How to Set Up Code Quality Gates in Your CI Pipeline
What Quality Gates Enforce
The most effective quality gates check a small number of high-value criteria:
- No new critical- or high-severity security vulnerabilities: Any change that introduces a known vulnerability, whether in the code itself or through a dependency, should be blocked until the vulnerability is addressed or the dependency is replaced.
- Test coverage does not decrease: New code should include tests. The gate should verify that overall coverage does not drop below the current threshold or that the changed files maintain adequate coverage.
- No new linting errors: Changes should not introduce new violations of the team's agreed-upon coding standards.
- Complexity thresholds: New functions should not exceed a maximum cyclomatic complexity threshold. Existing functions that are modified should not become more complex.
- All tests pass: The fundamental gate that every CI pipeline should have. No code merges if any test fails.
The Ratchet Approach
A ratchet only turns in one direction. The ratchet approach to quality gates means that quality can only improve, never degrade. If the current test coverage is 72%, the gate requires that coverage stays at or above 72% after any change. If a developer adds code without tests that drops coverage to 71%, the gate blocks the merge.
The ratchet approach is powerful because it does not require the team to achieve an ambitious target immediately. Whatever the current state is, that becomes the floor. Over time, as developers add tests and the floor rises gradually, the codebase improves without ever requiring a dedicated cleanup sprint.
Configuring Gate Severity
Not all quality gates should block merges. Configure three levels of severity:
- Blockers: Critical security vulnerabilities, failing tests, and linting errors that indicate real bugs. These must be fixed before merging.
- Warnings: Coverage decreases, complexity increases, and style issues. These appear in the PR review but do not block the merge. The developer and reviewer decide whether to address them.
- Informational: Metrics and trend data that are useful context for the review but do not require action. Things like "this file has changed 47 times in the last 3 months" or "this function's complexity is in the 95th percentile."
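The coverage ratchet described above, combined with the blocker/warning severity levels, as an added example that is not part of the original article: a small Python gate that reads a coverage summary, compares it to a floor file left by the last passing build, raises the floor on success, and never lowers it on failure. The JSON report shape (coverage.py's `totals.percent_covered`), the floor file, and the severity names are assumptions of this example.

```python
"""Coverage ratchet gate for a CI pipeline (added example, not the article's code)."""
import json
from pathlib import Path

# Constructed sample report in the shape of `coverage json` output (assumption).
SAMPLE_REPORT = '{"totals": {"percent_covered": 71.4, "num_statements": 2500}}'

def read_percent(report_json: str) -> float:
    """Extract the total coverage percentage from a JSON coverage summary."""
    return float(json.loads(report_json)["totals"]["percent_covered"])

def read_floor(floor_file: Path, default: float = 0.0) -> float:
    """The floor is whatever the last passing build recorded (the ratchet state)."""
    return float(floor_file.read_text().strip()) if floor_file.exists() else default

def evaluate(current: float, floor: float, severity: str = "blocker") -> dict:
    """Compare current coverage against the floor and return the verdict.

    - coverage >= floor: pass, and the floor ratchets up to the new value
    - coverage <  floor: fail if the gate is a "blocker", otherwise warn;
      the floor is never lowered, so a warning does not erode the ratchet.
    """
    if current >= floor:
        return {"status": "pass", "new_floor": current, "delta": current - floor}
    status = "fail" if severity == "blocker" else "warn"
    return {"status": status, "new_floor": floor, "delta": current - floor}

def run_gate(report_json: str, floor_file: Path, severity: str = "blocker") -> dict:
    """Full gate: read the report and floor, evaluate, and persist a raised floor."""
    result = evaluate(read_percent(report_json), read_floor(floor_file), severity)
    if result["status"] == "pass":
        floor_file.write_text(f"{result['new_floor']:.2f}\n")
    return result

if __name__ == "__main__":
    import sys
    import tempfile
    # Reproduce the article's scenario: floor at 72%, a change drops coverage to 71.4%.
    with tempfile.TemporaryDirectory() as d:
        floor = Path(d) / "coverage_floor.txt"
        floor.write_text("72.0\n")
        verdict = run_gate(SAMPLE_REPORT, floor)
        print(verdict)
        sys.exit(1 if verdict["status"] == "fail" else 0)
```

In a real pipeline the floor file would be persisted between builds (committed to the repository or stored as a CI cache), and the non-zero exit code is what makes the blocker stop the merge.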
Avoiding Gate Fatigue
The biggest risk with quality gates is fatigue. If gates block merges too frequently for low-value reasons, developers will start viewing them as obstacles and look for ways to bypass them. The cure for gate fatigue is ruthless curation: every blocking gate should catch issues that would actually cause problems in production. If a gate has not blocked a genuinely harmful change in the past month, it should be downgraded to a warning or removed.
Getting Started
Start with just three gates: all tests pass, no critical security vulnerabilities, and no new linting errors. These three provide the highest value with the lowest friction. Once the team is comfortable, add coverage ratcheting and complexity thresholds. Layer gradually so the team never feels overwhelmed by too many requirements at once.
Set up quality gates that prevent problems without slowing your team down. See how an AI development team integrates quality into your CI pipeline.