# chainctl policy-gate check

URL: https://edu.chainguard.dev/chainguard/chainctl/chainctl-docs/chainctl_policy-gate_check.md
Last Modified: May 22, 2026
Tags: chainctl, Reference, Product

 chainctl policy-gate check Check an image against active policy gates.
Synopsis Evaluate an image against any active policy gates and print the result for each.
Exit status is non-zero if any policy returned DENIED or ERROR, regardless of the policy&rsquo;s mode, so this command is suitable for use in CI.
chainctl policy-gate check IMAGE_REF [flags] Examples # Check an image by tag chainctl policy-gate check cgr.dev/example.com/python:latest # Check an image by digest chainctl policy-gate check cgr.dev/example.com/python@sha256:abc... Options inherited from parent commands --api string The url of the Chainguard platform API. (default &#34;https://console-api.enforce.dev&#34;) --audience string The Chainguard token audience to request. (default &#34;https://console-api.enforce.dev&#34;) --config string A specific chainctl config file. Uses CHAINCTL_CONFIG environment variable if a file is not passed explicitly. --console string The url of the Chainguard platform Console. (default &#34;https://console.chainguard.dev&#34;) --force-color Force color output even when stdout is not a TTY. -h, --help Help for chainctl --issuer string The url of the Chainguard STS endpoint. (default &#34;https://issuer.enforce.dev&#34;) --log-level string Set the log level (debug, info) (default &#34;ERROR&#34;) -o, --output string Output format. One of: [csv, env, go-template, id, json, markdown, none, table, terse, tree, wide] -v, --v int Set the log verbosity level. SEE ALSO chainctl policy-gate	- Manage policy gates.