GatekeeperAI/README.md at main · jacobthomasmichael/GatekeeperAI · GitHub
GatekeeperAI
GatekeeperAI is an on-premises platform that lets enterprise teams safely adopt third-party and internal AI applications. Every app goes through automated security scanning, human approval, and sandboxed container deployment before any user can access it.
How it works
Submit — A developer pushes their app's code to the GatekeeperAI git server.
Scan — The platform automatically runs five scanners: secrets detection, dependency vulnerability audit, egress network analysis, PII exposure check, and an LLM-powered code review via Claude AI.
Review — A designated approver reviews the scan results and approves or rejects the app, with an SLA deadline tracked automatically.
Deploy — Approved apps are built into Docker containers and launched in an isolated environment, accessible via a public URL.
Manage — Runtime secrets (API keys, credentials) are injected as environment variables at deploy time, never stored in the code.
Key features
Automated multi-scanner pipeline — secrets, CVEs, egress rules, PII, and LLM code review run in parallel on every push
Risk tiering — apps are automatically scored and assigned a risk tier (low / medium / high / critical) that determines review urgency
SLA enforcement — overdue approvals are flagged and escalators are notified via email
Encrypted secret injection — per-app secrets are AES-256 encrypted at rest and injected at container startup
Audit log — every action (approval, deployment, secret change) is recorded with actor, IP, and timestamp
Admin panel — user management (create, disable, change roles), audit log viewer, platform-wide metrics
Setup wizard — first-run wizard configures the instance with no config-file editing required
Secure by default — JWT with refresh token rotation, rate limiting on all endpoints, security headers (CSP, HSTS, etc.), non-root containers
Tech stack
| Layer | Technology |
| --- | --- |
| Backend API | FastAPI + SQLAlchemy 2.0 async + PostgreSQL 16 |
| Task queue | Celery + Redis |
| Container runtime | Docker SDK (Python) |
| LLM | Anthropic Claude API |
| Frontend | Next.js 16 (App Router) + Tailwind CSS |
| Auth | JWT (access + refresh) with Redis-backed JTI rotation |
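
The Auth row above and the "Secure by default" feature both mention refresh token rotation tracked by JTI. The sketch below is an added illustration, not code from the GatekeeperAI repository: it shows single-use refresh tokens with reuse detection, with a dict standing in for Redis and a hand-built HS256 token. The function names, the TTL and the one-session-per-user simplification are assumptions.

```python
import base64, hashlib, hmac, json, secrets, time

SECRET_KEY = secrets.token_bytes(32)  # constructed key; a real instance would load it from .env
REFRESH_TTL = 7 * 24 * 3600           # assumed lifetime, not taken from the README
active_jti = {}                       # user -> the one valid refresh jti (dict stands in for Redis)

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input):
    return _b64(hmac.new(SECRET_KEY, signing_input.encode(), hashlib.sha256).digest())

def issue_refresh(user, now=None):
    """Mint an HS256 refresh token and record its jti as the only valid one for this user."""
    now = time.time() if now is None else now
    claims = {"sub": user, "typ": "refresh",
              "jti": secrets.token_urlsafe(16), "exp": int(now) + REFRESH_TTL}
    body = _b64(b'{"alg":"HS256","typ":"JWT"}') + "." + _b64(json.dumps(claims).encode())
    active_jti[user] = claims["jti"]
    return body + "." + _sign(body)

def rotate(token, now=None):
    """Exchange a refresh token for a new one; a replayed jti revokes the session."""
    now = time.time() if now is None else now
    try:
        header, payload, sig = token.split(".")
        # The algorithm is pinned to HMAC-SHA256; the header's "alg" is never consulted.
        if not hmac.compare_digest(sig.encode(), _sign(header + "." + payload).encode()):
            raise ValueError("bad signature")
        claims = json.loads(_unb64(payload))
    except ValueError:
        raise PermissionError("malformed or forged token") from None
    if claims.get("typ") != "refresh" or claims.get("exp", 0) <= now:
        raise PermissionError("expired or wrong token type")
    user = claims["sub"]
    if active_jti.get(user) != claims["jti"]:
        active_jti.pop(user, None)  # an old jti came back: assume theft and force a new login
        raise PermissionError("refresh token reuse detected")
    return issue_refresh(user, now)  # overwrites the stored jti, so the old token is single-use
```

With Redis, the stored jti would normally carry an expiry equal to the token lifetime, and the compare-and-replace step would need to be atomic so two concurrent refreshes cannot both succeed.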
Getting started
See INSTALL.md for full setup instructions, including local installation, AWS/Azure/GCP cloud hosting, and custom domain with SSL.
Quick start (requires Docker):
```shell
cp .env.example .env
# Fill in SECRET_KEY, SECRET_ENCRYPTION_KEY, and ANTHROPIC_API_KEY in .env
docker compose -f infra/docker-compose.yml up --build
```
Then open http://localhost:3000 and follow the setup wizard.
Project structure
```
backend/    FastAPI application, scanners, Celery workers, Alembic migrations
frontend/   Next.js web application
infra/      Docker Compose configuration
worker/     Celery task definitions (deploy, SLA checks)
```
User roles
| Role | Can do |
| --- | --- |
| ic (individual contributor) | Submit apps, view own apps and scan results |
| approver | Everything an IC can do, plus review and decide on pending approvals, view all deployments |
| admin | Everything an approver can do, plus manage users, stop/start deployments, view audit logs |
New users are created by an admin — there is no public self-registration.