Skip to content

Quality Gates

ControlInitial behaviorTarget behavior
FormatFailFail
Lint errorsFailFail
Type errorsFailFail
Unit testsFailFail
CoveragePublish baselineFail new-code threshold
SonarQubePublishQuality gate on new code
SemgrepFail verified high/criticalRisk-based policy
GitleaksFailFail
Trivy FSFail critical; manage highFail policy-defined findings
Docker buildFailFail
Trivy ImageFail critical; manage highRisk-based with SLA
SBOMRequired artifactRequired attestation

Do not block adoption because legacy coverage or debt is imperfect. Establish a baseline and require changed code not to worsen it. Critical security findings and secrets are not grandfathered merely because they pre-existed.

A suppressions file is not an exception process. Every material suppression has a reason, owner, scope, and expiry. Scanner identifiers are retained so the decision remains auditable.