controlgate 0.2.0

NIST RMF Cloud Security Hardening — Pre-Commit & Pre-Merge Compliance Gate

🛡️ ControlGate

NIST RMF & FedRAMP Cloud Security Hardening — Pre-Commit & Pre-Merge Compliance Gate

ControlGate is an AI-powered agent skill that scans your code changes against the NIST SP 800-53 Rev. 5 (and FedRAMP) security framework before every commit and merge. It maps findings directly to specific NIST control IDs, providing traceable compliance evidence and actionable remediation guidance.

Quick Start

# Install
pip install controlgate

# Bootstrap project (creates .controlgate.yml, pre-commit hook, CI workflows)
controlgate init

# Full repo audit (first-time scan)
controlgate scan --mode full --format markdown

# Scan staged changes (NIST baseline)
controlgate scan --mode pre-commit --format markdown

# Scan staged changes (FedRAMP baseline)
controlgate scan --gov --baseline moderate --mode pre-commit --format markdown

# Scan PR diff against main
controlgate scan --mode pr --target-branch main --format json markdown

How It Works

Developer writes code
       ↓
git commit / Pull Request
       ↓
ControlGate intercepts the diff
       ↓
18 Security Gates scan against 370 non-negotiable NIST controls
       ↓
Verdict: BLOCK 🚫 / WARN ⚠️ / PASS ✅

The 18 Security Gates

#	Gate	NIST Families	What It Catches
1	🔑 Secrets	IA-5, SC-12, SC-28	Hardcoded creds, API keys, private keys
2	🔒 Crypto	SC-8, SC-13, SC-17	Weak algorithms, missing TLS, ssl_verify=False
3	🛡️ IAM	AC-3, AC-5, AC-6	Wildcard IAM, missing auth, overprivileged roles
4	📦 Supply Chain	SR-3, SR-11, SA-10	Unpinned deps, missing lockfiles, build tampering
5	🏗️ IaC	CM-2, CM-6, SC-7	Public buckets, 0.0.0.0/0 rules, root containers
6	✅ Input Validation	SI-10, SI-11	SQL injection, eval(), exposed stack traces
7	📋 Audit	AU-2, AU-3, AU-12	Missing security logging, PII in logs
8	🔄 Change Control	CM-3, CM-4, CM-5	Unauthorized config changes, missing CODEOWNERS
9	🧩 Dependencies	SA-12, RA-5, SI-2	Vulnerable packages, missing lockfiles
10	🌐 API Security	SC-8, AC-3, SI-10	Unauthenticated endpoints, missing rate limiting
11	🔐 Privacy	AR-2, DM-1, IP-1	PII exposure, missing data classification
12	🔁 Resilience	CP-2, CP-10, SC-5	Missing retry logic, no circuit breakers
13	🚨 Incident Response	IR-2, IR-4, IR-6	Missing error handlers, no alerting integration
14	👁️ Observability	AU-6, SI-4, CA-7	Missing health checks, no structured logging
15	🧠 Memory Safety	SI-16, SA-11, SA-15	Buffer overflows, unsafe memory operations
16	⚖️ License Compliance	SA-4, SR-3	GPL contamination, unlicensed dependencies
17	🤖 AI/ML Security	SA-11, SI-7, AC-3	Untrusted model sources, prompt injection risk
18	🐳 Container Security	CM-6, AC-6, SC-7	Root containers, privileged mode, latest tags

Installation

From PyPI

pip install controlgate

View ControlGate on PyPI

As a Pre-Commit Hook

# .pre-commit-config.yaml
repos:
  - repo: local
    hooks:
      - id: controlgate
        name: ControlGate Security Scan
        # For FedRAMP baselines, add `--gov --baseline moderate` to the entry command
        entry: python -m controlgate scan --mode pre-commit --format markdown
        language: python
        always_run: true

As a GitHub Action

Copy hooks/github_action.yml to .github/workflows/controlgate.yml in your repo.

Configuration

Create a .controlgate.yml in your project root:

baseline: moderate              # low | moderate | high | privacy | li-saas
gov: false                      # set to true to evaluate against FedRAMP baselines

gates:
  secrets:          { enabled: true,  action: block }
  crypto:           { enabled: true,  action: block }
  iam:              { enabled: true,  action: warn  }
  sbom:             { enabled: true,  action: warn  }
  iac:              { enabled: true,  action: block }
  input_validation: { enabled: true,  action: block }
  audit:            { enabled: true,  action: warn  }
  change_control:   { enabled: true,  action: warn  }
  deps:             { enabled: true,  action: warn  }
  api:              { enabled: true,  action: warn  }
  privacy:          { enabled: true,  action: warn  }
  resilience:       { enabled: true,  action: warn  }
  incident:         { enabled: true,  action: warn  }
  observability:    { enabled: true,  action: warn  }
  memsafe:          { enabled: true,  action: warn  }
  license:          { enabled: true,  action: warn  }
  aiml:             { enabled: true,  action: warn  }
  container:        { enabled: true,  action: warn  }

thresholds:
  block_on:   [CRITICAL, HIGH]
  warn_on:    [MEDIUM]
  ignore:     [LOW]

exclusions:
  paths: ["tests/**", "docs/**", "*.md"]

full_scan:
  extensions: [.py, .js, .ts, .go, .tf, .yaml, .yml, .json, .sh]
  skip_dirs: [.git, node_modules, .venv, dist, build]

CLI Usage

# Bootstrap project
controlgate init
controlgate init --baseline high --no-docs

# Scan staged changes (pre-commit mode)
controlgate scan --mode pre-commit --format markdown

# Full repository scan
controlgate scan --mode full --format markdown
controlgate scan --mode full --path ./src --format json

# Scan PR diff
controlgate scan --mode pr --target-branch main --format json markdown sarif

# Scan PR diff explicitly against FedRAMP baselines
controlgate scan --gov --baseline high --mode pr --target-branch main --format json markdown sarif

# Scan a saved diff file
controlgate scan --diff-file path/to/diff --format json

# Output reports to directory
controlgate scan --output-dir .controlgate/reports --format json markdown sarif

# Catalog management
controlgate update-catalog
controlgate catalog-info

Output Formats

Format	Use Case
markdown	PR comments, terminal output
json	Programmatic consumption, dashboards
sarif	GitHub Code Scanning integration

Development

make install-dev    # Install with dev dependencies
make test           # Run tests
make test-cov       # Run tests with coverage
make lint           # Lint with ruff
make format         # Auto-format code
make typecheck      # Type check with mypy
make check          # Run all checks (lint + typecheck + test)
make build          # Build distribution packages

AI Agent Skills

ControlGate provides native skills for popular AI coding assistants. These skills teach the agents how to proactively scan your code for NIST 800-53 R5 compliance and automatically apply remediations.

The agent prompts and workflows are located in the skills/ directory and are published to their respective marketplaces/repositories:

• Antigravity: Full workflow definitions available in skills/antigravity/controlgate/
• Cursor: Repository rules available in skills/cursor/.cursorrules
• Claude Code: System prompt instructions in skills/claude_code/.clauderules
• CodeEx: Integration prompts in skills/codeex/instructions.md

Test Suite

To validate the capabilities of ControlGate, we maintain a standalone test suite at sadayamuthu/controlgate-test-suite. This suite contains intentionally vulnerable projects spanning multiple languages and frameworks, specifically designed to trigger each of the 18 Security Gates. It is automatically executed in the CI pipeline to ensure zero regression in detection capabilities.

Data Source

Powered by the NIST Cloud Security Baseline (NCSB) enriched catalog:

• 1,189 controls across 20 families
• 370 non-negotiable at Moderate baseline
• 247 code-relevant controls mapped to automated scanning rules

License

MIT