Lintel

The shield your commits pass through.

A single-binary, shift-left security orchestrator that runs as a Git hook and in CI. One declarative spec file, zero runtime dependencies, and the best-in-class OSS scanners you already trust.


Why Lintel

Most teams want shift-left security - secrets, SAST, SCA, lint, format - on every commit. The existing landscape forces a choice.

Husky + lint-staged + N tools, each with its own config. Brittle, drifts between repos, breaks when anyone upgrades anything.

Expensive, opaque, and almost always a black box running rules you can't audit.

One Go binary that coordinates the scanners you choose, driven by one YAML file, with a tight CLI and strong supply-chain hygiene built in.


Feature highlights

  • Single static binary

    Linux, macOS, Windows on amd64 and arm64. No runtime dependencies. Download, put on $PATH, go.

  • Declarative config

    One lintel.yaml describes stacks, scanners, gates, and ignores. Checked in, versioned, reviewed like any other code.

  • Supply-chain hygiene

    Scanner binaries are resolved and verified against pinned SHA256 hashes on every invocation. No hash, no run.

  • Git-hook native

    lintel install manages pre-commit and pre-push hooks without clobbering foreign ones. Uninstall is clean.

  • Fast by default

    Parallel execution per scanner with per-check and total timeouts. Only staged files are scanned on pre-commit.

  • Deterministic output

    Pretty or JSON. Sorted, stable, and CI-friendly. SARIF and JUnit on the roadmap for v1.1.
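
The "no hash, no run" rule from the Supply-chain hygiene item, sketched in Go as an added example. This is not Lintel's own code: the pin map, VerifyPinned and the error names are hypothetical, and the pin in main is a constructed sample.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"os"
)

// Hypothetical error values for this example; not part of any real tool's API.
var ErrNoPin = errors.New("no valid pinned hash: refusing to run")
var ErrMismatch = errors.New("sha256 mismatch: refusing to run")

// VerifyPinned streams the file at path through SHA-256 and compares the
// digest with pins[name] (hex). It fails closed: a missing, empty or
// malformed pin is an error, never a skipped check.
func VerifyPinned(pins map[string]string, name, path string) error {
	want, err := hex.DecodeString(pins[name])
	if err != nil || len(want) != sha256.Size {
		return fmt.Errorf("%s: %w", name, ErrNoPin)
	}
	f, err := os.Open(path)
	if err != nil {
		return err
	}
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return err
	}
	if subtle.ConstantTimeCompare(h.Sum(nil), want) != 1 {
		return fmt.Errorf("%s: %w", name, ErrMismatch)
	}
	return nil
}

func main() {
	// Constructed demo: check this program's own binary against a sample pin.
	self, err := os.Executable()
	if err != nil {
		panic(err)
	}
	pins := map[string]string{"self": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"}
	fmt.Println(VerifyPinned(pins, "self", self))  // pin is SHA-256 of "abc": mismatch
	fmt.Println(VerifyPinned(pins, "other", self)) // no pin for this name: refused
}
```

A check on a path followed by executing that path leaves a window in which the file can be replaced, so the verified binaries belong in a directory only the invoking user can write to.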


What's next