Install the GitHub App and require Shaker Security Gate.
The GitHub App is the recommended self-serve path for repository gates. Install it once, select repositories, map each repo to a DAST or AI Gate target, and let GitHub branch protection require the stable Shaker Security Gate check.
Sample gate decision: Shaker Security Gate failed
A PR against acme/support-bot produced a block decision after the preview API returned cross-tenant RAG evidence. The GitHub check fails with the evidence hash and links back to the Shaker run.
1. Install the ShakerScan GitHub App for the organization.
2. Select the repositories that should run release gates.
3. Map each repository to a DAST target, AI Gate target, or both.
4. Open or update a pull request with a preview target.
5. ShakerScan publishes the stable Shaker Security Gate check.
6. GitHub branch protection requires the check before merge.
7. ShakerScan returns allow, block, or needs_approval.
8. Approval or rejection in Shaker updates the GitHub status for review workflows.
Why ShakerScan
The output is a release control, not just a report.
ShakerScan is built around release evidence: a tested target, a policy result, a verifier command, and an approval path when risk needs human review.
One stable required check
Use the aggregate Shaker Security Gate check in branch protection while per-target scan details remain available in Shaker. The optional Branch Rules app applies and verifies branch rules without adding admin permissions to the Security Gate app.
Repo-to-target mapping
Map a GitHub repository to the deployed DAST or AI Gate target that represents the preview or release surface.
Signed gate evidence
Gate results can bind repo, commit, target, environment, policy, probe pack, decision, and evidence hash for verification.
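The evidence binding described above, as an added illustration that is not ShakerScan's own code: a verifier that authenticates the signed gate record, checks that the bound evidence hash matches the attached evidence and that the record is bound to the PR's own repo and commit before trusting the decision, then maps the decision to a check conclusion. The field names, the HMAC stand-in for the product's real signature scheme, and the decision-to-conclusion mapping are assumptions.

```python
import hashlib
import hmac
import json

# Fields the page says a gate result binds. The field names, the HMAC stand-in for
# Shaker's real signature scheme and the evidence layout are assumptions here.
BOUND = ("repo", "commit", "target", "environment", "policy",
         "probe_pack", "decision", "evidence_hash")
DECISIONS = {"allow", "block", "needs_approval"}

def canonical(record):
    # Canonical JSON of the bound fields so signer and verifier hash identical bytes.
    return json.dumps({k: record[k] for k in BOUND}, sort_keys=True,
                      separators=(",", ":")).encode()

def sign_gate_result(record, key):
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()

def verify_gate_result(record, signature, evidence, key, pr_repo, pr_commit):
    """Return (ok, reason). Authenticate the record before interpreting it."""
    if any(f not in record for f in BOUND):
        return False, "incomplete gate record"
    if not hmac.compare_digest(signature, sign_gate_result(record, key)):
        return False, "bad signature"
    if record["evidence_hash"] != hashlib.sha256(evidence).hexdigest():
        return False, "evidence does not match bound hash"
    if (record["repo"], record["commit"]) != (pr_repo, pr_commit):
        return False, "evidence bound to another repo or commit"
    if record["decision"] not in DECISIONS:
        return False, "unknown decision"
    return True, "ok"

def check_conclusion(decision, approved=None):
    """Assumed mapping from a gate decision to the required check's conclusion."""
    if decision == "allow":
        return "success"
    if decision == "block":
        return "failure"
    if approved is None:  # needs_approval: hold the check until a Shaker reviewer acts
        return "action_required"
    return "success" if approved else "failure"

# Constructed sample modelled on the page's acme/support-bot block decision;
# the key, evidence body and commit id are made up for the demo.
KEY = b"constructed-demo-key"
EVIDENCE = b'{"finding":"cross-tenant RAG retrieval","severity":"high"}'
RECORD = {"repo": "acme/support-bot", "commit": "0" * 40,
          "target": "support-bot-preview", "environment": "preview",
          "policy": "ai-gate-default", "probe_pack": "rag-isolation",
          "decision": "block", "evidence_hash": hashlib.sha256(EVIDENCE).hexdigest()}
SIGNATURE = sign_gate_result(RECORD, KEY)
```

Because the signature covers the decision and the evidence hash together, a record whose decision was edited after signing, or whose evidence was swapped, fails verification before the check conclusion is ever computed.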
Checklist
GitHub App setup checklist
Install or manage the ShakerScan GitHub App from the dashboard.
Select repositories in GitHub and sync them back into Shaker.
Create a repo gate that maps each repository to the correct DAST or AI Gate target.
Copy the exact required check name: Shaker Security Gate.
Require that check in GitHub branch protection for protected branches.
Optionally install ShakerScan Branch Rules when you want Shaker to apply and verify branch rules without giving admin permissions to the day-to-day Security Gate app.
Keep legacy PAT/webhook setup only for fallback repositories that cannot use the App.
Limitations
What this page does not claim
ShakerScan does not replace human security review, threat modeling, or a scoped penetration test.
AI Gate decisions depend on the configured target, probe pack, policy, scan profile, and available evidence.
Production targets require authorization, safe scope, rate limits, and operational approval.
GitHub itself blocks merges only after branch protection requires the Shaker Security Gate check.
The Security Gate app does not need GitHub administration permissions to run PR gates. Automatic branch-rule setup and verification use the separate optional Branch Rules app.
Live GitHub App installation, repository permissions, and branch-protection behavior must be validated in the customer GitHub organization.
FAQ
Is ShakerScan an AI pentesting replacement?
No. ShakerScan is a verifiable security gate for release workflows. It complements deeper manual testing by producing repeatable runtime evidence and CI-verifiable allow, block, or needs_approval decisions.
Can ShakerScan scan any target?
No. Targets must be owned by the customer or explicitly authorized. Production scans should use safe profiles, rate limits, and defined scope.
Is PAT setup still the primary GitHub path?
No. The GitHub App is the recommended self-serve path. PAT-backed commit statuses remain available only as a legacy or fallback setup.
What check should branch protection require?
Require the stable aggregate check named Shaker Security Gate. Per-target details remain visible in Shaker and in GitHub check output.
Why is there a separate Branch Rules app?
ShakerScan Security Gate publishes PR checks without GitHub administration permissions. ShakerScan Branch Rules is optional and isolated for teams that want Shaker to apply and verify branch rules with repository administration permissions.