Quality Gates
Gate model
Section titled “Gate model”| Control | Initial behavior | Target behavior |
|---|---|---|
| Format | Fail | Fail |
| Lint errors | Fail | Fail |
| Type errors | Fail | Fail |
| Unit tests | Fail | Fail |
| Coverage | Publish baseline | Fail new-code threshold |
| SonarQube | Publish | Quality gate on new code |
| Semgrep | Fail verified high/critical | Risk-based policy |
| Gitleaks | Fail | Fail |
| Trivy FS | Fail critical; manage high | Fail policy-defined findings |
| Docker build | Fail | Fail |
| Trivy Image | Fail critical; manage high | Risk-based with SLA |
| SBOM | Required artifact | Required attestation |
New-code principle
Section titled “New-code principle”Do not block adoption because legacy coverage or debt is imperfect. Establish a baseline and require changed code not to worsen it. Critical security findings and secrets are not grandfathered merely because they pre-existed.
Exceptions
Section titled “Exceptions”A suppressions file is not an exception process. Every material suppression has a reason, owner, scope, and expiry. Scanner identifiers are retained so the decision remains auditable.