Gates & maturity
Surety wraps real tools as gates. Each gate carries a maturity label so reviewers know what is enforced, what is advisory, what is experimental, and what is stub. Stubs cannot masquerade as enforced — the label appears in the PR comment and the evidence pack.
Maturity labels
- Enforced — Implementation is real and the result drives policy.
- Advisory — Real implementation; reports without blocking.
- Experimental — Limited coverage, may change. Labeled in evidence.
- Stub — Placeholder. Never returns a false pass.
Initial gate set
| Gate | Tool | Initial maturity |
|---|---|---|
| Typecheck | tsc --noEmit (or language-native) | Enforced |
| Tests | Project test runner | Enforced |
| Lint | ESLint / Ruff / language-native | Advisory |
| Secrets | Gitleaks / TruffleHog | Enforced |
| Dependency vulns | OSV-Scanner / npm audit | Enforced |
| SAST | Semgrep | Advisory |
| SBOM | CycloneDX | Enforced |
| License scan | — | Stub |
Gate result shape
Every gate emits a normalized result:
```json
{
  "gate_id": "secrets",
  "maturity": "enforced",
  "status": "pass",
  "blocking": false,
  "severity": null,
  "raw_artifact_id": "art_01HQXY...",
  "started_at": "...",
  "completed_at": "...",
  "duration_ms": 412
}
```
The raw scanner output is attached to the evidence pack as an artifact, with a content hash. SARIF is preserved natively where the scanner supports it.
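As an added example (not Surety's own code), the following builds the normalized result above and enforces the maturity invariants the page states: a stub may never report a pass, only an enforced gate's result blocks, and the raw output is attached by content hash. The status vocabulary beyond `pass`, the `skipped` status for stubs, the fail-closed handling of scanner errors and the sample gate runs are assumptions constructed for this example.

```python
import hashlib

# Constructed vocabularies for this example: the page itself only shows
# the values "enforced" and "pass".
MATURITIES = ("enforced", "advisory", "experimental", "stub")
STATUSES = ("pass", "fail", "error", "skipped")


def attach_artifact(raw_output: bytes) -> dict:
    """Store raw scanner output for the evidence pack under a content hash,
    so a result's artifact cannot be swapped without changing its id."""
    digest = hashlib.sha256(raw_output).hexdigest()
    return {"artifact_id": "art_" + digest[:16], "sha256": digest, "bytes": len(raw_output)}


def normalize(gate_id, maturity, status, severity, artifact, started_at, completed_at, duration_ms):
    """Build the normalized gate result and enforce the maturity invariants."""
    if maturity not in MATURITIES:
        raise ValueError(f"{gate_id}: unknown maturity {maturity!r}")
    if status not in STATUSES:
        raise ValueError(f"{gate_id}: unknown status {status!r}")
    # A stub is a placeholder: it may only report "skipped", never a false pass.
    if maturity == "stub" and status != "skipped":
        raise ValueError(f"{gate_id}: stub gate may not report {status!r}")
    # Only an enforced gate drives policy. Treating a scanner error on an
    # enforced gate as blocking (fail closed) is an assumption of this example.
    blocking = maturity == "enforced" and status in ("fail", "error")
    return {"gate_id": gate_id, "maturity": maturity, "status": status,
            "blocking": blocking, "severity": severity,
            "raw_artifact_id": artifact["artifact_id"], "started_at": started_at,
            "completed_at": completed_at, "duration_ms": duration_ms}


def pr_decision(results):
    """Merge is blocked if any gate blocks; every PR comment line carries its label."""
    lines = [f"[{r['maturity']}] {r['gate_id']}: {r['status']}" for r in results]
    return any(r["blocking"] for r in results), lines


def demo_results():
    """Constructed sample run over four gates from the initial gate set."""
    t0, t1 = "2024-01-01T00:00:00Z", "2024-01-01T00:00:01Z"
    art = attach_artifact(b'{"findings": []}\n')  # constructed scanner output
    return [
        normalize("secrets", "enforced", "pass", None, art, t0, t1, 412),
        normalize("lint", "advisory", "fail", "low", art, t0, t1, 90),
        normalize("license", "stub", "skipped", None, art, t0, t1, 1),
        normalize("dependency_vulns", "enforced", "fail", "high", art, t0, t1, 2300),
    ]
```

Only the enforced dependency-vulnerability failure blocks the merge; the advisory lint failure is reported but does not block, and the stub license gate appears with its label rather than a pass.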