
Quality gates for
AI-generated code.

Tribunal enforces TDD, catches leaked secrets, and runs linting on every AI coding session. Works in CI/CD, pre-commit hooks, and agent hook systems.

Python CLI · GitHub Action · pre-commit · SARIF output · MIT License

Why Tribunal

Everything you need to ship safe AI code

🔐

Secret Scanning

14 regex patterns detect AWS keys, GitHub tokens, private keys, database URLs, JWTs, and more. Supports .secretsignore for project-specific exclusions.

🧪

TDD Enforcement

Checks that every source file has a corresponding test file. Supports Python, TypeScript, and Go with dependency graph analysis.

🐍

Python Linting

Integrates ruff, basedpyright, and mypy. Reports lint errors and type issues as structured findings with line numbers.

📘

TypeScript Checks

Runs eslint and tsc for TypeScript and JavaScript files. Finds project-local tools in node_modules automatically.

🔷

Go Analysis

Runs go vet and golangci-lint. Catches issues before they reach production with structured error reporting.

📊

SARIF Output

Full SARIF 2.1.0 support — upload results to GitHub Code Scanning, VS Code SARIF Viewer, or any compatible tool.

GitHub Action

Drop-in composite action with automatic SARIF upload. One YAML file to add quality gates to any pull request.

🪝

pre-commit Hook

Native pre-commit support with two hooks: full quality scan and secrets-only mode. Catches issues before they enter git.

📋

Audit Trail

JSONL audit logging with automatic rotation. Every tool call, every verdict — full traceability for compliance.

📦

Rule Packs

Pre-built packs: SOC 2, Startup, Enterprise, Security. Install with one command, merge with existing project rules.

🛡️

Fail-Closed Gate

Blocks on errors by default — never fails silently. Atomic I/O with file locking prevents concurrent session corruption.

🤖

Agent Agnostic

Works with any AI coding agent — Claude Code, Copilot, Cursor, Aider, or custom tools. Not locked to any provider.

How It Works

Three steps to disciplined code

01

Install

One command to add quality gates to your project.

pip install tribunal && tribunal init
02

Check

Run checkers on your codebase — secrets, TDD, linting — with SARIF output for CI/CD.

$ tribunal ci src/
⚖ Tribunal CI — 42 file(s) checked
⛔ src/config.py:12 Possible secret: aws-access-key [secrets/aws-access-key]
⚠️ src/handler.py No test file found. Expected test_handler.py [tdd/missing-test-python]
✗ 1 error(s), 1 warning(s)
03

Ship

Add to GitHub Actions, pre-commit, or agent hooks. Nothing ships without passing the gate.

# .github/workflows/tribunal.yml
name: Tribunal CI
on: [pull_request]
jobs:
  tribunal:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: thebotclub/tribunal@v2

Multiple Outputs

Your pipeline. Your format.

Output results as text, JSON, or SARIF — compatible with GitHub Code Scanning, VS Code, and any CI system.

tribunal — output formats
Text output (default)
$ tribunal ci src/

SARIF for GitHub Code Scanning
$ tribunal ci src/ --format sarif -o results.sarif

JSON for custom integrations
$ tribunal ci src/ --format json

Run specific checkers only
$ tribunal ci --checkers secrets,tdd

pre-commit hook
─────────────────────────────
repos:
  - repo: https://github.com/thebotclub/tribunal
    rev: v2.0.0
    hooks:
      - id: tribunal-ci

✓ Works with any CI system, any AI coding agent
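
A pipeline step can read the file written by --format sarif and apply its own fail-closed policy on top of it. The sketch below is an added example, not Tribunal's own code: the gate function, the constructed sample document (driver name and severity mapping included) and the choice that only "error" results block are assumptions.

```python
import json

# Constructed sample shaped like SARIF 2.1.0; not captured from a real Tribunal run.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{"tool": {"driver": {"name": "tribunal"}}, "results": [
        {"ruleId": "secrets/aws-access-key", "level": "error",
         "message": {"text": "Possible secret: aws-access-key"},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "src/config.py"},
             "region": {"startLine": 12}}}]},
        {"ruleId": "tdd/missing-test-python", "level": "warning",
         "message": {"text": "No test file found. Expected test_handler.py"},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "src/handler.py"}}}]},
    ]}],
})

BLOCKING_LEVELS = {"error"}  # assumption: warnings are reported but do not block


def gate(sarif_text):
    """Return (exit_code, report_lines); any parse or shape problem blocks."""
    try:
        doc = json.loads(sarif_text)
        if doc["version"] != "2.1.0" or not doc["runs"]:
            raise ValueError("not a SARIF 2.1.0 log with at least one run")
        lines, blocked = [], False
        for run in doc["runs"]:
            for res in run.get("results", []):
                # SARIF 2.1.0 treats a missing "level" as "warning" (simplified:
                # the rule's default configuration is not consulted here).
                level = res.get("level", "warning")
                loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
                uri = loc.get("artifactLocation", {}).get("uri", "<no location>")
                line = loc.get("region", {}).get("startLine")
                where = f"{uri}:{line}" if line else uri
                lines.append(f"{level} {where} [{res.get('ruleId')}] {res['message']['text']}")
                blocked = blocked or level in BLOCKING_LEVELS
        return (1 if blocked else 0), lines
    except (ValueError, KeyError, TypeError, AttributeError) as exc:
        return 2, [f"gate error, blocking: {exc!r}"]


if __name__ == "__main__":
    code, report = gate(SAMPLE_SARIF)
    print("\n".join(report))
    raise SystemExit(code)
```

Exit code 2 is kept distinct from 1 so a truncated or empty results file shows up as a broken gate rather than as a clean pass.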

Privacy & Transparency

No hidden phone-homes.

Tribunal itself sends zero telemetry. All network traffic comes from Anthropic's Claude Code CLI — and you can disable the optional parts with one variable.

🔒

Disable all non-essential traffic

export CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC=1

Add to your shell profile. Only essential API calls to Claude remain.

Essential (required for Claude to work)

api.anthropic.com - Claude API (prompts & responses) - cannot disable
api.anthropic.com - OAuth authentication - cannot disable

Optional (disabled with env var above)

api.anthropic.com/event_logging - Anonymized usage events - disableable
datadoghq.com - Operational metrics (no code/prompts) - disableable
GrowthBook SDK - Feature flags & experiments - disableable
Various - Auto-updates, settings sync, model metadata - disableable

Tribunal's own network usage: none

Tribunal operates entirely locally. No phone-home, no telemetry, no analytics, no update checks. Everything flagged by security scanners originates from Anthropic's upstream Claude Code CLI — the same code that runs when you install @anthropic-ai/claude-code from npm.

Full details in PRIVACY.md

Get Started

Install in seconds

Choose your preferred installation method

$ pip install tribunal

Requires Python 3.10+