What is Security Gate
Security Gate lets you control the security quality of source code before an MR/PR is merged by evaluating scan results against configured security thresholds.
How it works
When Security Gate is enabled, every MR/PR scan compares the number of issues found against the configured thresholds. Based on the comparison, the system returns a PASS or FAIL status through the API in your CI/CD pipeline.
- PASS — the number of issues does not exceed the configured thresholds
- FAIL — at least one threshold is exceeded
When Security Gate is Inactive, all MR/PR scans pass without checking any conditions.
Security Conditions
Security Gate evaluates against three scan types:
| Scan type | Description |
|---|---|
| Code Analysis | Detects security vulnerabilities in source code (SAST) |
| Secret Scanning | Detects hard-coded secrets and credentials |
| IaC Scanning | Detects misconfiguration in Infrastructure as Code |
Each scan type has four severity thresholds:
| Threshold | Meaning |
|---|---|
| Max Criticals | Maximum number of Critical issues allowed |
| Max Highs | Maximum number of High issues allowed |
| Max Mediums | Maximum number of Medium issues allowed |
| Max Lows | Maximum number of Low issues allowed |
Threshold rules:
- Value = 0 → blocks all issues at that severity (MR/PR will FAIL if any issue is found)
- Empty → the condition for that severity is skipped
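The following is an added reference evaluator, not the product's own code, that applies the rules above (PASS when no count exceeds its threshold, 0 blocks any issue, empty skips the condition, an inactive gate always passes). Scan type and severity keys, the `None`-for-empty convention, and the sample counts are assumptions made for the example.

```python
# Added example (not part of Security Gate): evaluate MR/PR scan counts
# against per-scan-type, per-severity thresholds and return PASS or FAIL.
from typing import Optional

SCAN_TYPES = ("code_analysis", "secret_scanning", "iac_scanning")
SEVERITIES = ("critical", "high", "medium", "low")

# Thresholds: scan type -> severity -> max allowed (None = empty, skipped).
Thresholds = dict[str, dict[str, Optional[int]]]
# Results: scan type -> severity -> number of issues found in the scan.
Results = dict[str, dict[str, int]]


def evaluate_gate(enabled: bool, thresholds: Thresholds,
                  results: Results) -> tuple[str, list[str]]:
    """Return ("PASS" or "FAIL", list of violated conditions)."""
    if not enabled:
        # Inactive gate: every MR/PR scan passes without checking conditions.
        return "PASS", []
    violations: list[str] = []
    for scan in SCAN_TYPES:
        for sev in SEVERITIES:
            limit = thresholds.get(scan, {}).get(sev)
            if limit is None:
                continue  # empty threshold: this severity is not evaluated
            found = results.get(scan, {}).get(sev, 0)
            if found > limit:  # a limit of 0 fails on any issue found
                violations.append(f"{scan}/{sev}: {found} found, max {limit}")
    return ("FAIL" if violations else "PASS"), violations


# Constructed sample configuration and scan counts (hypothetical values).
SAMPLE_THRESHOLDS: Thresholds = {
    "code_analysis": {"critical": 0, "high": 2, "medium": None, "low": None},
    "secret_scanning": {"critical": 0, "high": 0, "medium": 0, "low": 0},
    "iac_scanning": {"critical": 0, "high": 5, "medium": 10, "low": None},
}
SAMPLE_RESULTS: Results = {
    "code_analysis": {"critical": 0, "high": 2, "medium": 40, "low": 7},
    "secret_scanning": {"critical": 0, "high": 0, "medium": 1, "low": 0},
    "iac_scanning": {"critical": 0, "high": 3, "medium": 4, "low": 12},
}

if __name__ == "__main__":
    # Expected: FAIL, because one Medium secret exceeds the Max Mediums of 0.
    status, reasons = evaluate_gate(True, SAMPLE_THRESHOLDS, SAMPLE_RESULTS)
    print(status, reasons)
```

Note that the 40 Medium and 7 Low code-analysis findings do not affect the result, because those thresholds are empty and therefore skipped.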
Scope
Security Gate applies to all repositories linked to the workspace. New repositories added to the system are automatically included in Security Gate's scope when the feature is enabled.
Next step
- Configure Security Gate — enable, configure thresholds, and disable Security Gate