Release Gate

Automated release readiness verification system. Aggregates results from security analysis, code quality metrics, test coverage, compliance assessments, and code review status into a single pass/fail/warn decision.

Overview

Release Gate implements GOST R 56939-2024 process 5.20 — analysis of unresolved defects before release. It provides:

  • Configurable profiles with severity-based thresholds (GOST, standard, minimal)
  • 6 check types: security, quality, testing, compliance, review, custom
  • Suppression mechanism for accepted risks with expiry dates
  • Decision history for trend analysis
  • CI integration with meaningful exit codes (0=PASS, 1=FAIL, 2=WARN)

Quick Start

# Run gate check with default profile
python -m src.cli release check --db path/to/db.duckdb

# Run with GOST profile
python -m src.cli release check --profile gost-56939

# Output as JSON
python -m src.cli release check --format json --output report.json

# Suppress a finding
python -m src.cli release suppress --finding-id F-1 --reason "false_positive"

# View history
python -m src.cli release history --limit 5

# List profiles
python -m src.cli release profiles

Profiles

Profiles define which checks to run and their thresholds. Three built-in profiles are provided:

GOST R 56939-2024

Strictest profile for regulatory compliance:

Check                     Type        Severity  Threshold
Critical vulnerabilities  security    blocker   max_critical: 0, max_high: 0
Unresolved taint paths    security    blocker   max_unresolved_taint_paths: 0
GOST compliance score     compliance  blocker   min_compliance_score: 60%
Threat model current      compliance  blocker   threat_model_required: true
Dead code                 quality     warning   max_dead_methods_percent: 5%
Test coverage             testing     warning   min_coverage_percent: 55%
Code review done          review      blocker   require_review_for_security_files: true
Medium findings           security    warning   max_medium: 20

Standard

Balanced profile for internal releases:

Check                     Type      Severity  Threshold
Critical vulnerabilities  security  blocker   max_critical: 0, max_high: 5
Code complexity           quality   warning   max_cyclomatic_complexity_avg: 15
Test coverage             testing   warning   min_coverage_percent: 55%

Minimal

Hotfix-only profile:

Check                     Type      Severity  Threshold
Critical vulnerabilities  security  blocker   max_critical: 0

Check Types

Security Check

Collects findings from SARIF files and CPG security patterns. Counts by severity (critical, high, medium, low) and compares against thresholds. Supports taint path detection.
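The counting-and-threshold step of the security check, written out as an added example (not the Release Gate project's own code). It assumes a finding's severity bucket is derived from its rule's security-severity property (the GitHub code scanning convention: 9.0 and above is critical, 7.0 to 8.9 high, 4.0 to 6.9 medium, anything lower low) and falls back to the SARIF result level when that property is absent; the SARIF document, rule ids and the level mapping are constructed for the example, and CPG patterns and taint paths are not covered.

```python
"""Security check: count SARIF findings by severity and compare with thresholds.

Added example, not Release Gate's own code. Assumption: a finding's bucket comes
from its rule's ``security-severity`` property (GitHub code scanning convention:
>= 9.0 critical, >= 7.0 high, >= 4.0 medium, else low); without that property
the SARIF result ``level`` is used (error -> high, warning -> medium, note -> low).
"""
import json
from collections import Counter

# Constructed SARIF 2.1.0 document: two rules carry a security-severity score,
# one result references a rule that is not declared at all.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner", "rules": [
            {"id": "SQLI-001", "properties": {"security-severity": "9.8"}},
            {"id": "XSS-002", "properties": {"security-severity": "6.1"}},
        ]}},
        "results": [
            {"ruleId": "SQLI-001", "level": "error",
             "message": {"text": "SQL built from request parameter"}},
            {"ruleId": "XSS-002", "level": "warning",
             "message": {"text": "Unescaped output in template"}},
            {"ruleId": "XSS-002", "level": "warning",
             "message": {"text": "Unescaped output in template"}},
            {"ruleId": "MISC-003", "level": "note",
             "message": {"text": "Deprecated API"}},
        ],
    }],
})

LEVEL_FALLBACK = {"error": "high", "warning": "medium", "note": "low", "none": "low"}


def bucket_from_score(score: float) -> str:
    """Map a CVSS-style security-severity score to a gate severity bucket."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def count_sarif_findings(sarif_text: str) -> Counter:
    """Return a Counter of findings per bucket across every run in the file."""
    doc = json.loads(sarif_text)
    counts: Counter = Counter()
    for run in doc.get("runs", []):
        rules = {r["id"]: r for r in run.get("tool", {}).get("driver", {}).get("rules", [])}
        for result in run.get("results", []):
            rule = rules.get(result.get("ruleId"), {})
            score = rule.get("properties", {}).get("security-severity")
            if score is not None:
                bucket = bucket_from_score(float(score))
            else:
                # SARIF defaults a result's level to "warning" when it is absent
                bucket = LEVEL_FALLBACK.get(result.get("level", "warning"), "medium")
            counts[bucket] += 1
    return counts


def evaluate_security_check(counts: Counter, params: dict) -> tuple[bool, list[str]]:
    """Compare counts against profile params (max_critical, max_high, ...).

    Returns (passed, violations). A bucket without a configured limit is ignored,
    so the minimal profile's ``max_critical: 0`` alone never fails on medium findings.
    """
    violations = []
    for bucket in ("critical", "high", "medium", "low"):
        limit = params.get(f"max_{bucket}")
        found = counts.get(bucket, 0)
        if limit is not None and found > limit:
            violations.append(f"{bucket}: {found} > max_{bucket}={limit}")
    return (not violations, violations)


# Thresholds taken from the "Critical vulnerabilities" row of the GOST profile table.
GOST_SECURITY_PARAMS = {"max_critical": 0, "max_high": 0}


def demo() -> tuple[bool, list[str]]:
    """Run the constructed SARIF through the GOST critical/high thresholds."""
    return evaluate_security_check(count_sarif_findings(SAMPLE_SARIF), GOST_SECURITY_PARAMS)


if __name__ == "__main__":
    print(dict(count_sarif_findings(SAMPLE_SARIF)))
    print(demo())
```

The constructed file yields one critical, two medium and one low finding, so the GOST thresholds fail on the single critical while a looser profile without a critical limit would only count the mediums against max_medium.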

Quality Check

Queries the CPG for code quality metrics:

  • Dead code percentage
  • Average cyclomatic complexity
  • Code duplication percentage

Gracefully skips when CPG is unavailable.

Testing Check

Validates test coverage percentage against configured threshold. Sources coverage data from CPG project stats or config.

Compliance Check

Integrates with the GOST R 56939-2024 compliance module. Checks:

  • Overall compliance score
  • Required processes at FULL status
  • Threat model freshness

Gracefully skips when compliance module is unavailable.

Review Check

Validates code review status:

  • Minimum approval count
  • Security-relevant files reviewed

Requires the base_ref parameter to identify changed files.

Custom Check

Executes user-defined scripts with configurable timeout. Exit code 0 = pass, non-zero = fail.

Suppressions

Findings can be suppressed (accepted risk) with:

python -m src.cli release suppress \
    --finding-id FINDING_ID \
    --reason "accepted_risk" \
    --expires 2026-06-01 \
    --ticket JIRA-123

Suppressions are stored in SQLite and automatically expire. Expired suppressions no longer exclude findings.

# List active suppressions
python -m src.cli release suppressions list

# Remove a suppression
python -m src.cli release suppressions remove --finding-id FINDING_ID
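A minimal suppression store showing how expiry interacts with finding exclusion, added here as an example and not taken from Release Gate's own code. The table schema, the rule that a suppression expiring on a date no longer applies on that date, and the sample findings are assumptions made for the example; the finding ids, reasons and ticket follow the commands shown above.

```python
"""Suppression store with expiry dates for accepted-risk findings.

Added example, not Release Gate's own code. Assumptions: an in-memory SQLite
table (the project's real schema is not documented here), ISO dates compared as
text, and a suppression that expires on a date no longer applies on that date.
"""
import sqlite3

SCHEMA = """
CREATE TABLE IF NOT EXISTS suppressions (
    finding_id TEXT PRIMARY KEY,
    reason     TEXT NOT NULL,
    expires    TEXT,      -- ISO YYYY-MM-DD, NULL means never expires
    ticket     TEXT
)
"""

# Constructed findings, in the shape a security check might report them.
SAMPLE_FINDINGS = [
    {"id": "F-1", "severity": "high", "title": "Hard-coded credential"},
    {"id": "F-2", "severity": "medium", "title": "Verbose error page"},
    {"id": "F-3", "severity": "critical", "title": "SQL injection"},
]


class SuppressionStore:
    def __init__(self, path: str = ":memory:"):
        self.conn = sqlite3.connect(path)
        self.conn.execute(SCHEMA)

    def add(self, finding_id, reason, expires=None, ticket=None) -> None:
        """Equivalent of `release suppress --finding-id ... --reason ... --expires ... --ticket ...`."""
        self.conn.execute(
            "INSERT OR REPLACE INTO suppressions (finding_id, reason, expires, ticket) "
            "VALUES (?, ?, ?, ?)",
            (finding_id, reason, expires, ticket),
        )
        self.conn.commit()

    def remove(self, finding_id) -> bool:
        """Equivalent of `release suppressions remove`; True if a row was deleted."""
        cur = self.conn.execute("DELETE FROM suppressions WHERE finding_id = ?", (finding_id,))
        self.conn.commit()
        return cur.rowcount > 0

    def active(self, today_iso: str) -> set[str]:
        """Finding ids whose suppression is still in force on `today_iso`.

        Expired rows stay in the table (useful for audit) but are no longer returned,
        so the finding reappears in the gate report automatically.
        """
        rows = self.conn.execute(
            "SELECT finding_id FROM suppressions WHERE expires IS NULL OR expires > ?",
            (today_iso,),
        ).fetchall()
        return {row[0] for row in rows}


def filter_findings(findings, store: SuppressionStore, today_iso: str):
    """Drop findings with an active suppression. Returns (kept_ids, suppressed_ids)."""
    active = store.active(today_iso)
    kept = [f["id"] for f in findings if f["id"] not in active]
    suppressed = [f["id"] for f in findings if f["id"] in active]
    return kept, suppressed


def demo() -> dict:
    """Evaluate the same finding set before and after one suppression expires."""
    store = SuppressionStore()
    store.add("F-1", "accepted_risk", expires="2026-06-01", ticket="JIRA-123")
    store.add("F-2", "false_positive")  # no expiry
    return {
        "2026-05-01": filter_findings(SAMPLE_FINDINGS, store, "2026-05-01"),
        "2026-06-01": filter_findings(SAMPLE_FINDINGS, store, "2026-06-01"),
    }


if __name__ == "__main__":
    for day, (kept, suppressed) in demo().items():
        print(day, "kept:", kept, "suppressed:", suppressed)
```

Keeping expired rows rather than deleting them preserves the record of who accepted which risk and why; the gate simply stops honouring them once the date has passed.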

Decision Logic

  1. All checks in the profile are executed sequentially
  2. Each check returns pass/fail with its configured severity (blocker/warning/info)
  3. Overall decision:
     • PASS: all checks passed
     • FAIL: at least one blocker check failed
     • WARN: only warning checks failed (no blockers)

Exit Codes

Code  Status  Description
0     PASS    All checks passed
1     FAIL    At least one blocker failed
2     WARN    Warnings only (use --fail-on-warn for exit code 1)
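The three decision steps and the exit-code mapping above, together with the script runner described under Custom Check, as an added example that is not the project's implementation. The CheckResult shape, the convention that a check function returning None means "skipped", the treatment of a failed info-severity check as non-blocking, the handling of a check that raises, and the sample checks are all assumptions made for the example.

```python
"""Decision logic, exit codes and the custom script check for a release gate.

Added example, not Release Gate's own implementation. Assumptions: the
CheckResult shape; a check function returning None means "skipped" (for example
the quality check when the CPG is unavailable) and counts as passed; a failed
info-severity check is reported but does not change the decision; a check that
raises is recorded as failed instead of aborting the gate.
"""
import subprocess
import sys
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class CheckResult:
    check_id: str
    severity: str          # "blocker" | "warning" | "info"
    passed: bool
    detail: str = ""
    skipped: bool = False


# A check is (id, severity, fn); fn returns (passed, detail) or None to skip.
Check = tuple[str, str, Callable[[], Optional[tuple[bool, str]]]]


def run_checks(checks: list[Check]) -> list[CheckResult]:
    """Step 1: run every check of the profile sequentially, in profile order."""
    results = []
    for check_id, severity, fn in checks:
        try:
            outcome = fn()
        except Exception as exc:  # a crashing check must not abort the gate
            outcome = (False, f"check raised {exc!r}")
        if outcome is None:
            results.append(CheckResult(check_id, severity, True, "skipped", skipped=True))
        else:
            passed, detail = outcome
            results.append(CheckResult(check_id, severity, passed, detail))
    return results


def decide(results: list[CheckResult]) -> str:
    """Step 3: FAIL if any blocker failed, WARN if only warnings failed, else PASS."""
    failed = [r for r in results if not r.passed and not r.skipped]
    if any(r.severity == "blocker" for r in failed):
        return "FAIL"
    if any(r.severity == "warning" for r in failed):
        return "WARN"
    return "PASS"


def exit_code(decision: str, fail_on_warn: bool = False) -> int:
    """0=PASS, 1=FAIL, 2=WARN; --fail-on-warn turns WARN into 1 for strict pipelines."""
    if decision == "FAIL":
        return 1
    if decision == "WARN":
        return 1 if fail_on_warn else 2
    return 0


def run_script_check(cmd: list[str], timeout_s: float) -> tuple[bool, str]:
    """Custom check: exit code 0 = pass, non-zero = fail; a timeout also fails."""
    try:
        proc = subprocess.run(cmd, timeout=timeout_s, capture_output=True, text=True)
    except subprocess.TimeoutExpired:
        return False, f"timed out after {timeout_s}s"
    return proc.returncode == 0, f"exit code {proc.returncode}"


# Constructed stand-in scripts, using the interpreter itself so they run anywhere.
PASS_CMD = [sys.executable, "-c", "raise SystemExit(0)"]
FAIL_CMD = [sys.executable, "-c", "raise SystemExit(3)"]
SLOW_CMD = [sys.executable, "-c", "import time; time.sleep(30)"]


def demo() -> tuple[str, int, int]:
    """A profile where only a warning-severity check fails: WARN, exit 2 (1 with --fail-on-warn)."""
    checks: list[Check] = [
        ("security.critical", "blocker", lambda: (True, "0 critical, 0 high")),
        ("quality.dead_code", "warning", lambda: None),                 # CPG unavailable
        ("testing.coverage", "warning", lambda: (False, "coverage 48% < 55%")),
        ("custom.smoke", "blocker", lambda: run_script_check(PASS_CMD, 10)),
    ]
    decision = decide(run_checks(checks))
    return decision, exit_code(decision), exit_code(decision, fail_on_warn=True)


if __name__ == "__main__":
    print(demo())
```

Treating a timed-out or crashing check as a failure rather than a skip is the safer default for a gate: a check that never produced a verdict should not silently let a release through.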

REST API

Method  Endpoint                           Description
POST    /api/v1/release/check              Run gate checks
GET     /api/v1/release/profiles           List profiles
GET     /api/v1/release/history            Decision history
POST    /api/v1/release/suppress           Create suppression
GET     /api/v1/release/suppressions       List suppressions
DELETE  /api/v1/release/suppressions/{id}  Remove suppression

MCP Tools

Tool                             Description
codegraph_release_gate_check     Run gate checks
codegraph_release_gate_profiles  List profiles
codegraph_release_gate_suppress  Manage suppressions (list/add/remove)

Configuration

Configuration in config.yaml:

release_gate:
  enabled: true
  default_profile: standard
  suppression_db: "data/release_suppressions.sqlite"
  history_db: "data/release_history.sqlite"
  store_history: true
  profiles:
    custom-profile:
      description: "Custom profile"
      checks:
        - id: security.critical
          name: "Critical vulns"
          type: security
          severity: blocker
          params:
            max_critical: 0

GOST R 56939-2024 Compliance

Release Gate satisfies process 5.20 requirements:

  • 5.20.2.1 (Acceptance procedure): Configurable profiles define acceptance criteria
  • 5.20.2.2 (Impact analysis of unresolved defects): Unresolved findings listed in report with severity assessment
  • 5.20.3.2 (Artifact: Analysis of unresolved defects): Markdown report includes dedicated section for unresolved findings

CI Integration

GitHub Actions

- name: Release Gate
  run: |
    python -m src.cli release check \
      --profile gost-56939 \
      --format json \
      --output gate-report.json

GitLab CI

release-gate:
  script:
    - python -m src.cli release check --profile standard --fail-on-warn
  allow_failure: false