GitHub Actions Workflow

Add the following job to your .github/workflows/quality_gates.yml. It will trigger on every push to your repository and run quality gate checks to detect secrets and other security issues: 
name: Quality Gate Scan

on:
  push:
    branches: 
      - '**'

permissions:
  contents: read

jobs:
  quality-gate:
    name: Quality Gate Scan
    runs-on: ubuntu-latest
    steps:
    - name: Checkout
      uses: actions/checkout@v4

    - name: Fetch quality gates script
      env:
        API_BASE: https://api.codeant.ai
      run: |
        curl -sS -X GET "${API_BASE}/analysis/ci/quality-gates/script/get" \
          --output quality_gates.sh.b64
    
    - name: Make script executable
      run: |
        base64 -d quality_gates.sh.b64 > quality_gates.sh
        chmod +x quality_gates.sh

    - name: Start Quality Gate Scan
      id: start-scan
      env:
        ACCESS_TOKEN: ${{ secrets.ACCESS_TOKEN }}    # PAT or repo token
        REPO_NAME:    ${{ github.repository }}       # e.g. org/repo
        COMMIT_ID:    ${{ github.sha }}              # current commit SHA
      run: |
        echo "Starting quality gate scan..."
        ./quality_gates.sh \
          -a "$ACCESS_TOKEN" \
          -r "$REPO_NAME" \
          -c "$COMMIT_ID" \
          -s github \
          -o start
        echo "Quality gate scan initiated successfully"

    - name: Poll for Quality Gate Results
      id: poll-results
      env:
        ACCESS_TOKEN: ${{ secrets.ACCESS_TOKEN }}    # PAT or repo token
        REPO_NAME:    ${{ github.repository }}       # e.g. org/repo
        COMMIT_ID:    ${{ github.sha }}              # current commit SHA
      run: |
        echo "Polling for quality gate results..."
        ./quality_gates.sh \
          -a "$ACCESS_TOKEN" \
          -r "$REPO_NAME" \
          -c "$COMMIT_ID" \
          -s github \
          -o results \
          -t 300 \
          -p 15

    - name: Quality Gate Status
      if: always()
      run: |
        if [ "${{ job.status }}" = "success" ]; then
          echo "✅ Quality Gate PASSED - No secrets detected"
          echo "::notice title=Quality Gate::Quality gate passed successfully"
        else
          echo "L Quality Gate FAILED - Secrets detected or scan error"
          echo "::error title=Quality Gate::Quality gate failed - please review the detected issues"
          exit 1
        fi
Important:
  • Add an ACCESS_TOKEN secret in your repository settings (Settings -> Secrets and variables -> Actions).
  • The quality gate will fail your build if secrets are detected in the changed code.

How it works

  1. Download script
    We fetch the quality gates script (quality_gates.sh) from the CodeAnt API endpoint.
  2. Start scan
    The script initiates a quality gate scan for your commit using the -o start operation.
  3. Poll for results
    The script polls for scan results using the -o results operation with:
    • Timeout: 300 seconds (5 minutes)
    • Poll interval: 15 seconds
  4. Pipeline feedback
    • Success: Quality gate passes if no secrets are detected
    • Failure: Quality gate fails if secrets are found, blocking the build

Script Parameters

The quality_gates.sh script accepts the following parameters:
ParameterDescriptionRequiredExample
-a, --access-tokenGitHub Personal Access Token or repo tokenYes${{ secrets.ACCESS_TOKEN }}
-r, --repoRepository in format owner/repositoryYes${{ github.repository }}
-c, --commit-idCommit SHA to scanYes${{ github.sha }}
-s, --serviceVCS providerYesgithub
-o, --operationOperation to perform (start or results)Yesstart or results
-t, --timeoutTimeout in seconds for polling (default: 300)No300
-p, --poll-intervalPoll interval in seconds (default: 15)No15
-u, --base-urlBase URL for VCS service (optional)Nohttps://github.com

Quality Gate Checks

Currently, the quality gate performs the following checks:

Secret Detection

  • Scans for hardcoded secrets, API keys, passwords, and tokens
  • Analyzes only the changed lines since your merge base commit
  • Uses high-confidence detection to minimize false positives
  • Blocks the build if any secrets are found

Best Practices

  1. Run on all branches: Quality gates should run on every push to catch issues early
  2. Block merges: Configure branch protection rules to require quality gate checks before merging
  3. Review failures: When quality gates fail, review the detected issues immediately
  4. Keep tokens secure: Never commit access tokens directly - always use GitHub Secrets

Troubleshooting

Quality gate times out

If the scan takes longer than expected:
  • Increase the timeout using -t 600 (10 minutes)
  • Check if the CodeAnt service is operational

Authentication failures

If you see “Access token invalid”:
  • Verify your ACCESS_TOKEN secret is correctly configured
  • Ensure the token has appropriate repository permissions

No results returned

If the scan completes but returns no results:
  • Check that quality gates are enabled for your repository in CodeAnt
  • Verify the commit SHA is correct
With quality gates in place, every push will automatically be scanned for security issues, helping you maintain code security and compliance standards.