DEV Community

Mumtaz Jahan

What Are Quality Gates in CI/CD? (And Why "Nobody Reads" Is Not a Gate)

What Are Quality Gates in CI/CD?

A quality gate is a rule that must pass for the pipeline to move to the next stage.
Simple definition. Powerful concept.
If the gate fails — the pipeline fails. No exceptions. No "we'll fix it later." That discipline is exactly what keeps bugs out of production.

Common Quality Gates

Here are the most widely used gates in real DevOps pipelines:
✅ Unit test pass rate — 100%
✅ Code coverage — at least 70%
✅ Static analysis — 0 critical issues
✅ Security scan — no high severity CVEs
✅ Smoke test — all must pass
✅ Performance — response time must be under target (p99 threshold)
Each of these is a hard stop. The pipeline does not move forward until every gate passes.

The Rule to Remember in Interviews

A warning nobody reads is not a gate.

This is the most important thing to say when asked about quality gates in an interview. If your pipeline warns but still deploys — that is not a gate. That is noise.
A real gate blocks the pipeline. It forces the team to fix the issue before moving forward.
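As an added example (not code from this post), the six gates listed above and the warn-versus-block rule as a small Python evaluator: each gate is a hard check over the metrics a pipeline collects, and the `enforce` flag shows the difference between a real gate and a warning that still deploys. The metric keys and sample builds are constructed for illustration and are not the output format of any particular scanner.

```python
import sys
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Gate:
    name: str
    check: Callable[[dict], bool]  # returns True when the gate passes
    reason: str                    # printed when the gate blocks the stage

# The six gates from the post, each expressed as a rule over collected metrics.
# Metric keys (tests_failed, coverage_pct, ...) are constructed for this example;
# a real pipeline would map them from its test runner and scanner reports.
GATES = [
    Gate("unit-tests", lambda m: m["tests_failed"] == 0, "unit test pass rate must be 100%"),
    Gate("coverage", lambda m: m["coverage_pct"] >= 70.0, "code coverage must be at least 70%"),
    Gate("static-analysis", lambda m: m["critical_issues"] == 0, "0 critical static-analysis issues"),
    Gate("security-scan", lambda m: m["high_cves"] == 0, "no high severity CVEs"),
    Gate("smoke-tests", lambda m: m["smoke_failed"] == 0, "all smoke tests must pass"),
    Gate("performance", lambda m: m["p99_ms"] <= m["p99_target_ms"], "p99 must be under target"),
]

def evaluate_gates(metrics: dict, gates=GATES) -> list[str]:
    """Return the names of every failing gate; an empty list means all gates passed.

    All gates are evaluated (not just the first failure) so one run shows the
    team everything that must be fixed before the pipeline can proceed.
    """
    return [g.name for g in gates if not g.check(metrics)]

def gate_stage(metrics: dict, enforce: bool = True) -> bool:
    """Decide whether the pipeline may move to the next stage.

    enforce=True  -> a real gate: any failure returns False (pipeline stops).
    enforce=False -> the anti-pattern from the post: failures are printed as
                     warnings but the stage still proceeds, so it is not a gate.
    """
    failed = evaluate_gates(metrics)
    for g in GATES:
        if g.name in failed:
            print(f"{'GATE FAILED' if enforce else 'WARNING'} [{g.name}]: {g.reason}")
    return (not failed) if enforce else True

# Constructed sample metrics: one build that should pass and one that should block.
GOOD_BUILD = {"tests_failed": 0, "coverage_pct": 74.2, "critical_issues": 0,
              "high_cves": 0, "smoke_failed": 0, "p99_ms": 180, "p99_target_ms": 250}
BAD_BUILD = {**GOOD_BUILD, "coverage_pct": 61.0, "high_cves": 2}

if __name__ == "__main__":
    sys.exit(0 if gate_stage(BAD_BUILD) else 1)  # non-zero exit code is what blocks the pipeline
```

Wire the exit code into the pipeline step; a step that swallows it and continues is the "warning nobody reads" the post describes.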

Real Project Example You Can Use in Interviews

Here is a real scenario worth sharing:
Our pipeline had a 70% code coverage gate. The dev team pushed to drop it to 60% to move faster.
Before agreeing, I pulled quarterly bug data. The finding was clear — low coverage modules had 3x more bugs.
The data made the decision. The gate stayed at 70.
This is a perfect interview answer because it shows you don't just follow rules blindly — you back decisions with data.

Close Your Interview Answer With This Line

Interviewers remember candidates who say this:

"Gates should enforce standards that the team agreed on — not personal preferences."

That one sentence shows maturity, team thinking, and real engineering judgment.

Real World Gate Stack

In my last project we used:

SonarQube — static analysis + code coverage gate
OWASP Dependency Check — security vulnerability gate

Any one of them failing blocked the merge entirely.
That discipline before production is exactly why we caught bugs early instead of firefighting at 2AM.

Quick Summary

| Gate Type | Example Threshold |
|---|---|
| Unit Tests | 100% pass rate |
| Code Coverage | ≥ 70% |
| Static Analysis | 0 critical issues |
| Security Scan | No high CVEs |
| Smoke Tests | All passing |
| Performance | Under p99 target |

Final Thought

Quality gates are not bureaucracy. They are the team's agreed standards made automatic.
Without gates, standards are just suggestions. With gates, they are enforced every single time — whether it's 10AM on a Monday or 2AM before a release.
Set the gates. Trust the gates. Let the data defend the gates.

What quality gates does your team use? Drop them in the comments 👇
