What is a SonarQube quality gate, and how do you use it to fail a build? [Basic]
Answer
A SonarQube quality gate is a set of pass/fail conditions applied to an analysis result. In CI, I use it to fail the build or block a merge when new code violates defined thresholds such as new vulnerabilities, coverage, bugs, or duplication.
Technical explanation
Quality gates are most effective when focused on new code, because legacy projects can adopt them without being blocked by old debt on day one.
The CI job submits the analysis, waits for the server to finish computing the gate result (the Jenkins plugin receives it through a SonarQube webhook, which is why the wait is bounded by a timeout), and returns a nonzero status if the gate fails.
Typical conditions include zero new critical vulnerabilities, minimum new-code coverage, acceptable duplication, and no blocker bugs.
Hands-on example
Jenkins example:
// Run the scanner with the server URL and token of the configured 'sonarqube' installation
withSonarQubeEnv('sonarqube') {
    sh 'mvn clean verify sonar:sonar'
}
// The gate is computed server-side and pushed back via webhook, so bound the wait
timeout(time: 5, unit: 'MINUTES') {
    def qg = waitForQualityGate()
    // Any status other than OK (ERROR, WARN, NONE) fails the build
    if (qg.status != 'OK') { error "Quality gate failed: ${qg.status}" }
}
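For CI systems without the Jenkins plugin, the same check can be made against the server's web API. This is an added example, not code from the original answer: it assumes the job has already resolved the analysis id from the scanner's report-task.txt and fetched api/qualitygates/project_status for it, and it re-evaluates each condition from its own numbers instead of trusting the summary status; the response body below is constructed.

```python
"""Fail a CI job from a SonarQube quality gate response (added example)."""
import json
import sys

# Constructed body, shaped like api/qualitygates/project_status (not a real analysis).
SAMPLE_RESPONSE = json.dumps({
    "projectStatus": {
        "status": "ERROR",
        "conditions": [
            {"status": "OK", "metricKey": "new_vulnerabilities",
             "comparator": "GT", "errorThreshold": "0", "actualValue": "0"},
            {"status": "ERROR", "metricKey": "new_coverage",
             "comparator": "LT", "errorThreshold": "80", "actualValue": "72.4"},
            {"status": "ERROR", "metricKey": "new_blocker_violations",
             "comparator": "GT", "errorThreshold": "0", "actualValue": "2"},
        ],
    }
})


def violates(condition: dict) -> bool:
    """True when a condition fails. The comparator names the bad direction:
    GT fails when actual > threshold, LT fails when actual < threshold.
    A condition without actualValue (metric not computed on new code)
    is treated as passing, matching the server."""
    actual = condition.get("actualValue")
    if actual is None:
        return False
    actual, threshold = float(actual), float(condition["errorThreshold"])
    if condition["comparator"] == "GT":
        return actual > threshold
    return actual < threshold


def gate_failures(body: str) -> list[str]:
    """One readable line per failing condition; an empty list means the gate passed."""
    status = json.loads(body)["projectStatus"]
    return [
        f"{c['metricKey']}: {c['actualValue']} {c['comparator']} {c['errorThreshold']}"
        for c in status["conditions"] if violates(c)
    ]


if __name__ == "__main__":
    # Pass the saved API response as argv[1]; falls back to the constructed sample.
    body = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RESPONSE
    failures = gate_failures(body)
    for line in failures:
        print("Quality gate condition failed:", line)
    sys.exit(1 if failures else 0)  # nonzero exit status fails the CI job
```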