Fail the build on the risk that matters.

Set the bar once. Enforce it everywhere.

Developers pass their own flags locally — but the moment a scan is authenticated, your organisation's policy takes over. Any value you set in the org gate overrides the corresponding CLI flag, so a stricter baseline can never be downgraded from a feature branch.

Add the gate to your pipeline

Install the CLI, authenticate once so org policy applies, then run vulnetix scan with the gate flags that fit your risk appetite. Org-level settings override these flags — org policy always wins.

# Install the Vulnetix CLI
curl -fsSL https://cli.vulnetix.com/install.sh | sh

# Authenticate so your org quality gate applies
vulnetix auth login --method apikey \
  --org-id "$VULNETIX_ORG_ID" \
  --secret "$VULNETIX_API_KEY" \
  --store project

# Run the gate (exit 1 fails the build)
vulnetix scan \
  --severity high \
  --block-malware \
  --block-eol \
  --exploits active

The same gate command drops into GitHub Actions, GitLab CI/CD, Bitbucket Pipelines, Azure DevOps, Jenkins, Docker, Podman and Kubernetes — and 24 more across 32 integrations in total.

Every gate control

Combine flags to match your risk appetite — or set the equivalent on your org policy so it applies to every member automatically.

Severity threshold

• --severity high — fail on any vulnerability at or above this severity
• --severity critical — fail on critical findings only

Supply chain

• --block-malware — fail when a known-malicious package is present
• --block-unpinned — fail on dependencies declared with version ranges
• --version-lag <n> — fail when fewer than N newer stable releases exist
• --cooldown <days> — fail on versions published within the last N days

End-of-life

• --block-eol — fail when an unsupported, end-of-life dependency is present

Exploit maturity

• --exploits active — fail on actively exploited vulns (includes CISA KEV)
• --exploits weaponized — fail on weaponised, in-the-wild exploits
• --exploits poc — fail when any public proof-of-concept exists

SCA autofix

• --sca-autofix-strategy stable — choose latest / safest / stable upgrade targets
• --sca-autofix-max-major-bump <n> — cap how many major versions autofix may cross

One scan, six lenses

The gate evaluates findings from every scan type the Vulnetix code scanner produces — no extra tools, no extra passes.

Full scanner tour →

Built on OPA & Rego

Every rule the gate evaluates is an Open Policy Agent (Rego) module. Built-in SAST, secrets, IaC and container rules ship with the CLI, and you load your own with a single flag — no plugins, no proprietary DSL, just portable policy you can read, fork and version.

• Load external packs: vulnetix scan --rule org/repo
• Scope-isolated — a container pack never bleeds into secrets rules
• CWE / CAPEC / ATT&CK mapped, SARIF 2.1.0 output

Browse the Rules Registry →

Stop credentials before they ship

1,092 built-in secret rules catch hardcoded keys, tokens and private keys across source files, binaries and git history — and the gate can fail the build the moment one appears.

Scanned across three surfaces: source files (every text file under 1 MiB), binaries (extracted strings plus EXIF metadata from images) and git history (recursively across commits).

vulnetix secrets --severity high

Secrets scanning deep dive →

11 rulesets. 3,861 rules. One flag.

Load any community or official ruleset into the gate with vulnetix scan --rule org/repo. Filter by language, category and severity in the live registry.

Open the Rules Registry →

Runs in every pipeline you already use

The same gate command drops into 32 CI/CD platforms and runtimes. Find your platform's step-by-step guide in the integrations directory.

Turn on the gate today

Install the CLI, set your org policy, and every scan — local, agent or CI — enforces the same bar.

curl -fsSL https://cli.vulnetix.com/install.sh | sh

Configure your gate →