How do you enforce that pull requests pass the quality gate before merge? [Basic]
Answer
I enforce pull-request quality gates by making the SonarQube quality gate a required status check in the source control system. The pipeline must run analysis for each PR and publish pass/fail status before merge is allowed.
Technical explanation
Branch protection in GitHub, GitLab, Bitbucket, or Azure DevOps should require the gate and prevent admin bypass except through controlled break-glass.
The gate should focus on new-code conditions so teams can adopt it without being blocked by historic debt.
Failures should include actionable links to the SonarQube issue view so developers can fix them quickly.
Hands-on example
Example: create a main-branch protection rule requiring the 'SonarQube Code Analysis' and 'unit-tests' status checks. In Jenkins, call waitForQualityGate and fail the build on any non-OK status. In GitHub, require that status check before the Merge button is enabled.
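The Jenkins half of that example as a declarative pipeline, added here as an illustration rather than taken from the original answer. It assumes a SonarQube server registered in Jenkins under the name 'SonarQube', a Maven project, a SonarQube webhook pointing back at Jenkins, and a multibranch job so that CHANGE_ID and CHANGE_TARGET are populated for PR builds.

```groovy
pipeline {
    agent any
    stages {
        stage('Build & Test') {
            steps {
                // Unit tests run first; a red build here never reaches analysis
                sh 'mvn -B verify'
            }
        }
        stage('SonarQube Analysis') {
            steps {
                // 'SonarQube' is the server name configured in Jenkins (assumed)
                withSonarQubeEnv('SonarQube') {
                    script {
                        // On a PR build, pass the PR coordinates so SonarQube
                        // evaluates new-code conditions against the target branch
                        def prArgs = env.CHANGE_ID ?
                            "-Dsonar.pullrequest.key=${env.CHANGE_ID} " +
                            "-Dsonar.pullrequest.branch=${env.CHANGE_BRANCH} " +
                            "-Dsonar.pullrequest.base=${env.CHANGE_TARGET}" : ''
                        sh "mvn -B sonar:sonar ${prArgs}"
                    }
                }
            }
        }
        stage('Quality Gate') {
            steps {
                // Wait for the webhook that carries the gate result; the timeout
                // turns a missing webhook into a failed build instead of a hung one
                timeout(time: 10, unit: 'MINUTES') {
                    script {
                        def qg = waitForQualityGate()
                        if (qg.status != 'OK') {
                            // Any non-OK status (ERROR, WARN, NONE) blocks the merge;
                            // the SonarQube dashboard link for the build is in the console log
                            error "Quality gate failed with status ${qg.status}"
                        }
                    }
                }
            }
        }
    }
}
```

With the SonarQube GitHub integration configured, the analysis result is also published to the PR as the 'SonarQube Code Analysis' check, which is the context to require in the branch protection rule.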