Gadriel Code
A local-first code-security scanner that finds and fixes vulnerabilities before you commit — your code never leaves your machine.
Gadriel Code is the code-security scanner in the Gadriel toolchain. It runs entirely on your laptop or your CI runner, catches security problems at the moment you write them, and hands the confirmed issues to your AI coding assistant for remediation — all before a single line is committed. We call this remediation before commit.
Unlike SaaS scanners (Snyk, Semgrep Cloud, GitHub Advanced Security, SonarCloud), Gadriel uploads nothing. All scanning, dependency-graph construction, and secret detection happens locally. The only outbound calls are explicitly enumerated and configurable (see Privacy).
Why Gadriel Code
| Differentiator | What it means for you |
|---|---|
| Local-first (privacy) | Code, build artifacts, and graph data stay on your machine. The privacy boundary is a hard, non-negotiable product constraint. |
| Remediation before commit | A pre-commit gate scans only your staged files and blocks a commit when a finding crosses your severity threshold — issues get fixed before they ever land in history. |
| AI-assistant integration | A built-in MCP server (JSON-RPC 2.0 over stdio) lets Claude Code and other assistants read findings and drive fixes. See AI Coding Integration. |
| 6 scan types | SAST, SCA, secrets, config, container, and API — one binary, one command. |
| False-positive prevention | A serious FP-prevention program: confidence tiers, verdict-driven gating, and workspace-aware cross-file taint analysis so you get "review, not panic." See False Positives. |
| Standards-based output | Findings are emitted as an OCSF-aligned envelope; SBOMs ship as SPDX 2.3 + CycloneDX 1.5. |
What it checks
Gadriel Code runs six scan types, auto-detecting which apply to your repository. Scan types that don't apply (no Dockerfile, no lockfile, no OpenAPI spec) are cleanly skipped and reported.
| Scan type | What it finds | Auto-detected from |
|---|---|---|
| SAST | Injection, unsafe sinks, tainted data flows (workspace-aware, cross-file) | Source files (Python, JS/TS, Rust, Go, …) |
| SCA | Vulnerable dependencies (CVEs via the OSV database), license and health issues | Manifests / lockfiles |
| Secrets | API keys, tokens, and credentials in source or full git history | All files (+ --git-history sweep) |
| Config | Insecure configuration and (experimental) Infrastructure-as-Code | Config files, *.tf, K8s/Helm/CloudFormation |
| Container | Image and Dockerfile misconfiguration | Dockerfile / Containerfile |
| API | API-surface security issues | OpenAPI specs |
See Scan Coverage and Languages for the full matrix.
The 8 quality pillars & the scoring math
Every scan rolls its findings up into a weighted score across 8 pillars, using the Gadriel Scoring Model. The overall score (0–10) and a verdict (PASS / PARTIAL / FAIL) tell you at a glance whether the code is ready to commit.
| Pillar | Weight |
|---|---|
| Security | 0.20 |
| Compliance | 0.20 |
| Safety | 0.15 |
| Operational | 0.15 |
| FinOps | 0.10 |
| Coherence | 0.10 |
| Teamwork | 0.05 |
| Bias | 0.05 |
Read more in Scoring & Verdicts.
30-second quickstart
bash# 1. Install (single self-contained binary, distributed via npm)npm install -g gadriel# 2. Authenticate (paste a token from app.gadriel.ai/developers/)gadriel auth login# 3. Scaffold this repo: .security/, git hooks, MCP server, CLAUDE.mdgadriel code init# 4. Scangadriel code scan .# 5. Read the resultsgadriel code findings
A scan ends with a verdict line like:
verdict: PARTIAL · coverage DEGRADED (overall 8.95/10.0)
- PASS / PARTIAL / FAIL — the overall verdict from the pillar scores.
- coverage GREEN / DEGRADED — whether every scan type ran with full data (e.g.
DEGRADEDwhen the OSV CVE database hasn't been synced yet).
Full walkthrough: Quickstart.
Documentation
Getting started
- Installation — install via npm, prerequisites, verifying.
- Authentication —
gadriel auth login, tokens, offline mode. - Quickstart — init → scan → findings → report.
Using the scanner
- CLI Reference — every command and flag.
- Scan Coverage — the 6 scan types in depth.
- Languages — supported languages and ecosystems.
- Configuration —
.gadriel.tomland~/.gadriel/config.toml. - CI/CD Integration — GitHub Actions, GitLab CI, gating policy (Layer 4).
- Upgrades & Migration —
init --upgrade, npm upgrades, store migration.
Language guides
- Python — workspace taint, framework awareness, SCA parsers.
- JavaScript & TypeScript — taint, npm/yarn/pnpm SCA.
- Go — exec/redirect/SQL classes, gosec corroboration.
- C & C++ — the precision engine, provenance demotion, clang-tidy.
Working with AI assistants
- AI Coding Integration — MCP server, Claude Code, and other platforms.
- MCP Tools Reference — per-tool params, returns, and examples.
- Agentic Remediation —
fix, MCP fix loop, autonomous campaigns.
Understanding results
- Scoring & Verdicts — the 8 pillars and the Gadriel Scoring Model.
- Execution Layers — L1 (file-save) → L2 (pre-commit) → L3 (PR) → L4 (CI/CD).
- Tiers — confidence tiers and Tier-2 opt-in analysis.
- False Positives — the FP-prevention program and how to dismiss.
- Reports & Outputs — findings.json, HTML/PDF bundles, the RVF store.
- Examples — a worked-findings gallery per scan type.
Compliance & supply chain
- Compliance — EU AI Act, NIST AI RMF, SOC 2, HIPAA, PCI-DSS, OWASP.
- SBOM — SPDX 2.3 + CycloneDX 1.5 export.
- Privacy — the "code never leaves the machine" boundary.
Extending & reference
- Rule Authoring (GVL) — write custom rules and false-positive gates.
- Glossary — every term, defined and cross-linked.
Help
- Troubleshooting — common issues and
gadriel doctor.
