Set Up Quality Gates
Quality gates enforce minimum standards on every pull request. When a scan completes, CodeStax evaluates findings against your policy and posts the verdict to the VCS (GitHub Check Run, Bitbucket Code Insights, or GitLab commit status). If block_merge_on_fail is on and your branch protection requires the check, failed gates block the merge.
What Quality Gates Check
Setting Up Your First Quality Gate
Configuration Reference
| Setting | Type | Default | Effect |
|---|---|---|---|
| Enable quality gate | Toggle | Off (new orgs) | Master switch. When off, scans run but no gate status is posted. |
| Block merge on fail | Toggle | Off | When on, failed gates surface as “failure” conclusion — branch-protection rules block merges. Off = “neutral” (monitor mode). |
| Apply to new code only | Toggle | On | Evaluates only findings with is_new_in_pr=true. Off = evaluates all findings including inherited debt. |
| Max new critical | Number | 0 | Max new critical findings allowed. |
| Max new high | Number | 2 | Max new high-severity findings. |
| Max new complexity findings | Number | 15 | Max new complexity findings. |
| Max duplication % | Number | 3.0 | Max overall duplication from jscpd summary. |
| Min new-code coverage % | Number | 80 | Minimum coverage from ingested lcov/cobertura/jacoco/clover reports. |
| Min quality rating | Dropdown A–E | C | Minimum composite A–E rating for the scan. |
How Gates Are Evaluated
Every enabled threshold is checked independently; any threshold that fails surfaces as a violation, and the gate fails when any condition fails.
Gate evaluated on scan #123:

```text
new_critical_max: 0 <= 0 ✓
new_high_max: 1 <= 2 ✓
duplication_pct: 2.1 <= 3.0 ✓
complexity_new_max: 8 <= 15 ✓
rating_min: B >= C ✓
new_coverage_min: 76 >= 80 ✗
Result: FAILED — 1 violation (new_coverage_min)
```

The result is posted to:
- GitHub → Check Run named “CodeStax Quality Gate”
- Bitbucket → Code Insights report
- GitLab → commit status
- PR comment (upserted by marker) — violations table + fix hints, no timeline spam on re-scans
- Scan detail widget inside the CodeStax dashboard
Per-Repo Policy Override
Commit .codestax/quality_gate.yaml to the repo root. This overrides org policy for that repo only.
```yaml
# .codestax/quality_gate.yaml
new_critical_max: 0
new_high_max: 0 # stricter than org default
new_coverage_min: 90
rating_min: B
duplication_pct_max: 2
complexity_new_max: 10
```

Merge order: defaults → org policy → repo override. Unknown keys are silently dropped. See Policy as Code for the full YAML reference.
Waivers
Exempt a specific rule from enforcement without raising org thresholds:
- Settings → Policies → Quality Gates → Manage waivers
- Click New waiver → pick rule, reason (required, audited), scope (org / repo / PR), optional expiry
- Gate re-evaluates on next scan; waived violations surface separately under waived_violations
See Manage Waivers for scope semantics + revoke flow.
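The three mechanisms above (independent threshold checks, the defaults → org → repo merge with unknown keys dropped, and waivers that move a rule into waived_violations) fit together as in this added Python model. It is illustrative code, not CodeStax's own implementation; the rule names follow the per-repo YAML keys, while the scan metric names and the "success" conclusion for a passing gate are this example's assumptions.

```python
# Illustrative model of the gate evaluation (added example, not CodeStax code).
# Built-in defaults, taken from the Configuration Reference table.
DEFAULTS = {
    "new_critical_max": 0, "new_high_max": 2, "complexity_new_max": 15,
    "duplication_pct_max": 3.0, "new_coverage_min": 80, "rating_min": "C",
}
# Scan metric compared against each rule (metric names are this example's assumption).
METRIC_FOR = {
    "new_critical_max": "new_critical", "new_high_max": "new_high",
    "complexity_new_max": "new_complexity", "duplication_pct_max": "duplication_pct",
    "new_coverage_min": "new_coverage_pct", "rating_min": "rating",
}
RATINGS = "ABCDE"  # A is best, so "B >= C" in the walkthrough passes

def merge_policy(org=None, repo=None):
    """Merge order: defaults -> org policy -> repo override. Unknown keys are dropped."""
    policy = dict(DEFAULTS)
    for layer in (org or {}, repo or {}):
        policy.update({k: v for k, v in layer.items() if k in DEFAULTS})
    return policy

def check(rule, value, limit):
    """One threshold: *_max rules are ceilings, *_min rules floors, ratings compare by rank."""
    if rule == "rating_min":
        return RATINGS.index(value) <= RATINGS.index(limit)
    return value <= limit if rule.endswith("_max") else value >= limit

def evaluate(policy, metrics, waived=(), block_merge_on_fail=False):
    """Check every enabled threshold independently and split waived rules out."""
    violations, waived_violations = [], []
    for rule, limit in policy.items():
        if not check(rule, metrics[METRIC_FOR[rule]], limit):
            (waived_violations if rule in waived else violations).append(rule)
    if not violations:
        conclusion = "success"  # assumed name for the passing conclusion
    else:  # "failure" blocks the merge via branch protection, "neutral" is monitor mode
        conclusion = "failure" if block_merge_on_fail else "neutral"
    return {"conclusion": conclusion, "violations": violations,
            "waived_violations": waived_violations}

if __name__ == "__main__":
    # Constructed metrics reproducing the "scan #123" walkthrough above.
    scan_123 = {"new_critical": 0, "new_high": 1, "new_complexity": 8,
                "duplication_pct": 2.1, "new_coverage_pct": 76, "rating": "B"}
    print(evaluate(merge_policy(), scan_123))           # neutral; ['new_coverage_min']
    repo = {"new_high_max": 0, "new_coverage_min": 90, "duplication_pct_max": 2}
    print(evaluate(merge_policy(repo=repo), scan_123))  # three violations
```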
Baseline Rebuild
After a large refactor, the default-branch baseline may contain fingerprints that no longer exist — causing spurious “new in PR” flags on later scans. Rebuild the baseline from the repo detail page (admin-only). See Baseline Rebuild.
Common Rollout Playbook
Related
- Policy as Code — repo-level YAML overrides
- Manage Waivers — rule exemptions with audit + expiry
- Baseline Rebuild — reset new-code delta after refactors
- Quality Gate API — REST reference for CI/CD integration