SonarQube Quality Gates

Non-Negotiables

  1. Quality gates block merges. “We’ll fix it later” is how debt becomes outages.
  2. New code must not introduce critical issues. Stop the bleeding first.
  3. Security findings are release blockers.

Minimum Requirements

Gate Conditions (baseline)

  • 0 Blocker / 0 Critical issues on new code.
  • No new security vulnerabilities.
  • No new bug-level issues.
  • Coverage on new code meets the agreed threshold (team-defined), and must not decrease.
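The baseline above can be checked mechanically in CI, so that "quality gates block merges" is enforced by the pipeline rather than by convention. The script below is an added example, not SonarQube's own code or part of this page's project: it assumes the JSON shape returned by SonarQube's Web API endpoint api/qualitygates/project_status (the two responses embedded in it are constructed samples, not real scan output), uses SonarQube's new-code metric keys (new_blocker_violations, new_critical_violations, new_vulnerabilities, new_bugs, new_coverage), and takes 80% as a placeholder for the team-defined coverage threshold. Beyond reporting failed conditions, it also flags gate drift: a server-side gate that no longer contains one of the non-negotiable conditions or has a weaker threshold than the baseline, which a plain "gate passed" status would hide.

```python
"""Fail a CI step on a SonarQube quality-gate result and detect gate drift.

Added example, not SonarQube's code. Assumes the response shape of
api/qualitygates/project_status; the samples below are constructed.
"""
import json
import sys

# Baseline gate from the page, in SonarQube metric-key terms. "comparator" is the
# relation under which the condition FAILS (SonarQube semantics: GT = fail when
# actual is greater than the threshold, LT = fail when actual is lower).
BASELINE_CONDITIONS = [
    {"metricKey": "new_blocker_violations", "comparator": "GT", "errorThreshold": "0"},
    {"metricKey": "new_critical_violations", "comparator": "GT", "errorThreshold": "0"},
    {"metricKey": "new_vulnerabilities", "comparator": "GT", "errorThreshold": "0"},
    {"metricKey": "new_bugs", "comparator": "GT", "errorThreshold": "0"},
    # 80 is a placeholder for the team-defined coverage threshold.
    {"metricKey": "new_coverage", "comparator": "LT", "errorThreshold": "80"},
]


def _condition(metric, comparator, threshold, actual, status):
    return {"status": status, "metricKey": metric, "comparator": comparator,
            "errorThreshold": threshold, "actualValue": actual}


# Constructed sample: a gate that matches the baseline and fails on two conditions.
SAMPLE_RESPONSE = json.dumps({"projectStatus": {"status": "ERROR", "conditions": [
    _condition("new_blocker_violations", "GT", "0", "0", "OK"),
    _condition("new_critical_violations", "GT", "0", "0", "OK"),
    _condition("new_vulnerabilities", "GT", "0", "1", "ERROR"),
    _condition("new_bugs", "GT", "0", "0", "OK"),
    _condition("new_coverage", "LT", "80", "72.5", "ERROR"),
], "ignoredConditions": False}})

# Constructed sample: a gate that passes, but only because it was weakened
# (vulnerability condition removed, coverage threshold lowered to 50).
WEAKENED_RESPONSE = json.dumps({"projectStatus": {"status": "OK", "conditions": [
    _condition("new_blocker_violations", "GT", "0", "0", "OK"),
    _condition("new_critical_violations", "GT", "0", "0", "OK"),
    _condition("new_bugs", "GT", "0", "0", "OK"),
    _condition("new_coverage", "LT", "50", "61.0", "OK"),
], "ignoredConditions": False}})


def _conditions(response_text):
    return json.loads(response_text)["projectStatus"].get("conditions", [])


def failed_conditions(response_text):
    """Return (metric, actual, comparator, threshold) for every failing condition."""
    return [(c["metricKey"], c["actualValue"], c["comparator"], c["errorThreshold"])
            for c in _conditions(response_text) if c["status"] == "ERROR"]


def gate_drift(response_text):
    """Return one message per baseline condition the server gate is missing or has weakened."""
    server = {c["metricKey"]: c for c in _conditions(response_text)}
    drift = []
    for base in BASELINE_CONDITIONS:
        metric = base["metricKey"]
        cond = server.get(metric)
        if cond is None or cond["comparator"] != base["comparator"]:
            drift.append(f"{metric}: baseline condition not configured")
            continue
        actual_t, base_t = float(cond["errorThreshold"]), float(base["errorThreshold"])
        # GT conditions get weaker as the threshold rises; LT conditions as it falls.
        weaker = actual_t > base_t if base["comparator"] == "GT" else actual_t < base_t
        if weaker:
            drift.append(f"{metric}: threshold {cond['errorThreshold']} "
                         f"weaker than baseline {base['errorThreshold']}")
    return drift


def gate_exit_code(response_text):
    """0 only when the gate passed AND still enforces the baseline; 1 otherwise."""
    overall = json.loads(response_text)["projectStatus"]["status"]
    failures = failed_conditions(response_text)
    drift = gate_drift(response_text)
    for metric, actual, comparator, threshold in failures:
        print(f"FAIL {metric}: actual {actual} is {comparator} {threshold}")
    for message in drift:
        print(f"GATE DRIFT {message}")
    return 1 if (overall != "OK" or failures or drift) else 0


if __name__ == "__main__":
    # Pass a saved project_status response as a file argument; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_RESPONSE
    sys.exit(gate_exit_code(text))
```

Wire the exit code into the merge pipeline so a non-zero result blocks the merge. The scanner itself can also be told to wait for and fail on the gate result with the sonar.qualitygate.wait=true analysis property; the drift check above is the part the scanner does not do for you, and it is what keeps a quietly loosened gate from turning green.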

How to use it

  • Treat Sonar findings like failing tests.
  • Fix root causes, not just the symptom (don’t silence rules without reason).
  • If you mark something “false positive”, document why.

Common failure modes

  • Duplicated code creeping in.
  • Complex methods with no tests.
  • Security hotspots ignored.
