Overview

At CodeAnt, every pull request has to clear a set of CodeAnt AI Quality Gates before it can merge. A single comment on the PR tells us whether Secrets, Duplicate Code, and SAST checks all passed — and links back to the full results in the dashboard. If any gate fails, the PR is blocked until the regression is fixed.

Why This Matters

Review comments catch the issues a human reviewer would notice anyway. Quality gates catch the ones nobody notices until production: a secret that slipped into a config file, a paragraph of copy-pasted logic that doubles the maintenance burden, a new SQL injection vector. Wiring these as hard gates — not advisory warnings — means regressions never land on main by default.

How We Use It

  1. Configure gates once per repo. In Settings -> Quality Gates, we set thresholds for Secrets, Duplicate Code, and SAST. Our defaults: zero new secrets, zero new high/critical SAST findings, and a ceiling on newly-introduced duplication.
  2. CodeAnt AI runs automatically on every PR. When a PR is opened or updated, CodeAnt AI scans the diff and posts a single Quality Gate Results comment with the pass/fail state of each gate.
  3. PASSED → proceed to review. If every gate is green, reviewers focus on logic, architecture, and naming — not hunting for leaked tokens.
  4. FAILED → fix before merge. A failing gate surfaces the exact file and line. The author pushes a fix, the gates re-run on the new commit, and we move on.
  5. Click through for detail. The “View Full Results” link in the comment opens the full scan in the dashboard, with the list of findings, severities, and affected files.

What It Looks Like

Here’s a real Quality Gate comment from a recent backend PR — commit d337593e, all three gates passing:

[Image: Quality Gate comment on a CodeAnt PR]

What We Pay Attention To

  • Secrets must be zero. A single leaked token can compromise an entire environment. A Secrets failure is never waived — the offending commit is rewritten and the credential is rotated.
  • New SAST findings block merge. Existing findings are tracked separately as debt; new ones introduced by a PR are blocking.
  • Duplicate Code is a trend signal. One-off duplication is rarely blocking on its own, but a repeated rise in the duplication number tells us an abstraction is missing.
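The gate logic described in "How We Use It" and "What We Pay Attention To" (new findings block, existing findings are debt) can be modelled as a small evaluator. This is an added illustration written for this page, not CodeAnt's own implementation or configuration format; the `Finding` fields, the fingerprint matching, the 2% duplication ceiling and the sample findings are all assumptions constructed here.

```python
from dataclasses import dataclass

# Hypothetical gate policy mirroring the defaults described on this page;
# illustrative logic only, not CodeAnt's implementation.
BLOCKING_SEVERITIES = {"high", "critical"}

@dataclass(frozen=True)
class Finding:
    gate: str         # "secrets" or "sast"
    rule: str
    path: str
    fingerprint: str  # stable hash of the matched snippet (constructed here)
    severity: str = "low"

def new_findings(baseline, pr):
    """Findings present on the PR head but absent from the base branch.
    Match on (gate, rule, fingerprint) rather than line number so that
    pre-existing debt that merely shifted lines is not re-reported as new."""
    seen = {(f.gate, f.rule, f.fingerprint) for f in baseline}
    return [f for f in pr if (f.gate, f.rule, f.fingerprint) not in seen]

def evaluate_gates(baseline, pr, duplication_delta_pct, max_new_duplication_pct=2.0):
    """Return {gate: (passed, detail)}; any False blocks the merge."""
    new = new_findings(baseline, pr)
    secrets = [f for f in new if f.gate == "secrets"]
    sast = [f for f in new if f.gate == "sast" and f.severity in BLOCKING_SEVERITIES]
    return {
        "Secrets": (len(secrets) == 0, secrets),                 # zero new secrets
        "SAST": (len(sast) == 0, sast),                          # zero new high/critical
        "Duplicate Code": (duplication_delta_pct <= max_new_duplication_pct,
                           duplication_delta_pct),               # ceiling on new duplication
    }

def render_comment(results):
    """Build the single PR comment: one pass/fail line per gate plus the verdict."""
    lines = ["Quality Gate Results"]
    for gate, (ok, detail) in results.items():
        status = "PASSED" if ok else "FAILED"
        where = "" if ok or not isinstance(detail, list) else \
            " (" + ", ".join(f.path for f in detail) + ")"
        lines.append(f"- {gate}: {status}{where}")
    all_ok = all(ok for ok, _ in results.values())
    lines.append("All gates passed" if all_ok else "Merge blocked until regressions are fixed")
    return "\n".join(lines)

# Constructed sample: one pre-existing SAST finding (tracked as debt) and a PR
# that leaves it untouched but introduces a leaked access key.
BASELINE = [Finding("sast", "sql-injection", "api/users.py", "a1", "high")]
PR_HEAD = [
    Finding("sast", "sql-injection", "api/users.py", "a1", "high"),   # unchanged debt
    Finding("secrets", "aws-access-key", "config/settings.py", "b2", "critical"),
]
```

Running `render_comment(evaluate_gates(BASELINE, PR_HEAD, 0.5))` reports SAST and Duplicate Code as passed and Secrets as failed, pointing at config/settings.py.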

Get Started

See the Quality Gates setup page to configure gates for your own repositories.