PO.5.1 / PW.7.1 / SA-11 NIST SSDF v1.1

Code review gates security findings

Demonstrate that the organization operates enforceable automated security gates during code review that prevent merging or deployment of code containing security findings above defined thresholds.

Description

What this control does

This control enforces automated quality gates within the code review process that block merge or deployment when security vulnerabilities, insecure coding patterns, or policy violations exceed defined thresholds. Static application security testing (SAST), software composition analysis (SCA), or similar tooling runs during pull request or merge request workflows and fails the pipeline when findings meet severity or count criteria. This prevents vulnerable code from reaching production environments and shifts security accountability left into the development lifecycle.

Control objective

What auditing this proves

Demonstrate that the organization operates enforceable automated security gates during code review that prevent merging or deployment of code containing security findings above defined thresholds.

Associated risks

Risks this control addresses

  • Injection vulnerabilities (SQL, command, LDAP) introduced through unreviewed code reach production systems
  • Use of libraries with known CVEs is merged into mainline branches without detection or remediation
  • Hard-coded secrets, API keys, or credentials are committed to version control repositories
  • Insecure cryptographic implementations or use of deprecated algorithms bypass human review
  • Authorization bypass or privilege escalation flaws are deployed due to lack of automated enforcement
  • Cross-site scripting (XSS) or other client-side vulnerabilities are introduced without blocking mechanisms
  • Developers bypass or disable security checks without governance oversight or an audit trail

Testing procedure

How an auditor verifies this control

  1. Obtain the list of all active code repositories and CI/CD pipeline configurations used for production application deployments.
  2. Select a representative sample of repositories across application tiers (front-end, back-end, API, infrastructure-as-code).
  3. Review each repository's branch protection rules and merge policies to identify configured automated security checks.
  4. Examine CI/CD pipeline definitions (e.g., Jenkinsfile, GitHub Actions workflows, GitLab CI YAML) for SAST, SCA, or secret scanning tool integration.
  5. Retrieve configuration files for security scanning tools to verify threshold settings, severity levels, and fail conditions.
  6. Identify recent pull requests or merge requests and inspect pipeline execution logs to confirm security gates were invoked and results evaluated.
  7. Test enforcement by reviewing examples of blocked merges due to security findings or requesting demonstration of a simulated failing security gate.
  8. Verify existence of override or exception workflows and review audit logs for any bypass events, including approver identity and justification.

Evidence required

CI/CD pipeline configuration files (YAML, JSON, or Jenkinsfile) showing security tool integration and failure conditions; branch protection rules export from version control system; security scan tool configuration files defining thresholds and severity gates; screenshots or exports of recent pull request checks with security gate results; pipeline execution logs demonstrating blocked merges; exception approval records and audit logs for any gate bypasses.

Pass criteria

All sampled repositories demonstrate active automated security gates integrated into the merge workflow, configured with documented severity thresholds, and evidence confirms at least one instance of merge prevention due to security findings with no unauthorized bypasses.
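As an added illustration of the gate the description and step 8 refer to (severity and count thresholds, plus exceptions that count only when they carry an approver, a justification and an unexpired date), the following Python is example code written for this page, not a vendor tool or an artifact of the control itself. The finding fields, policy keys, rule ids, file paths, approver names and dates are constructed assumptions; a real pipeline would map SARIF or tool-specific output into the same shape before calling the gate.

```python
# Added example for this control page, not any vendor's tooling: a merge gate that
# evaluates scanner findings against a documented threshold policy. The finding
# shape and policy keys are assumptions; a pipeline would map SARIF into them.
from collections import Counter, namedtuple
from datetime import date

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}
Finding = namedtuple("Finding", "rule_id severity location")
# An approved exception is honoured only with approver, justification and an unexpired date.
Suppression = namedtuple("Suppression", "rule_id location approver justification expires")
# Policy: any single finding at or above block_at fails; lower severities have count limits.
POLICY = {"block_at": "high", "max_count": {"medium": 5}}

def evaluate_gate(findings, policy, suppressions, today):
    """Return (passed, reasons_for_failure, audit_trail_of_applied_suppressions)."""
    reasons, applied, effective = [], [], []
    for f in findings:
        s = next((x for x in suppressions if (x.rule_id, x.location) == (f.rule_id, f.location)), None)
        if s and s.approver and s.justification and s.expires >= today:
            applied.append(f"{f.rule_id}@{f.location} suppressed by {s.approver}: {s.justification}")
            continue
        effective.append(f)  # incomplete or expired exceptions do not suppress; finding still counts
    block = SEVERITY_RANK[policy["block_at"]]
    for f in effective:  # severity threshold: one finding is enough to block
        if SEVERITY_RANK[f.severity] >= block:
            reasons.append(f"{f.severity} finding {f.rule_id} at {f.location}")
    counts = Counter(f.severity for f in effective)
    for sev, limit in policy["max_count"].items():  # count thresholds for lower severities
        if counts[sev] > limit:
            reasons.append(f"{counts[sev]} {sev} findings exceed limit of {limit}")
    return not reasons, reasons, applied

# Constructed sample scan output: one high finding with a valid exception, one high
# finding whose exception has expired, and six medium findings (limit is five).
SAMPLE_FINDINGS = [Finding("py/sql-injection", "high", "app/db.py:42"),
                   Finding("py/weak-hash", "high", "app/auth.py:10")]
SAMPLE_FINDINGS += [Finding("py/log-injection", "medium", f"app/api.py:{n}") for n in range(6)]
SAMPLE_SUPPRESSIONS = [
    Suppression("py/sql-injection", "app/db.py:42", "appsec-lead", "parameterised query; false positive", date(2030, 1, 1)),
    Suppression("py/weak-hash", "app/auth.py:10", "dev1", "legacy code", date(2020, 1, 1)),  # expired
]

def run_gate(today=date(2025, 1, 1)):
    """Evaluate the constructed sample; returns (passed, reasons, applied)."""
    return evaluate_gate(SAMPLE_FINDINGS, POLICY, SAMPLE_SUPPRESSIONS, today)

if __name__ == "__main__":
    passed, reasons, applied = run_gate()
    print("PASS" if passed else "FAIL", *reasons, *applied, sep="\n")
```

The returned reasons are what the pipeline should print before exiting non-zero, and the applied list is the audit trail an auditor would ask for under step 8.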
