GitHub Actions · 29 Gate Types · Fail-Closed by Default
AI agents now write your code AND your tests — and they optimize for the metrics they can see. An LLM told to "reach 80% coverage" will generate hollow tests that hit 80.1% while proving nothing. Evidence Gate hides the criteria entirely with Blind Gates, making metric gaming structurally impossible.
```yaml
# Add quality gates in 3 lines
- uses: evidence-gate/evidence-gate-action@v1
  with:
    gate_type: "test_coverage"
    phase_id: "testing"
    evidence_files: "coverage.json"
```
Three steps to enforced quality in every pull request
Add Evidence Gate to your workflow YAML. Specify gate types, evidence files, and thresholds.
Gates automatically verify your evidence files — existence, schema, thresholds, and integrity.
Fail-closed: pipelines stop on quality violations. Results appear in PR summary and workflow annotations.
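The fail-closed evaluation described in the steps above (existence, schema, threshold, integrity hash), as an added example that is not Evidence Gate's own code. The function name, the verdict fields, the 80.0 threshold and the coverage.py-style `totals.percent_covered` schema are assumptions, and the sample evidence files are constructed.

```python
import hashlib
import json
import pathlib
import tempfile


def evaluate_coverage_gate(path, min_percent):
    """Fail-closed check: the verdict starts as FAIL; only verified evidence flips it."""
    verdict = {"result": "FAIL", "reason": "not evaluated", "sha256": None}
    try:
        with open(path, "rb") as fh:
            raw = fh.read()
    except OSError:
        verdict["reason"] = "evidence file missing or unreadable"
        return verdict
    # Hash the exact bytes that were judged so the verdict can be re-checked later.
    verdict["sha256"] = hashlib.sha256(raw).hexdigest()
    try:
        percent = json.loads(raw)["totals"]["percent_covered"]
    except (ValueError, KeyError, TypeError):
        verdict["reason"] = "schema check failed"
        return verdict
    is_number = isinstance(percent, (int, float)) and not isinstance(percent, bool)
    if not is_number or not 0 <= percent <= 100:  # NaN fails the range comparison
        verdict["reason"] = "coverage value invalid"
        return verdict
    if percent < min_percent:
        verdict["reason"] = "below threshold"
        return verdict
    verdict.update(result="PASS", reason="verified")
    return verdict


def demo(threshold=80.0):
    """Evaluate constructed evidence files; returns {file name: verdict}."""
    samples = {
        "good.json": b'{"totals": {"percent_covered": 91.5}}',
        "low.json": b'{"totals": {"percent_covered": 42.0}}',
        "nan.json": b'{"totals": {"percent_covered": NaN}}',
        "truncated.json": b'{"totals": ',
        "absent.json": None,  # never written to disk
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            path = pathlib.Path(tmp) / name
            if body is not None:
                path.write_bytes(body)
            results[name] = evaluate_coverage_gate(path, threshold)
    return results
```

Every error path returns before the only line that sets PASS, so a parser exception or an unexpected value type cannot produce a passing verdict.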
When an LLM writes your code AND your tests, every visible threshold becomes a target to optimize against — not a quality standard to meet
The problem: Traditional CI gates publish their thresholds in workflow YAML. An AI coding agent (Copilot, Cursor, Devin, etc.) instructed to "pass CI" can read these thresholds and generate minimal tests that hit exactly 80.1% coverage — satisfying the metric while proving nothing about quality.
The solution: Blind Gates evaluate evidence server-side against criteria that are never exposed to the pipeline, the repository, or the AI agent. The LLM that generated the code cannot see, reverse-engineer, or optimize against the pass/fail threshold. Quality must be genuine.
How it works: Your pipeline submits evidence files. The Evidence Gate API evaluates them against private criteria configured by your team. The pipeline — and the AI agent driving it — only receives pass or fail. Never the criteria themselves.
Evidence Gate's design aligns with Japan's AI Business Operator Guidelines
All gates default to FAIL. Only explicitly verified evidence earns a PASS. Supports the guideline's emphasis on safety and risk prevention.
Genchi Genbutsu Trust Levels (L1–L4) make evidence reliability explicit. SHA-256 Evidence Chain enables integrity verification of all judgment data.
AWS KMS encryption (FIPS 140-2 validated), HMAC-signed cursors, and a maturity-level-based Quality State Model provide auditable governance at every step.
Evidence Gate supports practices aligned with key principles including transparency, safety, and accountability.
This product is not endorsed by or affiliated with any government body. Feature descriptions are for informational purposes only and do not constitute compliance certification.
Three layers of protection — from CI validation to runtime controls
Build-time quality gates — validates blueprints, policies, SBOM, and provenance before deploy
Validates NVIDIA NemoClaw blueprint.yaml and OpenShell sandbox policies before deployment
Runtime cost controls, budget enforcement, and network governance for AI agent operations
29 gate types including NemoClaw blueprint and policy validation. Fail-closed, tamper-proof CI gates.
CLI and Python library for NVIDIA NemoClaw configuration validation. pip install nemoclaw-governance
Cost-aware governance proxy for AI agents. Budget enforcement, hold/settle billing, streaming controls.
Why three layers? NemoClaw provides sandbox isolation but has zero cost controls. agentgov adds runtime budget enforcement. Evidence Gate validates everything at CI time — before code reaches production.
Start free, upgrade when your team needs advanced features
| Feature | Free ($0/mo) | Pro (Contact) | Enterprise (Contact us) |
|---|---|---|---|
| Evaluations/month | 100 | 5,000 | Unlimited |
| API calls/month | 1,000 | 50,000 | Unlimited |
| All 29 gate types | ✓ | ✓ | ✓ |
| SARIF output | ✓ | ✓ | ✓ |
| GitHub Check Runs | ✓ | ✓ | ✓ |
| SHA-256 integrity hashing | ✓ | ✓ | ✓ |
| Fail-closed error handling | ✓ | ✓ | ✓ |
| Three enforcement modes (warn / observe / enforce) | ✓ | ✓ | ✓ |
| Config file (.evidencegate.yml) — zero required inputs | ✓ | ✓ | ✓ |
| SBOM gate (CycloneDX/SPDX structural validation) | ✓ | ✓ | ✓ |
| Provenance gate (SLSA build attestation) | ✓ | ✓ | ✓ |
| NemoClaw gates (blueprint + policy validation) | ✓ | ✓ | ✓ |
| Signal-sorted Job Summary (Critical > Warning > Info) | ✓ | ✓ | ✓ |
| AI agent repair contract (retry_prompt output) | ✓ | ✓ | ✓ |
| Gate presets | ✓ | ✓ | ✓ |
| Sticky PR comments | ✓ | ✓ | ✓ |
| Blind Gate evaluation | — | ✓ | ✓ |
| Evidence chain verification (L4) | — | ✓ | ✓ |
| Quality State tracking | — | ✓ | ✓ |
| Remediation workflows | — | ✓ | ✓ |
| Missing evidence + suggested actions | — | ✓ | ✓ |
| Self-hosted deployment | — | — | ✓ |
| Custom API base URL | — | — | ✓ |
| Dedicated support | — | — | ✓ |
Add quality gates to your GitHub Actions workflow in three simple steps
Visit the Evidence Gate Marketplace page and click "Use latest version" to add the action to your repository.
Add the Evidence Gate step to your GitHub Actions workflow file:
```yaml
name: Quality Gate
on: [pull_request]
permissions:
  contents: read
  checks: write
jobs:
  evaluate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Your build & test steps here...
      - name: Evidence Gate
        uses: evidence-gate/evidence-gate-action@v1
        with:
          # Or use .evidencegate.yml config file for zero required inputs
          gate_type: "test_coverage"
          phase_id: "testing"
          evidence_files: "coverage.json"
```
Evidence Gate writes a detailed summary to GITHUB_STEP_SUMMARY, visible directly in your pull request's workflow run. Gate pass/fail results, evidence hashes, and threshold evaluations appear automatically — no configuration needed.