Keys never leave your machine


Gate unsigned agent merges in GitLab CI.

Add ssx360 check to merge request pipelines. Hosted verification maps to SLSA L1–2 commit provenance. Keys stay local; only envelope metadata is sent to SSX360.

Scroll Gate · GitLab CI

Ed25519: commit envelopes, offline-verifiable proof
Local-only: CLI & hooks, repo never uploaded
Scroll Gate: PR enforcement, signed vs unsigned
SSX360: control plane (identity · billing · audit)

Scroll Gate v2 · GitLab CI · SDK 0.5.1

Last verified against matrixscroll 0.5.1. Community tier includes 100 hosted verifications per day. Team+ unlocks org audit export.

Copy-paste

GitLab CI pipeline

Runs on every merge request. Fails when signatures are missing, invalid, or post-generation edits break envelope integrity.

yaml · .gitlab-ci.yml
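stages:
  - provenance

scroll-gate:
  stage: provenance
  image: python:3.12
  rules:
    # Run only in merge request pipelines
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
  variables:
    # Full history, so the base..head range can be resolved
    GIT_DEPTH: "0"
    # Supplied by the project CI/CD variable described below
    SSX360_API_KEY: $SSX360_API_KEY
  before_script:
    # Pinned to the SDK version this page was verified against
    - pip install "matrixscroll==0.5.1"
  script:
    - ssx360 check --hosted --base "origin/$CI_MERGE_REQUEST_TARGET_BRANCH_NAME" --head HEAD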

One variable

CI/CD variable

Store your SSX360 API key as SSX360_API_KEY — mask and protect the variable; never commit keys to the repo.

bash · gitlab variable
# Project → Settings → CI/CD → Variables
# Mask and protect SSX360_API_KEY
SSX360_API_KEY=sk_live_...   # Community or Team key from ssx360.com/settings
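
A pre-flight guard for the scroll-gate job, as an added example that is not part of matrixscroll or the ssx360 CLI: it fails closed when SSX360_API_KEY is empty and when a key-like string has been committed to the repository. The key pattern after the sk_live_ prefix and the function names key_is_set, find_committed_keys, preflight and demo are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of matrixscroll or the ssx360 CLI.
# Assumption: a key is "sk_live_" plus 16 or more characters of [A-Za-z0-9_];
# the page only shows the "sk_live_" prefix.
KEY_RE='sk_live_[A-Za-z0-9_]{16,}'

# Succeeds only when SSX360_API_KEY is non-empty. GitLab exposes a protected
# variable only to pipelines on protected refs, so an empty value in a merge
# request pipeline usually points at variable scope rather than a typo.
key_is_set() {
    [ -n "${SSX360_API_KEY:-}" ]
}

# find_committed_keys DIR: print file:line for each key-like string under DIR
# (never the key itself, so job logs stay clean). Returns 1 when DIR is clean.
find_committed_keys() {
    hits=$(grep -rnEI --exclude-dir=.git -e "$KEY_RE" "$1" 2>/dev/null |
        cut -d: -f1,2) || true
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# preflight DIR: 0 = run the check, 2 = key missing, 3 = key committed.
preflight() {
    if ! key_is_set; then
        echo "SSX360_API_KEY is empty; check the variable's protected scope" >&2
        return 2
    fi
    if find_committed_keys "$1" >&2; then
        echo "key-like string found in the repository; rotate and remove it" >&2
        return 3
    fi
    return 0
}

# Constructed demo: a scratch directory holding a fake key must be rejected.
# The fake key is assembled by printf so this script does not flag itself.
demo() {
    d=$(mktemp -d) || return 1
    printf 'api_key = sk_live_%s\n' 'CONSTRUCTED_0123456789' > "$d/settings.ini"
    rc=0
    SSX360_API_KEY=constructed-placeholder preflight "$d" 2>/dev/null || rc=$?
    rm -rf "$d"
    echo "$rc"
}
```

To use it, source the file and call preflight "$CI_PROJECT_DIR" in script before the ssx360 check line.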

Full spec: SCROLL_GATE_V2.md · SLSA mapping