Lesson 5 (Intermediate)

Quality Gates & Profiles

ELI5 Explanation

A Quality Gate is the checkpoint at the factory exit — no product ships if it fails inspection. Quality Profiles define which tests the inspector runs for each product type.

Technical Explanation

A Quality Gate is a set of boolean conditions evaluated after each analysis. If any condition fails, the gate status is Failed (reported as ERROR by the API) and the pipeline can be stopped. Example conditions: coverage on new code below a threshold, duplicated lines on new code above a threshold, or a security, reliability or maintainability rating on new code worse than A.

A Quality Profile defines which rules are active, and at which severity, for a given language. Every project uses the default profile for each language unless a different profile is assigned to it. Custom profiles let security-sensitive projects apply a stricter, OWASP-aligned rule set while internal tooling uses a lighter one.

Important: gate conditions evaluated on new code only (the Sonar Way default) let teams improve without being blocked by pre-existing issues in legacy code. What counts as "new code" is configured per project (for example, since the previous version, the last N days, or relative to a reference branch), so check that definition before reading a gate result.
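
The script below is an added example, not code from this lesson or from SonarSource, showing how the stricter profile and gate just described can be provisioned through the SonarQube Web API rather than by hand: it creates a profile, bulk-activates the rules of one language that are mapped to OWASP Top 10 categories A1 to A10, assigns the profile to a project, then creates a gate with tighter new-code conditions and selects it for the same project. The profile name, gate name, project key, language, thresholds and server URL are assumptions chosen for the example, and the HTTP layer is injected so the call sequence can be exercised without a server. Confirm parameter names against /web_api on your own server version.

```python
"""Provision a stricter Quality Profile and Quality Gate for an internet-facing service.

Endpoints used (parameter names per the SonarQube Web API; confirm on /web_api of your server):
  api/qualityprofiles/create, api/qualityprofiles/activate_rules, api/qualityprofiles/add_project,
  api/qualitygates/create, api/qualitygates/create_condition, api/qualitygates/select
"""
import base64
import json
import os
import sys
import urllib.parse
import urllib.request

# Assumed names for this example; choose your own.
PROFILE_NAME = "security-enhanced"
GATE_NAME = "internet-facing-api"
LANGUAGE = "java"

# Tighter new-code conditions than Sonar Way: (metric, op, error threshold).
# op is the direction that trips the condition: LT = actual below threshold, GT = actual above it.
STRICT_CONDITIONS = [
    ("new_coverage", "LT", "85"),
    ("new_duplicated_lines_density", "GT", "1"),
    ("new_security_rating", "GT", "1"),            # rating 1 = A; anything worse fails
    ("new_reliability_rating", "GT", "1"),
    ("new_security_hotspots_reviewed", "LT", "100"),
]


def make_poster(base_url: str, token: str):
    """Return post(path, **params) -> dict that POSTs form-encoded params with token auth."""
    def post(path, **params):
        req = urllib.request.Request(f"{base_url}/{path}",
                                     data=urllib.parse.urlencode(params).encode(), method="POST")
        cred = base64.b64encode(f"{token}:".encode()).decode()
        req.add_header("Authorization", f"Basic {cred}")
        with urllib.request.urlopen(req, timeout=30) as resp:
            raw = resp.read()
            return json.loads(raw) if raw else {}   # several endpoints answer 204 with no body
    return post


def provision(post, project_key: str, language: str = LANGUAGE, conditions=STRICT_CONDITIONS) -> dict:
    """Create the profile and gate, then bind both to project_key.

    post(path, **params) -> dict is injected so the call sequence can be checked offline.
    """
    profile = post("api/qualityprofiles/create", name=PROFILE_NAME, language=language)["profile"]
    # Bulk-activate every rule of this language mapped to OWASP Top 10 categories A1..A10.
    owasp = ",".join(f"a{i}" for i in range(1, 11))
    activated = post("api/qualityprofiles/activate_rules",
                     targetKey=profile["key"], languages=language, owaspTop10=owasp)
    post("api/qualityprofiles/add_project",
         language=language, qualityProfile=PROFILE_NAME, project=project_key)

    post("api/qualitygates/create", name=GATE_NAME)
    for metric, op, error in conditions:
        post("api/qualitygates/create_condition",
             gateName=GATE_NAME, metric=metric, op=op, error=error)
    post("api/qualitygates/select", gateName=GATE_NAME, projectKey=project_key)

    return {"profile_key": profile["key"],
            "rules_activated": activated.get("succeeded", 0),
            "gate_conditions": len(conditions)}


if __name__ == "__main__":
    poster = make_poster(os.environ.get("SONAR_URL", "http://localhost:9000"),
                         os.environ["SONAR_TOKEN"])
    print(provision(poster, sys.argv[1]))
```

Run it as `SONAR_TOKEN=... python provision.py payments-api` with a token that has "Administer Quality Profiles" and "Administer Quality Gates" permissions. Keep the call order: the profile must exist before rules are activated into it, and the gate before conditions are attached, which is why the injected post function is also the natural seam for a dry run.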

Visual

Scan Completes
  -> Evaluate Gate Conditions
  -> PASSED / FAILED
  -> Pipeline Decision (continue or stop)

Hands-on Commands

Check Quality Gate status via API
# The scanner prints the background task URL at the end of its output and also
# writes ceTaskId=... to .scannerwork/report-task.txt. Wait until that task
# reports SUCCESS before asking for the gate status, otherwise you read the
# result of the previous analysis.
curl -u "$SONAR_TOKEN:" \
  "http://localhost:9000/api/ce/task?id=$TASK_ID"
# -> { "task": { "status": "SUCCESS", "analysisId": "...", ... } }

# Then read the gate status for the project (or pass analysisId=... instead)
curl -u "$SONAR_TOKEN:" \
  "http://localhost:9000/api/qualitygates/project_status?projectKey=my-app"

# Response example:
# { "projectStatus": { "status": "OK", "conditions": [ ... ] } }
# or "status": "ERROR", where each entry in "conditions" carries its own
# status, metricKey, comparator, errorThreshold and actualValue

# List all quality gates
curl -u "$SONAR_TOKEN:" \
  "http://localhost:9000/api/qualitygates/list"
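
The following Python script is an added example, not part of this lesson or of the SonarScanner, that turns the curl calls above into a pipeline step: it reads the task id from .scannerwork/report-task.txt, polls api/ce/task until the analysis has been processed, fetches project_status for that analysisId, prints which conditions tripped, and exits non-zero when the gate is not OK. The server URL and the report-task.txt path are assumptions; the embedded response is a constructed sample so the evaluation logic can be exercised offline.

```python
"""Break the build on the SonarQube Quality Gate result.

Flow: read the ceTaskId the scanner wrote, poll api/ce/task until the
compute-engine task finishes, fetch api/qualitygates/project_status for that
analysisId, and exit non-zero if the gate is not OK.
"""
import base64
import json
import os
import sys
import time
import urllib.parse
import urllib.request

SONAR_URL = "http://localhost:9000"  # assumed local server, as in the curl examples


def api_get(base_url: str, token: str, path: str, **params) -> dict:
    """GET a Web API endpoint; the token is the basic-auth user with an empty password."""
    req = urllib.request.Request(f"{base_url}/{path}?{urllib.parse.urlencode(params)}")
    cred = base64.b64encode(f"{token}:".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def read_task_id(report_task_path: str = ".scannerwork/report-task.txt") -> str:
    """The scanner writes key=value lines after each analysis, including ceTaskId."""
    with open(report_task_path, encoding="utf-8") as fh:
        props = dict(line.rstrip("\n").split("=", 1) for line in fh if "=" in line)
    return props["ceTaskId"]


def wait_for_task(fetch, task_id: str, poll_seconds: float = 2.0, max_polls: int = 150) -> str:
    """Poll api/ce/task until the task completes and return its analysisId.

    fetch(path, **params) -> dict is injected so the loop can run against a fake offline.
    """
    status = "PENDING"
    for _ in range(max_polls):
        task = fetch("api/ce/task", id=task_id)["task"]
        status = task["status"]
        if status == "SUCCESS":
            return task["analysisId"]
        if status in ("FAILED", "CANCELED"):
            raise RuntimeError(f"analysis task {task_id} ended with status {status}")
        time.sleep(poll_seconds)
    raise TimeoutError(f"analysis task {task_id} still {status} after {max_polls} polls")


def evaluate_gate(project_status: dict) -> tuple:
    """Return (gate status, one readable line per condition in ERROR).

    comparator LT means the condition errors when actualValue is below
    errorThreshold (e.g. coverage); GT means it errors when above (e.g. duplication).
    """
    body = project_status["projectStatus"]
    failed = []
    for cond in body.get("conditions", []):
        if cond["status"] != "ERROR":
            continue
        required = ">=" if cond["comparator"] == "LT" else "<="
        failed.append(f"{cond['metricKey']}: actual {cond['actualValue']}, "
                      f"required {required} {cond['errorThreshold']}")
    return body["status"], failed


# Constructed sample of a project_status response in which only new-code coverage failed.
SAMPLE_STATUS = {
    "projectStatus": {
        "status": "ERROR",
        "conditions": [
            {"status": "OK", "metricKey": "new_duplicated_lines_density",
             "comparator": "GT", "errorThreshold": "3", "actualValue": "0.0"},
            {"status": "ERROR", "metricKey": "new_coverage",
             "comparator": "LT", "errorThreshold": "80", "actualValue": "61.5"},
            {"status": "OK", "metricKey": "new_security_hotspots_reviewed",
             "comparator": "LT", "errorThreshold": "100", "actualValue": "100.0"},
        ],
    }
}


def main() -> int:
    token = os.environ["SONAR_TOKEN"]

    def fetch(path, **params):
        return api_get(SONAR_URL, token, path, **params)

    analysis_id = wait_for_task(fetch, read_task_id())
    status, failed = evaluate_gate(
        fetch("api/qualitygates/project_status", analysisId=analysis_id))
    print(f"Quality Gate: {status}")
    for line in failed:
        print("  FAILED", line)
    return 0 if status == "OK" else 1


if __name__ == "__main__":
    sys.exit(main())
```

Querying by analysisId rather than projectKey ties the verdict to the analysis this pipeline run produced; with projectKey alone, a slow compute engine can hand you the previous run's result and let a bad change through. The token only needs "Browse" on the project for these two reads.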

Debugging Scenario

The Quality Gate fails on a single condition: coverage on new code. Before touching tests, confirm in the project_status response that the failing metric is new_coverage and that a coverage report was actually imported by the analysis; a missing or mis-pathed report also shows up as 0% coverage on new code. Here the investigation shows a new feature file was added without any tests. Fix: make sure every PR ships tests alongside new logic, enforced both by code review and by the gate condition. Do not simply lower the coverage threshold; address the missing tests.

Interview Questions

Beginner

  • What is a Quality Gate?
  • What is a Quality Profile?
  • What does "new code" mean in SonarQube gates?
  • Can multiple projects share one Quality Gate?
  • Can you have multiple Quality Profiles per language?

Intermediate

  • How do you prevent a Quality Gate from blocking legacy projects during rollout?
  • How do you customize rules in a Quality Profile?
  • What conditions make a good Quality Gate for a production API?
  • How does the Sonar Way gate differ from a custom one?
  • How do you enforce different gates per environment (dev vs release)?

Scenario-based

  • Gate fails because of old code duplication. Team says it is unfair. How do you respond?
  • Coverage threshold is met but only by testing trivial getters. What do you change?
  • Different teams want different gates. How do you organize this without chaos?
  • Gate passes but production has a bug. What might the gate have missed?
  • Security team wants all OWASP rules enforced. How do you set this up?

Real-world Use Case

A cloud platform team created three Quality Profiles (standard, security-enhanced, and legacy-tolerant) and assigned one to each service tier. The security-enhanced profile activated all OWASP-mapped rules and was applied only to internet-facing APIs.

Summary

Quality Gates enforce standards automatically at the right point in the pipeline. Quality Profiles let you tune the rules to the context of each project. Next lesson shows how to read reports and dashboards to track progress over time.