🚦 Quality Gate

Every service must pass these gates before being deployed to production.
Build success ≠ production readiness.

Gate Criteria

①

Unit + Integration Tests

dotnet test
🛑 BLOCK

Threshold: 100% pass

How to resolve a failure

  1. Run locally: dotnet test <Service>.Tests/ -v normal
  2. Check the TRX output for failed test names and stack traces
  3. Do not skip (ignore) tests — remove the [Ignore] attribute and fix the underlying issue
②

Security Scan

Trivy (container image)
🛑 BLOCK

Threshold: 0 HIGH/CRITICAL fixable CVEs

How to resolve a failure

  1. Run: trivy image <image-ref> --severity HIGH,CRITICAL --ignore-unfixed
  2. Update the affected NuGet / npm / OS package to the version in the "Fixed Version" column
  3. If no fix is available yet, add the CVE to .trivyignore with an expiry date (max 30 days) and a comment
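
An added example, not part of the original page or the project's tooling: a Python lint for step 3 that checks every .trivyignore entry carries an expiry at most 30 days out and a comment. It assumes Trivy's `exp:YYYY-MM-DD` suffix for the expiry and that the comment is a `#` line directly above the entry; the function name and the sample file are constructed.

```python
import re
from datetime import date, timedelta

MAX_DAYS = 30  # policy on this page: ignore entries expire within 30 days
# "<id> exp:YYYY-MM-DD" is Trivy's .trivyignore expiry syntax; Trivy itself treats exp as optional
ENTRY = re.compile(r"^(?P<id>\S+)(?:\s+exp:(?P<exp>\S+))?$")

def lint_trivyignore(text, today):
    """Return (line_no, finding_id, problem) for every policy violation."""
    problems = []
    commented = False  # was the previous line a '#' comment?
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            commented = line.startswith("#")
            continue
        m = ENTRY.match(line)
        if m is None:
            problems.append((n, line, "unparseable entry"))
            commented = False
            continue
        if not commented:
            problems.append((n, m["id"], "no comment above entry"))
        commented = False
        if m["exp"] is None:
            problems.append((n, m["id"], "no exp: date"))
            continue
        try:
            expires = date.fromisoformat(m["exp"])
        except ValueError:
            problems.append((n, m["id"], "invalid exp: date"))
            continue
        if expires > today + timedelta(days=MAX_DAYS):
            problems.append((n, m["id"], "expiry more than 30 days out"))
    return problems

# Constructed sample file; only CVE-2024-1234 appears on this page, the rest are placeholders.
SAMPLE = """\
# No fix released yet, risk accepted by QA
CVE-2024-1234 exp:2026-03-20
CVE-0000-0001 exp:2026-03-15
# Waiting for base image rebuild
CVE-0000-0002
# Vendor patch pending
CVE-0000-0003 exp:2026-12-31
"""

if __name__ == "__main__":
    for line_no, vuln, problem in lint_trivyignore(SAMPLE, date(2026, 3, 1)):
        print(f".trivyignore:{line_no}: {vuln}: {problem}")
```

Run in CI with `date.today()` and the real file contents, and fail the job when the returned list is non-empty.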
③

Code Coverage

dotnet coverage (Cobertura)
🛑 BLOCK

Threshold: ≥ 60% financial services · ≥ 40% others

How to resolve a failure

  1. Run: dotnet test --collect:"XPlat Code Coverage" --results-directory ./coverage
  2. Open coverage/*/coverage.cobertura.xml and look for low-coverage files (line-rate)
  3. Add tests for the uncovered business logic — focus on happy path + one error path per public method
  4. Financial services (Accounting, Billing, Treasury, POS, Purchasing, FixedAssets) must reach 60%
④

Static Analysis

Roslyn Analyzers
🛑 BLOCK

Threshold: 0 critical errors

How to resolve a failure

  1. Run: dotnet build -p:RunAnalyzersDuringBuild=true and inspect error lines
  2. Fix the reported diagnostic (e.g. CA2007, CS8600) — do not suppress without a documented reason
  3. Add #pragma warning disable XXXX only when the false-positive is confirmed, with a comment explaining why
⑤

OpenAPI Contract Compatibility

oasdiff
🛑 BLOCK

Threshold: 0 breaking changes vs main

How to resolve a failure

  1. Run: oasdiff breaking openapi-base.yaml openapi.yaml --format text
  2. Removing an endpoint, changing a required parameter type, or removing a response field are all breaking
  3. Version the API (v2) or use additive-only changes when backward compatibility cannot be maintained
  4. If no openapi.yaml exists yet, the gate is skipped — add one to enable this protection
⑥

Architecture Tests (KafkaLibrary)

NetArchTest / ArchUnitNET
🛑 BLOCK

Threshold: 100% pass

How to resolve a failure

  1. Run: dotnet test <Service>.ArchTests/
  2. Common violations: using Confluent.Kafka directly instead of KafkaLibrary abstractions
  3. Fix by replacing direct Confluent.Kafka usage with the IEventPublisher / IEventConsumer interfaces
  4. If no ArchTests project exists, the gate emits a WARN — create one to enforce patterns (see TASK-127)
⑦

Performance Smoke (p95)

k6
⚠️ WARN

Threshold: p95 < 500ms baseline + 20% = 600ms

How to resolve a failure

  1. Run: k6 run --env BASE_URL=https://staging.innovask.com tools/quality-gate/smoke.js
  2. Check for N+1 queries, missing DB indexes, or uncached hot paths
  3. Use dotnet-trace or Application Insights to profile the slow endpoint
  4. WARN does not block production, but a P95 > 1000ms should be escalated immediately

Financial Services (stricter coverage)

The following services require ≥ 60% line coverage (vs 40% for others):

Override Process

If a blocking gate cannot be fixed immediately, the QA team can override by:

  1. Opening a ticket in the issue tracker describing the risk and reason
  2. Entering the ticket reference in the override_reason field when triggering a manual deployment:
    QG-OVERRIDE-2026-0042: approved by @qa-lead — CVE-2024-1234 has no fix yet, risk accepted
  3. The override is logged in the Quality Gate Report artifact for audit
  4. Overrides expire after 14 days — the gate is enforced again after that

Running the gate locally

# From the DevOps repo root:
./tools/quality-gate/run.sh ../../Accounting_Api --financial

# With a built container image:
./tools/quality-gate/run.sh ../../Auth_Api --image ghcr.io/org/auth-api:sha-abc1234

CI/CD Integration

CI (ci-*.yml)  →  build + test + Trivy
                  │
                  ▼ push to main (success)
CD (cd.yml)
  ├── deploy-staging       # automatic
  ├── await-approval       # manual reviewer
  ├── quality-gate         # 🚦 all gates evaluated here
  └── deploy-production    # runs ONLY if quality-gate passes

Artifacts are saved for 90 days: quality-gate-report-{service}-{run_id}.json