FAQ

FAQ

General

Is Gate really free?

Yes. Gate is Apache 2.0 licensed (with patent protection), runs 100% locally, and has no paid tiers, no telemetry, and no accounts. It never phones home.

How does Gate compare to Gitleaks / TruffleHog?

Gate is the only free tool that auto-fixes findings, provides interactive remediation, generates compliance reports, and includes incident response workflows. See the comparison table in the README.

What Node.js version do I need?

Node.js 18 or higher.

Does Gate work on Windows?

Gate works on macOS, Linux, and Windows (with Git Bash or WSL). The git hooks require a POSIX-compatible shell.

Detection

I'm getting false positives. How do I suppress them?

Three options:

1. Inline: Add // gate-ignore comment on the line
2. File-level: Add the path to .gateignore
3. Rule-scoped: Add [rule:rule-id] path/pattern to .gateignore

How do I lower the sensitivity for entropy detection?

Increase the threshold in .gaterc:

entropy_threshold: 5.0   # Default is 4.8

Can I add custom detection rules?

Yes. Add rules to your .gaterc file with a regex pattern, severity, and remediation text. See Configuration.

Why did Gate detect my test fixtures?

Gate scans all files unless told to skip them. Add test fixture directories to .gateignore:

test/fixtures/**
*.test.js

Hooks

How do I skip the pre-commit hook temporarily?

GATE_SKIP=1 git commit -m "message"

The hook blocked my commit but the secret is intentional. What do I do?

Add the specific rule and file to .gateignore:

[rule:high-entropy-string] src/crypto/test-vectors.js

Gate says "not found" when I commit. What happened?

If Node.js is not in PATH when the hook runs, Gate exits with an error. Set GATE_NODE_PATH to your Node binary, or set GATE_ALLOW_MISSING=1 to bypass (not recommended).

Does Gate support Husky or lint-staged?

Yes. Gate checks git config core.hooksPath and installs hooks in the correct directory. If you use Husky, Gate installs alongside it.

Auto-Fix

Will gate fix break my code?

Gate creates a snapshot before fixing. If something goes wrong, run gate fix --undo to restore. Always review changes before committing. Use gate fix --dry-run to preview.

What if the same secret is in multiple files?

Gate fixes each occurrence. The .env variable is written once and referenced everywhere.

Does auto-fix work with monorepos?

Yes. Gate scans from the repository root and creates a single .env file. For monorepos with multiple .env files, use gate fix --interactive to control placement.

Security

Is the vault encryption production-grade?

The vault uses AES-256-GCM with NIST-recommended 12-byte IVs and authenticated encryption. The key is a 256-bit random key stored with 0600 permissions. This is suitable for local development secrets. For production secrets management, use a dedicated solution like HashiCorp Vault, AWS Secrets Manager, or similar.

Can someone tamper with the detection rules?

The rules.json file has an HMAC-SHA256 signature verified at runtime. The default signing key is derived from public package metadata (integrity detection, not tamper-proof). For production deployments, set FORTRESS_SIGNING_KEY to a secret value.

Does Gate send my secrets anywhere?

No. Gate runs 100% locally. The --verify flag makes read-only API calls directly from your machine to provider endpoints (AWS, GitHub, Stripe, etc.) -- no data passes through Gate servers.