vulkro gate
The canonical fail-on-new-only CI gate. vulkro gate scans the working
tree AND a baseline git ref, then surfaces only the findings present in
the working tree but not the baseline. Exit code 1 fires ONLY on new
findings, so the gate never blocks a PR on pre-existing technical debt.
gate vs scan --gate-vs
Both keep pre-existing debt from failing a PR, but they compare differently:
vulkro gate --base <ref>compares the full finding sets across both trees. It catches a new caller that makes an existing sink reachable, because that finding is present in the working tree and absent in the baseline.vulkro scan --gate-vs <ref>filters by changed-line ranges only. It is cheaper, but blind to new findings whose offending line did not itself change (for example a newly added call path into unchanged code).
Use gate for the thorough two-tree comparison; use scan --gate-vs when
you want the fast changed-lines lane.
Usage
vulkro gate --base origin/main
| Argument | Description | Default |
|---|---|---|
PATH | Path to the project root. | . |
Flags
| Flag | Description |
|---|---|
--base <REF> | Git ref to compare against (for example main, origin/main, a SHA). Required unless VULKRO_GATE_BASE is set. |
--format <FORMAT> | table (default), json, or sarif. JSON includes totals plus the new-findings array; SARIF ships only the new findings (pre-existing findings are deliberately suppressed because they were already in the base ref). |
Environment variables
| Variable | Effect |
|---|---|
VULKRO_GATE_BASE | Default base ref, overridden by --base. Set it once in a CI lane that always compares against origin/main. |
Exit codes
0no new findings vs the baseline.1one or more new findings (the gate is the report).2error: bad ref, git not available, or scan failure.
CI snippets
GitHub Actions:
.github/workflows/gate.yml
- uses: actions/checkout@v4
with:
fetch-depth: 0 # gate needs the base ref in history
- run: curl -fsSL https://dist.vulkro.com/install.sh | bash
- name: Block PR on new findings only
run: vulkro gate --base origin/${{ github.base_ref }}
GitLab CI:
.gitlab-ci.yml
vulkro-gate:
stage: test
script:
- curl -fsSL https://dist.vulkro.com/install.sh | bash
- vulkro gate --base "origin/$CI_MERGE_REQUEST_TARGET_BRANCH_NAME"
Related
vulkro scan- the full pipeline and the--gate-vslane.vulkro init- install a pre-commit gate hook.- CI/CD integration - exit codes and pipelines.