Our Setup
Last updated: June 5, 2026
We get asked "OK, but what scanners do you run?" often enough that the answer is worth a page. Here it is: the deterministic stack that runs on every PR and every push to main in our public repos, nark and nark-corpus, and on every commit to our internal SaaS app.
By layer
Five gates, each catching a different class of bug. Each gate blocks something the gates before it let through (a tool such as vitest may run at more than one layer, but the class of bug it blocks there is different); every pre-deploy check is deterministic (same input → same output), and all of it is free on our open-source paths.
| Layer | What it blocks | Tools |
|---|---|---|
| Pre-commit | Format, obvious junk | prettier --check, eslint --quiet |
| Pre-push | Integration bugs | tsc --noEmit, vitest --changed, pnpm test:web |
| Pre-merge (CI) | Regressions, security, supply-chain | nark, semgrep, npm audit, gitleaks, vitest, playwright, codecov |
| Pre-deploy | Build-output sanity | next build, preview deploys |
| Post-deploy | Production breakage | Sentry, /api/telemetry/scan, alerting |
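One way to wire the pre-merge row of that table so it fails closed, as an added example (not the page's own CI tooling): a small runner that executes each scanner and treats a tool that cannot even be spawned as a failed gate rather than a skipped one, because a skipped scanner and a clean scanner produce the same green check. The flags for semgrep, npm audit, gitleaks and vitest are real; the `nark` invocation (`npx nark@latest .`) is an assumption about its CLI shape, and the `RUN_GATE` environment variable and file name `scripts/gate.ts` are mine.

```typescript
// Added example, not the page's own tooling: a fail-closed runner for the
// pre-merge gate, so the same commands run identically in CI and locally.
// Flags are real for semgrep, npm, gitleaks and vitest; the `nark` invocation
// is an assumption about its CLI, not documented behaviour.
import { spawnSync } from "node:child_process";

interface Gate { name: string; cmd: string; args: string[] }
interface GateResult { name: string; passed: boolean; reason: string }

const PRE_MERGE: Gate[] = [
  { name: "nark", cmd: "npx", args: ["nark@latest", "."] }, // assumed CLI shape
  { name: "semgrep", cmd: "semgrep", args: ["scan", "--config", "auto", "--error"] },
  { name: "npm audit", cmd: "npm", args: ["audit", "--audit-level=high"] },
  { name: "gitleaks", cmd: "gitleaks", args: ["detect", "--source", ".", "--redact"] },
  { name: "vitest", cmd: "pnpm", args: ["vitest", "run"] },
];

// One gate. A tool that cannot be spawned (not installed on the runner) is a
// failure, never a skip: a skipped scanner looks exactly like a clean one.
function runGate(g: Gate): GateResult {
  const r = spawnSync(g.cmd, g.args, { stdio: "inherit" });
  if (r.error) {
    return { name: g.name, passed: false, reason: `not runnable: ${r.error.message}` };
  }
  if (r.status !== 0) {
    const how = r.status === null ? `signal ${r.signal}` : `exit ${r.status}`;
    return { name: g.name, passed: false, reason: how };
  }
  return { name: g.name, passed: true, reason: "exit 0" };
}

// Run every gate even after one fails, so a PR gets all findings in one round
// trip instead of discovering them one CI run at a time.
function runAll(gates: Gate[]): { ok: boolean; results: GateResult[] } {
  const results = gates.map(runGate);
  return { ok: results.every((r) => r.passed), results };
}

// Entry point is opt-in (RUN_GATE=1) so importing this file never runs the tools.
if (process.env.RUN_GATE === "1") {
  const { ok, results } = runAll(PRE_MERGE);
  for (const r of results) {
    console.log(`${r.passed ? "PASS" : "FAIL"} ${r.name} (${r.reason})`);
  }
  process.exitCode = ok ? 0 : 1;
}
```

Run it locally with `RUN_GATE=1 npx tsx scripts/gate.ts`; a GitHub Actions step would run the same command, so a developer reproducing a red check sees the same tool output the runner did. `stdio: "inherit"` streams each tool's own output straight to the log rather than buffering it.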
What each tool uniquely answers
Every tool in this list answers a question the others can't. If a tool answers a question another tool already answers, we drop it.
| Tool | The question it answers |
|---|---|
| nark | Are the documented error paths of every npm package we call actually handled? |
| semgrep | Any SQL injection / hardcoded secrets / OWASP antipatterns? |
| npm audit | Any known-vulnerable transitive deps in the lockfile? |
| gitleaks | Are any credentials in the git history? |
| tsc | Are the types correct? |
| eslint | Code style + obvious bugs the type system misses? |
| prettier | Format consistent across the repo? |
| vitest | Do the units we wrote actually work? |
| playwright | Do the user flows work end-to-end? |
| codecov | Did this PR drop test coverage? |
Where nark fits
Most tools in this list check style, complexity, logic, or supply-chain hygiene. Only nark checks completeness:
- Did you handle every error case the package documentation says you need to?
- Did you follow every documented safety rule for stripe.charges.create? For axios.get? For 167 others?
That's a new category. The other tools answer "is this code well-formed?"; nark answers "does this code cover what the packages it uses can throw at it?"
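What "every documented error path" means in practice for two of the packages named above, as an added example (this is not nark's code or its output, and not code from the page's repos). axios documents three failure shapes for a rejected request: `error.response` set (the server replied with a non-2xx status), `error.request` set with no response (the request went out but nothing came back: timeout, DNS, connection refused), and neither (the request could never be built). stripe-node documents an error `type` on everything it throws (`StripeCardError`, `StripeRateLimitError`, `StripeConnectionError`, and so on). The correct reaction differs per path, which is why a single catch-all branch is the bug class being discussed. The `Outcome` type, the function names, and the inline error objects are mine, constructed so this runs offline with no network and no dependencies.

```typescript
// Added example, not nark's code or output: what "handling every documented
// error path" looks like for axios.get and stripe.charges.create. The error
// shapes follow the axios and stripe-node docs; the objects are constructed
// inline so this runs offline with no network and no package installs.

// Fields axios sets on a rejected request (axios docs, "Handling Errors").
interface AxiosLikeError {
  message: string;
  code?: string;                                 // e.g. "ECONNABORTED" on timeout
  response?: { status: number; data?: unknown }; // set when the server replied non-2xx
  request?: unknown;                             // set once the request was sent
}

// stripe-node attaches `type` to every thrown error (stripe-node README,
// "Handling errors"); the values switched on below are the documented ones.
interface StripeLikeError { type: string; message: string }

// What the caller actually needs to decide differs per path, so collapsing
// the paths into one branch throws away the retry/alert policy.
type Outcome =
  | { kind: "client_error"; status: number }          // 4xx: our request is wrong; do not retry
  | { kind: "server_error"; status: number | null }   // 5xx / provider-side: retry with backoff
  | { kind: "no_response"; code: string | undefined } // sent, nothing came back: retry, then alert
  | { kind: "setup_error"; message: string }          // never sent: a bug in our own code
  | { kind: "card_declined"; message: string }        // Stripe: surface to the user, do not retry
  | { kind: "rate_limited" }                          // Stripe: back off and retry
  | { kind: "config_error"; message: string };        // Stripe: bad key or params; page an engineer

// Incomplete handling, i.e. the shape a missing-error-path finding points at:
// every path above becomes "failed", so the policy below is unreachable.
function naiveOutcome(_err: unknown): "failed" {
  return "failed";
}

// Complete handling for axios: one branch per documented path, checked in the
// order the docs use (response, then request, then neither).
function classifyAxiosError(err: AxiosLikeError): Outcome {
  if (err.response) {
    const s = err.response.status;
    return s >= 500 ? { kind: "server_error", status: s } : { kind: "client_error", status: s };
  }
  if (err.request) return { kind: "no_response", code: err.code };
  return { kind: "setup_error", message: err.message };
}

// Complete handling for stripe-node: one branch per documented error type.
// The default branch is deliberately loud: a type we don't list means the
// handler is incomplete again, which is exactly the thing being checked for.
function classifyStripeError(err: StripeLikeError): Outcome {
  switch (err.type) {
    case "StripeCardError": return { kind: "card_declined", message: err.message };
    case "StripeRateLimitError": return { kind: "rate_limited" };
    case "StripeConnectionError": return { kind: "no_response", code: undefined };
    case "StripeAPIError": return { kind: "server_error", status: null };
    case "StripeInvalidRequestError":
    case "StripeAuthenticationError": return { kind: "config_error", message: err.message };
    default: return { kind: "setup_error", message: `unhandled Stripe error type: ${err.type}` };
  }
}

// The decision the call site actually needs, derived from the outcome rather
// than from a string match on the message.
function shouldRetry(o: Outcome): boolean {
  return o.kind === "server_error" || o.kind === "no_response" || o.kind === "rate_limited";
}
```

The point of the split is visible in `shouldRetry`: a 404 and a timeout both reject the same promise, but retrying the first is pointless and retrying the second is the right fix, and a card decline must reach the user rather than the retry loop. A handler that only logs `error.message` cannot make any of those distinctions.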
CI receipts
Our public repos run the above on every PR via GitHub Actions. Anyone can inspect the workflows:
- nark (ci.yml) — typecheck, format:check, test, build
- nark-corpus (ci.yml) — validate every contract YAML against the schema
What we're not running (and why)
- CodeQL — overlaps with semgrep's OSS ruleset for our stack; we'd add it if we needed the language-specific deep queries that come with GitHub Advanced Security.
- Snyk / Socket.dev — at the free tier they overlap with npm audit; we'd revisit if the paid tier's supply-chain reputation scoring (not just CVE matching) started to matter.
- Dependabot — configured to auto-PR security updates only; we've opted out of the noisier daily version bumps until we have the bandwidth to review them.
Want this for your repo?
Most of this is one-time setup: wire the GitHub Actions, commit the configs, done. The exception is nark, which is ongoing: the corpus updates as packages evolve, and you pick up the scanner's improvements via nark@latest on every CI run. That also makes nark@latest the one unpinned input in the pipeline, since a run can pull a new scanner version without any lockfile change; if you'd rather keep CI fully reproducible, pin a fixed version in package.json and bump it deliberately.