For DevOps & security

Your CI/CD is vulnerable to patch-level attacks. PatchGate closes the gap.

Malicious actors don't target major versions—they target patches. They're fast, they're common, and they're rarely audited. PatchGate detects suspicious publisher behavior and anomalous patch patterns in milliseconds, blocking risky updates before they're installed.

Designed by security engineers · Catches zero-day supply chain attacks · No false positives by design · Early access
Join the beta

The patch-level attack surface

A compromised npm maintainer publishes a patch at 2 AM UTC. Within 6 hours, it's in 10,000 CI/CD pipelines. Your security team never sees it coming because patches aren't treated like major releases—they're treated like routine maintenance.

PatchGate changes that. We monitor every patch publish event, analyze publisher behavior against historical baselines, and flag anomalies before your pipeline touches them.

What we detect

Unexpected publisher changes

New maintainer? Unusual IP? We flag deviations from historical patterns.

Timing anomalies

Publishes outside normal windows, rapid release cycles, or coordinated multi-package drops.

File-level anomalies

Unexpected binary files, credential-harvesting patterns, or exfiltration signatures in patch code.

Registry provenance

Cross-reference publisher reputation, dependency relationships, and known attack patterns.

How it integrates

PatchGate sits between your registry and your CI/CD. When a patch is published, we analyze it. When your pipeline requests a dependency update, we gate it—block, flag, or allow based on your policies.

GitHub Actions

Native integration. Gate patches in your workflow. Auto-remediate or notify on risk.

npm & PyPI

Monitor public registries. Private registries supported on Growth tier.

Custom policies

Define risk thresholds, allowed publishers, and enforcement rules. Sync across all repos.

Audit logs

Every gate decision is logged. Full visibility for compliance and incident response.

Built for scale

If you're running 10,000+ dependency updates per week, you can't afford to miss a malicious patch. PatchGate is designed for high-velocity teams: sub-100ms decision latency, behavioral models that update automatically, and policies that scale across your entire dependency tree.

Pricing

Starter: 5 repositories, 100K pipeline executions/month, standard threat detection.
Growth: 50 repositories, 1M executions, custom policies, threat intelligence feeds.
Enterprise: Unlimited, dedicated support, custom rules, advanced threat feeds.

Is this a replacement for SBOM or provenance tools?

No. SBOM and provenance tools are essential for compliance. PatchGate is orthogonal: we detect zero-day supply chain attacks by analyzing publisher behavior and patch anomalies in real time. Use both.

What about false positives?

False positives kill adoption. We're designing PatchGate to be precise: we only flag patches when behavioral anomalies align with known attack patterns. Legitimate maintainers publishing at odd hours won't trigger blocks—but a new publisher publishing 500 files at 3 AM will.
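To make the gating logic from "What we detect" and the answer above concrete, here is an added illustration (not PatchGate's code) of a baseline-driven gate: it combines several weak signals rather than blocking on any one of them, so a known maintainer publishing at 3 AM is allowed while a never-seen publisher dropping 500 files at the same hour is blocked. The package names, thresholds (5x median file count, one-hour rapid-release window) and the allow/flag/block rules are assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class Baseline:                 # historical profile of one package (constructed)
    publishers: set             # maintainers seen on prior releases
    active_hours_utc: range     # hours in which releases normally land
    median_files: int           # typical file count per release
    last_publish: datetime      # timestamp of the previous release

@dataclass
class PatchEvent:               # one patch publish as seen from the registry
    publisher: str
    published_at: datetime
    file_count: int
    files: list = field(default_factory=list)

BINARY_EXT = (".exe", ".dll", ".so", ".node", ".wasm")

def detect_signals(ev, base):
    """Return the anomaly signals a publish event triggers against its baseline."""
    signals = []
    if ev.publisher not in base.publishers:
        signals.append("new_publisher")
    if ev.published_at.hour not in base.active_hours_utc:
        signals.append("off_hours")
    if ev.file_count > 5 * max(base.median_files, 1):
        signals.append("file_spike")
    if any(f.lower().endswith(BINARY_EXT) for f in ev.files):
        signals.append("unexpected_binary")
    if (ev.published_at - base.last_publish).total_seconds() < 3600:
        signals.append("rapid_release")
    return signals

def gate(ev, base):
    """Decide allow/flag/block. A lone weak signal (e.g. off_hours for a known
    maintainer) passes; a new publisher plus any other anomaly is blocked;
    remaining multi-signal cases, or any binary, are flagged for review."""
    s = detect_signals(ev, base)
    if "new_publisher" in s and len(s) >= 2:
        return "block", s
    if "unexpected_binary" in s or len(s) >= 2:
        return "flag", s
    return "allow", s

# Constructed sample data: known maintainer at 03:00 UTC vs. a new publisher dropping 500 files.
BASELINE = Baseline({"alice"}, range(9, 18), 40, datetime(2024, 5, 1, 12, tzinfo=timezone.utc))
KNOWN_ODD_HOUR = PatchEvent("alice", datetime(2024, 5, 3, 3, tzinfo=timezone.utc), 42)
NEW_PUBLISHER_DROP = PatchEvent("mallory", datetime(2024, 5, 3, 3, tzinfo=timezone.utc), 500, ["lib/helper.node"])
```

In a real deployment the baseline would be rebuilt from registry history on every publish event and the decision logged, so that the reason for each block or flag is available for review.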

How do I set up PatchGate?

We're targeting sub-30-minute setup for GitHub Actions integration. Connect your GitHub org, select repositories, choose a policy template, and deploy. Custom policies require Growth tier.

What happens if a patch is flagged?

You decide. Block it, flag it in Slack, require approval, or auto-remediate to the previous version. All actions are logged and auditable.