Adding Quality Gate to Security Pipelines
Once a Quality Gate profile has been created and configured (see the "Quality Gates" sections of the Application Administrator Guide), it can be added to the Security Pipeline(s) of one or more applications.
To add a Quality Gate to the Security Pipeline, select an application (see the Applications section) and open the Security Pipeline settings page (see the Security pipeline settings section).
Open the Quality Gate tab and select the previously created Quality Gate profile from the drop-down menu (see the "Quality Gates" section of the Application Administrator Guide), then click the Save button to enable the Quality Gate in the Security Pipeline.
Once a Quality Gate is added to the Security Pipeline, the list of conditions appears below.
To connect a different Quality Gate, select it from the drop-down menu and click the Save button. The page will display the conditions for the newly connected Quality Gate.
Only one Quality Gate can be connected to a Security Pipeline at a time. Once a new Quality Gate is connected, the previously connected one is disconnected automatically.
Click the Unlink button to disconnect the Quality Gate from the Security Pipeline.
Let's take a look at an example of using Quality Gate in the Security Pipeline. Suppose the following criteria are defined for releasing an application: absence of any high/critical severity issues identified by SAST and DAST tools.
To create a Quality Gate with these criteria, select the following parameters when configuring the Quality Gate profile (see the "Quality Gates" section of the Application Administrator Guide).
The list of specified conditions will look as follows.
So we have created a Quality Gate that, when connected to the Security Pipeline, will track compliance with the specified criteria.
If the Quality Gate criteria aren't met (in the example above, at least one vulnerability of high or critical severity is found during the scan), Maverix will stop the Security Pipeline and the application release will not be created. To issue a release that meets the specified Quality Gate criteria, all high and critical severity vulnerabilities should be fixed before launching the Security Pipeline that creates the application release.
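The release criteria from the example can be modelled outside the product as a pre-launch check. The following is an added illustration, not Maverix code or its API: the `Condition` and `Finding` record shapes, the severity labels, the `fixed` flag and the sample findings are all assumptions constructed for this example.

```python
from dataclasses import dataclass

# Severity ranking assumed for this example (not taken from the product).
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass(frozen=True)
class Condition:
    tool_type: str      # "SAST" or "DAST"
    min_severity: str   # findings at or above this severity violate the gate

@dataclass(frozen=True)
class Finding:
    tool_type: str
    severity: str
    title: str
    fixed: bool = False

# Criteria from the example: no high/critical issues from SAST or DAST tools.
RELEASE_GATE = [Condition("SAST", "high"), Condition("DAST", "high")]

def blocking_findings(cond, findings):
    """Open findings from cond.tool_type at or above cond.min_severity."""
    threshold = SEVERITY_RANK[cond.min_severity]
    blockers = []
    for f in findings:
        if f.fixed or f.tool_type.upper() != cond.tool_type:
            continue
        # Fail closed: a severity label that cannot be ranked counts as critical.
        rank = SEVERITY_RANK.get(f.severity.strip().lower(), SEVERITY_RANK["critical"])
        if rank >= threshold:
            blockers.append(f)
    return blockers

def evaluate_gate(conditions, findings):
    """Return (passed, violations), mapping each violated condition to its blockers."""
    violations = {c: b for c in conditions if (b := blocking_findings(c, findings))}
    return (not violations, violations)

# Constructed sample scan results (not real tool output).
SAMPLE_FINDINGS = [
    Finding("SAST", "Critical", "SQL injection in report query"),
    Finding("SAST", "medium", "Verbose error message"),
    Finding("DAST", "high", "Reflected XSS on search page", fixed=True),
    Finding("DAST", "low", "Missing cache-control header"),
]

if __name__ == "__main__":
    passed, violations = evaluate_gate(RELEASE_GATE, SAMPLE_FINDINGS)
    print("gate passed:", passed)
    for cond, blockers in violations.items():
        print(f"  {cond.tool_type}:", [f.title for f in blockers])
```

With the sample data, the gate fails on the single open critical SAST finding. The fixed DAST finding and the lower-severity findings do not block the release.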