What does 'clean as you code' mean in SonarQube, and why focus on new code? [Basic]
Answer
Clean as you code means holding new or changed code to a high standard, even if the legacy codebase still has debt. The idea is to stop adding new problems first, then gradually remediate old issues based on risk and capacity.
Technical explanation
- It makes adoption realistic because old code does not block every delivery pipeline immediately.
- It creates personal ownership: developers fix the issues introduced in their current change.
- It improves the trend of the system over time because every release is expected to leave the changed code clean.
Hands-on example
Rollout steps: set the new-code definition to the main branch or to the last release, so that only code added or changed since that reference point is measured. Configure the quality gate to require zero new critical vulnerabilities, no new blocker bugs, and a minimum coverage on new code. Track legacy debt separately in a remediation backlog so the gate never fails on old issues.
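The following is an added example, not code from the original page or from SonarSource. It models how a quality gate built from new-code conditions evaluates an analysis: the same project with heavy legacy debt passes a new-code gate and fails an overall-metrics gate, which is the practical reason the rollout above gates on new code. The metric keys (`new_vulnerabilities`, `new_bugs`, `new_coverage`), the web API endpoints and their parameter names, and the sample measures are assumptions for illustration; check the endpoints against your server's API documentation before scripting a real rollout.

```python
"""Added example (not from the original page): a small model of how a
SonarQube-style quality gate evaluates only new-code metrics, so a project
carrying legacy debt still passes when the change itself is clean.
Metric keys, API endpoints and sample measures are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Condition:
    metric: str   # measure key, e.g. "new_vulnerabilities" (assumed key)
    op: str       # "GT": fail when value > error; "LT": fail when value < error
    error: float  # threshold at which the condition fails


# Gate from the rollout described above: nothing new may be introduced and
# new code must reach a minimum coverage. Overall (legacy) metrics are not gated.
CLEAN_AS_YOU_CODE_GATE = [
    Condition("new_vulnerabilities", "GT", 0),
    Condition("new_bugs", "GT", 0),
    Condition("new_coverage", "LT", 80.0),
]

# Contrast: a gate on overall metrics, which blocks every pipeline on legacy debt.
LEGACY_GATE = [
    Condition("vulnerabilities", "GT", 0),
    Condition("coverage", "LT", 80.0),
]

# Constructed sample measures from an analysis of a project in heavy debt.
LEGACY_HEAVY_PROJECT = {
    "vulnerabilities": 37, "bugs": 112, "coverage": 21.5,            # overall: in debt
    "new_vulnerabilities": 0, "new_bugs": 0, "new_coverage": 86.0,   # changed code: clean
}

# Constructed: the same project after a change that adds one vulnerability
# and lands with poorly tested new lines.
REGRESSING_CHANGE = {**LEGACY_HEAVY_PROJECT,
                     "new_vulnerabilities": 1, "new_coverage": 62.0}


def condition_failed(cond, measures):
    value = measures.get(cond.metric)
    if value is None:
        return False  # no measure (e.g. no new lines at all): condition is skipped
    if cond.op == "GT":
        return value > cond.error
    if cond.op == "LT":
        return value < cond.error
    raise ValueError(f"unknown operator {cond.op}")


def evaluate_gate(gate, measures):
    """Return ("OK" | "ERROR", [metric keys of failed conditions, in gate order])."""
    failed = [c.metric for c in gate if condition_failed(c, measures)]
    return ("ERROR" if failed else "OK", failed)


def rollout_requests(project_key, gate_name, gate):
    """POST requests a rollout script would send (assumed endpoint and parameter
    names; built here, not executed). Order: new-code definition, gate, conditions,
    then attach the gate to the project."""
    reqs = [
        ("api/new_code_periods/set", {"project": project_key, "type": "PREVIOUS_VERSION"}),
        ("api/qualitygates/create", {"name": gate_name}),
    ]
    for c in gate:
        reqs.append(("api/qualitygates/create_condition",
                     {"gateName": gate_name, "metric": c.metric, "op": c.op, "error": c.error}))
    reqs.append(("api/qualitygates/select", {"gateName": gate_name, "projectKey": project_key}))
    return reqs


if __name__ == "__main__":
    print("new-code gate, clean change:", evaluate_gate(CLEAN_AS_YOU_CODE_GATE, LEGACY_HEAVY_PROJECT))
    print("legacy gate, same project:  ", evaluate_gate(LEGACY_GATE, LEGACY_HEAVY_PROJECT))
    print("new-code gate, regression:  ", evaluate_gate(CLEAN_AS_YOU_CODE_GATE, REGRESSING_CHANGE))
    for endpoint, params in rollout_requests("demo-project", "clean-as-you-code", CLEAN_AS_YOU_CODE_GATE):
        print("POST", endpoint, params)
```

The evaluator shows the gate's behaviour on three inputs: a legacy-heavy project with a clean change passes, the same project fails a gate on overall metrics, and a regressing change fails on exactly the conditions it violated. The skipped-when-missing rule matters in practice: an analysis with no changed lines has no new-code measures, and the gate should not fail for that reason alone.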