moment you write them, and hands the confirmed issues to your AI coding assistant for remediation — all before a single line is committed. We call this remediation before commit.

    Unlike SaaS scanners (Snyk, Semgrep Cloud, GitHub Advanced Security, SonarCloud), Gadriel uploads nothing. All scanning, dependency-graph construction, and secret detection happens locally. The only outbound calls are explicitly enumerated and configurable (see Privacy).


    Why Gadriel Code

    DifferentiatorWhat it means for you
    Local-first (privacy)Code, build artifacts, and graph data stay on your machine. The privacy boundary is a hard, non-negotiable product constraint.
    Remediation before commitA pre-commit gate scans only your staged files and blocks a commit when a finding crosses your severity threshold — issues get fixed before they ever land in history.
    AI-assistant integrationA built-in MCP server (JSON-RPC 2.0 over stdio) lets Claude Code and other assistants read findings and drive fixes. See AI Coding Integration.
    6 scan typesSAST, SCA, secrets, config, container, and API — one binary, one command.
    False-positive preventionA serious FP-prevention program: confidence tiers, verdict-driven gating, and workspace-aware cross-file taint analysis so you get "review, not panic." See False Positives.
    Standards-based outputFindings are emitted as an OCSF-aligned envelope; SBOMs ship as SPDX 2.3 + CycloneDX 1.5.

    What it checks

    Gadriel Code runs six scan types, auto-detecting which apply to your repository. Scan types that don't apply (no Dockerfile, no lockfile, no OpenAPI spec) are cleanly skipped and reported.

    Scan typeWhat it findsAuto-detected from
    SASTInjection, unsafe sinks, tainted data flows (workspace-aware, cross-file)Source files (Python, JS/TS, Rust, Go, …)
    SCAVulnerable dependencies (CVEs via the OSV database), license and health issuesManifests / lockfiles
    SecretsAPI keys, tokens, and credentials in source or full git historyAll files (+ --git-history sweep)
    ConfigInsecure configuration and (experimental) Infrastructure-as-CodeConfig files, *.tf, K8s/Helm/CloudFormation
    ContainerImage and Dockerfile misconfigurationDockerfile / Containerfile
    APIAPI-surface security issuesOpenAPI specs

    See Scan Coverage and Languages for the full matrix.


    The 8 quality pillars & the scoring math

    Every scan rolls its findings up into a weighted score across 8 pillars, using the Gadriel Scoring Model. The overall score (0–10) and a verdict (PASS / PARTIAL / FAIL) tell you at a glance whether the code is ready to commit.

    PillarWeight
    Security0.20
    Compliance0.20
    Safety0.15
    Operational0.15
    FinOps0.10
    Coherence0.10
    Teamwork0.05
    Bias0.05

    Read more in Scoring & Verdicts.


    30-second quickstart

    # 1. Install (single self-contained binary, distributed via npm)
    npm install -g gadriel
    # 2. Authenticate (paste a token from app.gadriel.ai/developers/)
    gadriel auth login
    # 3. Scaffold this repo: .security/, git hooks, MCP server, CLAUDE.md
    gadriel code init
    # 4. Scan
    gadriel code scan .
    # 5. Read the results
    gadriel code findings

    A scan ends with a verdict line like:

    verdict:  PARTIAL · coverage DEGRADED (overall 8.95/10.0)
    
    • PASS / PARTIAL / FAIL — the overall verdict from the pillar scores.
    • coverage GREEN / DEGRADED — whether every scan type ran with full data (e.g. DEGRADED when the OSV CVE database hasn't been synced yet).

    Full walkthrough: Quickstart.


    Documentation

    Getting started

    Using the scanner

    Language guides

    • Python — workspace taint, framework awareness, SCA parsers.
    • JavaScript & TypeScript — taint, npm/yarn/pnpm SCA.
    • Go — exec/redirect/SQL classes, gosec corroboration.
    • C & C++ — the precision engine, provenance demotion, clang-tidy.

    Working with AI assistants

    Understanding results

    • Scoring & Verdicts — the 8 pillars and the Gadriel Scoring Model.
    • Execution Layers — L1 (file-save) → L2 (pre-commit) → L3 (PR) → L4 (CI/CD).
    • Tiers — confidence tiers and Tier-2 opt-in analysis.
    • False Positives — the FP-prevention program and how to dismiss.
    • Reports & Outputs — findings.json, HTML/PDF bundles, the RVF store.
    • Examples — a worked-findings gallery per scan type.

    Compliance & supply chain

    • Compliance — EU AI Act, NIST AI RMF, SOC 2, HIPAA, PCI-DSS, OWASP.
    • SBOM — SPDX 2.3 + CycloneDX 1.5 export.
    • Privacy — the "code never leaves the machine" boundary.

    Extending & reference

    Help