Open Source · MIT License

Pocolente QA

The calm, deliberate pause between code written and code deployed.

Festina Lente

Make haste slowly.

Pocolente QA is an open-source CI/CD quality gate that scans pull requests for correctness, security, and energy efficiency. It runs as a GitHub Action or standalone CLI and blocks merge until your standards are met. It is the deliberate pause that catches what speed missed — without slowing you down.

Three pillars of quality

Security

Catch vulnerabilities, leaked secrets, and insecure patterns before they reach production.

  • Secrets Scanner — keys, tokens, PEM files, high-entropy strings
  • OWASP Patterns — SQLi, XSS, SSRF, path traversal (CWE-mapped)
  • Supply Chain — typosquatting, OSV vulnerabilities, lockfile analysis
  • Permissions — K8s RBAC wildcards, Docker root containers

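To make the Secrets Scanner bullet concrete, here is an added example (not Pocolente's own code) of how an entropy-based secrets check works over the added lines of a unified diff, and why a fixed-prefix rule is still needed: the AWS example key ID below scores under 4 bits per character and would slip past the entropy test alone. The threshold, the key format and the sample diff are assumptions constructed for this illustration.

```javascript
// Added example, not Pocolente's code: an entropy-based secrets check over the added
// lines of a unified diff. The threshold and the key format are assumptions.
const ENTROPY_THRESHOLD = 4.0; // bits per char; ordinary identifiers sit near 3 to 3.7
// Shannon entropy of a string in bits per character.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Structured keys carry a fixed prefix but modest entropy, so they need a format rule.
const KNOWN_FORMATS = [{ name: 'aws-access-key-id', re: /\bAKIA[0-9A-Z]{16}\b/g }];
const CANDIDATE_RE = /[A-Za-z0-9+\/=_-]{20,}/g; // base64/hex-like runs long enough to be a key
// Keep the first 4 characters only, so the CI log never reprints a live credential.
function redact(t) { return t.slice(0, 4) + '*'.repeat(t.length - 4); }
// Scan only lines the PR adds ('+', but not the '+++' file header); removed lines are ignored.
function scanDiff(diffText) {
  const findings = [];
  diffText.split('\n').forEach((line, i) => {
    if (!line.startsWith('+') || line.startsWith('+++')) return;
    const content = line.slice(1);
    const seen = new Set();
    for (const { name, re } of KNOWN_FORMATS) {
      for (const m of content.matchAll(re)) {
        seen.add(m[0]);
        findings.push({ line: i + 1, rule: name, cwe: 'CWE-798', value: redact(m[0]) });
      }
    }
    for (const m of content.matchAll(CANDIDATE_RE)) {
      if (seen.has(m[0]) || shannonEntropy(m[0]) < ENTROPY_THRESHOLD) continue;
      findings.push({ line: i + 1, rule: 'high-entropy-string', cwe: 'CWE-798', value: redact(m[0]) });
    }
  });
  return findings;
}

// Constructed sample diff; the AWS key ID is the documented example value, not a live key.
const SAMPLE_DIFF = [
  '+++ b/config.js',
  '-const internationalization_helper_module = require("./i18n");',
  '+const internationalization_helper_module = require("./i18n-helper");',
  '+const awsKeyId = "AKIAIOSFODNN7EXAMPLE";',
  '+const apiToken = "Zq9vL3xT8mK2pW6nR4yB7cF1hJ5dG0sA";',
].join('\n');
```

Running `scanDiff(SAMPLE_DIFF)` yields two redacted findings (the key ID via the format rule, the random token via entropy), while the long but low-entropy identifier and the removed line produce none.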
Correctness

Detect bugs, regressions, and low-quality AI-generated code patterns automatically.

  • Generation Quality — empty catch blocks, console leaks, orphan TODOs
  • Dead Code — unused imports, unreachable code after return/throw
  • Behavioral Drift — removed exports, changed signatures, breaking APIs
  • Coverage Delta — test coverage decrease with configurable thresholds

GreenOps

The differentiator. No other CI tool scans for energy efficiency in your pull requests.

  • Complexity — nested loops, N+1 queries, quadratic concatenation
  • Resource — sync I/O in async, unbounded array growth
  • Infra Bloat — fat Docker images, missing K8s limits, :latest tags
  • Runtime Profiler — CPU, memory, wall-clock, SCI score estimation

Up and running in seconds

  # Run without installing
  npx @pocolente/cli scan

  # Or install globally
  npm install -g @pocolente/cli
  pocolente init
  pocolente scan

  # .github/workflows/pocolente.yml
  name: Pocolente QA
  on:
    pull_request:
      branches: [main]
  jobs:
    scan:
      runs-on: ubuntu-latest
      steps:
        - uses: actions/checkout@v4
        - uses: pocolente-dev/pocolente-qa@v1

Scanner reference

12 scanners across three pillars, each with CWE mappings and fix suggestions.

  Scanner            | Pillar      | What it catches                                                               | CWE
  Secrets            | Security    | AWS keys, GitHub tokens, PEM files, JWTs, database URLs, high-entropy strings | CWE-798
  OWASP Patterns     | Security    | SQL injection, XSS, path traversal, SSRF, insecure deserialization            | CWE-89, 79, 22
  Supply Chain       | Security    | Typosquatting, OSV vulnerabilities, lockfile integrity                        | CWE-1357
  Permissions        | Security    | K8s RBAC wildcards, Docker root containers, broad CORS                        | CWE-250
  Generation Quality | Correctness | Empty catch blocks, console statements, unlinked TODOs                        | CWE-390
  Dead Code          | Correctness | Unused imports, unreachable code after return/throw                           | CWE-561
  Behavioral Drift   | Correctness | Removed exports, changed signatures, breaking API changes                     | CWE-440
  Coverage Delta     | Correctness | Test coverage decrease, untested new code paths                               |
  Complexity         | GreenOps    | Nested loops O(n²), N+1 queries, quadratic string concat                      | CWE-407
  Resource           | GreenOps    | Sync I/O in async, unbounded array growth, missing cleanup                    | CWE-400
  Infra Bloat        | GreenOps    | Fat Docker images, missing K8s resource limits, :latest tags                  |
  Runtime Profiler   | GreenOps    | CPU time, peak memory, wall-clock, SCI score estimation                       |