Quality Gates¶
How SonarQube quality gates work, current enforcement status per project, and how to view results.
A quality gate is a set of pass/fail conditions that SonarQube evaluates after each analysis. When sonar.qualitygate.wait=true is set in sonar-project.properties, the sonarqube-scan CI job blocks until SonarQube finishes computing the gate result and then exits non-zero if the gate FAILED (zero if it PASSED), which is what lets the pipeline react to the verdict.
How Quality Gates Work¶
After the scanner uploads analysis results, SonarQube evaluates the configured gate conditions — for example, coverage must be above a threshold, no new critical vulnerabilities, no new blocker issues. The gate produces a single PASSED or FAILED verdict.
Whether that verdict fails the pipeline depends on the allow_failure setting on the CI job:
- allow_failure: false — pipeline fails if the gate fails (enforced)
- allow_failure: true — pipeline continues regardless of gate result (advisory)
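The following .gitlab-ci.yml fragment is an added example (not the project's own pipeline) showing how the same sonarqube-scan job can be switched between advisory and enforced per project. It assumes the scanner image name, a masked SONAR_TOKEN CI variable, and a per-project CI/CD variable SONAR_GATE_ENFORCED; sonar.qualitygate.wait=true is read from the repository's sonar-project.properties.

```yaml
# Added example, not CWIQ's pipeline. Assumed: scanner image, SONAR_TOKEN
# (masked CI variable, read by sonar-scanner from the environment) and the
# project-level variable SONAR_GATE_ENFORCED used to flip enforcement.
stages:
  - test
  - scan

sonarqube-scan:
  stage: scan
  image: sonarsource/sonar-scanner-cli:latest   # assumed image
  variables:
    SONAR_HOST_URL: "https://sonarqube.shared.cwiq.io"
    GIT_DEPTH: "0"   # full history so SonarQube can attribute new code
  script:
    # sonar.qualitygate.wait=true lives in sonar-project.properties, so this
    # call only returns once the gate verdict exists; exit code is non-zero
    # on a FAILED gate.
    - sonar-scanner
  rules:
    # CE analyses the main branch only; skip the job elsewhere.
    - if: '$CI_COMMIT_BRANCH != "main"'
      when: never
    # Enforced: a FAILED gate fails the pipeline.
    - if: '$SONAR_GATE_ENFORCED == "true"'
      allow_failure: false
    # Advisory (default while debt is being worked down): a FAILED gate shows
    # as a warning and the pipeline continues. A green pipeline here does not
    # mean the gate passed; check the SonarQube dashboard.
    - when: on_success
      allow_failure: true
```

Setting SONAR_GATE_ENFORCED to "true" in a project's CI/CD variables moves that project to enforced mode without touching the shared job definition.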
Current Enforcement Status¶
Quality gate enforcement is being rolled out incrementally as technical debt is addressed across services.
| Project | Quality Gate | allow_failure | Effect |
|---|---|---|---|
| orchestrator-cli | Enforced | false | Pipeline fails if gate fails |
| orchestrator-server | Advisory | true | Pipeline continues regardless |
| orchestrator-ui | Advisory | true | Pipeline continues regardless |
| orchestrator-agent | Advisory | true | Pipeline continues regardless |
| orchestrator-mcp | Advisory | true | Pipeline continues regardless |
| orchestrator-executor | Advisory | true | Pipeline continues regardless |
Enforcement is rolling out incrementally
Currently only the CLI project has the quality gate enforced. Other projects will be migrated to enforced mode as the outstanding issues identified in each project's SonarQube dashboard are resolved. Do not treat a green advisory job as a sign that the code is clean: the gate may still have FAILED, so check the project's SonarQube dashboard.
Viewing Quality Gate Results¶
In the SonarQube Dashboard¶
- Open https://sonarqube.shared.cwiq.io
- Log in with your CWIQ SSO credentials via Authentik
- Click your project name in the project list
- The Quality Gate status (Passed/Failed) is shown at the top of the project dashboard
- Click into any category (Bugs, Vulnerabilities, Code Smells, Coverage, Duplications) to see line-level detail
- Click any individual issue to see the affected line, the rule that triggered it, and remediation guidance
In the GitLab Pipeline¶
When sonar.qualitygate.wait=true is set, the sonarqube-scan job log includes the gate verdict. For advisory jobs (allow_failure: true), a failed gate appears as a warning in the pipeline without blocking it.
Understanding Gate Conditions¶
The default CWIQ quality gate uses SonarQube's built-in "Sonar way" conditions as a baseline. Key conditions include:
| Condition | Target | Applies To |
|---|---|---|
| No new blocker issues | 0 | New code |
| No new critical vulnerabilities | 0 | New code |
| Coverage on new code | >= 80% | New code |
| Duplicated lines on new code | < 3% | New code |
CE analyses the overall codebase, not a diff
Because SonarQube CE can only analyse the main branch (not individual commits or branches), "new code" is defined by SonarQube's reference branch configuration, not by the current PR. All findings are against the full main branch codebase.
Related Documentation¶
- Setup & Configuration — How to add SonarQube to your pipeline
- sonar-project.properties Reference — sonar.qualitygate.wait and other scanner settings
- Security Scanning Overview — How SonarQube fits into the broader scanning pipeline