Forem: Muhammad Usman Shabir

How to set up automated code quality gates in GitHub Actions in under 5 minutes

Muhammad Usman Shabir — Mon, 06 Apr 2026 05:48:15 +0000

Every developer has shipped code they knew wasn't ready. Maybe it was a Friday afternoon merge, maybe the reviewer was in a rush. Either way, that shortcut cost the team hours — or worse, a production incident.

What if your CI pipeline could catch that before it ever reaches main?

That's exactly what a code quality gate does. And you can set one up in under five minutes.

What Is a Quality Gate?

A quality gate is a minimum quality score your code must pass before it's allowed to merge. Think of it as a bouncer for your codebase — if a pull request doesn't meet the threshold, the merge is blocked automatically.

It evaluates things like code complexity, readability, maintainability, and potential bugs, then returns a score. If the score falls below your configured minimum, the GitHub check fails and the PR can't be merged until the issues are fixed. No human gatekeeper needed. No bad code slipping through during a busy sprint.

Why You Need One

Bugs are cheap to fix when you catch them early. A logic error spotted during code review might take ten minutes to resolve. That same bug in production? It could mean rollback deployments, customer complaints, incident postmortems, and hours of debugging under pressure.

IBM's Systems Sciences Institute found that fixing a defect in production costs roughly six times more than fixing it during implementation. Other industry research puts the multiplier even higher.

The problem isn't that teams don't review code — it's that manual reviews are inconsistent. Reviewers get fatigued, context gets lost, and standards drift over time. An automated quality gate removes that variability. Every PR gets evaluated against the same criteria, every time.

It also takes pressure off senior developers who often end up as the bottleneck in review cycles. Instead of manually gatekeeping every merge, they can focus on architecture and mentorship while the gate handles the baseline checks.

Step-by-Step Setup

Here's how to get automated quality gates running on your repo using GetCodeReviews and GitHub Actions.

Step 1: Sign Up and Get Your API Key

Head to getcodereviews.com and create an account. Once you're in, navigate to your dashboard and grab your API key. You'll need this to authenticate the GitHub Action with the service.

Step 2: Add Your API Key to GitHub Secrets

Go to your GitHub repository, then Settings → Secrets and variables → Actions → New repository secret.

Name: CODESCAN_API_KEY
Value: Paste your API key from Step 1

This keeps your key secure and out of your codebase.

Step 3: Add the Workflow File

Create a new file at .github/workflows/code-quality-gate.yml and paste the following:

name: Code Quality Gate

on:
  pull_request:
    branches: [main, develop]

jobs:
  quality-check:
    runs-on: ubuntu-latest
    name: Run Code Quality Review

    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Get changed files
        id: changed
        run: |
          FILES=$(git diff --name-only origin/${{ github.base_ref }}...HEAD -- '*.js' '*.ts' '*.jsx' '*.tsx' '*.py' '*.go' '*.rb' | head -20)
          echo "files=$FILES" >> $GITHUB_OUTPUT

      - name: Run GetCodeReviews Quality Scan
        id: review
        run: |
          RESPONSE=$(curl -s -X POST https://getcodereviews.com/api/review \
            -H "Authorization: Bearer ${{ secrets.CODESCAN_API_KEY }}" \
            -H "Content-Type: application/json" \
            -d "{
              \"repo\": \"${{ github.repository }}\",
              \"pr_number\": ${{ github.event.pull_request.number }},
              \"files\": \"${{ steps.changed.outputs.files }}\"
            }")
          SCORE=$(echo $RESPONSE | jq -r '.score')
          echo "score=$SCORE" >> $GITHUB_OUTPUT
          echo "## Code Quality Report" >> $GITHUB_STEP_SUMMARY
          echo "**Score: $SCORE / 100**" >> $GITHUB_STEP_SUMMARY
          echo "$RESPONSE" | jq -r '.summary' >> $GITHUB_STEP_SUMMARY

      - name: Enforce Quality Gate
        run: |
          SCORE=${{ steps.review.outputs.score }}
          MINIMUM=70
          if [ "$SCORE" -lt "$MINIMUM" ]; then
            echo "❌ Quality gate failed. Score: $SCORE (minimum: $MINIMUM)"
            exit 1
          else
            echo "✅ Quality gate passed. Score: $SCORE"
          fi

Step 4: Set Your Minimum Score

In the workflow above, the MINIMUM variable is set to 70. This is a good starting point — strict enough to catch genuinely problematic code but forgiving enough that it won't block every minor style issue.

As your team gets comfortable, you can raise it to 80 or even 85. You can also make it configurable per-branch if you want stricter enforcement on main than on develop.

Step 5: Test It With a Bad PR

Push a branch with some intentionally sloppy code — deeply nested logic, no error handling, duplicated blocks. Open a pull request against main and watch the action run. You should see the check fail with a score below your threshold, along with a summary of what needs fixing.

This confirms the gate is working before your team relies on it.

What Happens When a PR Fails the Gate?

When a pull request scores below the minimum threshold, the GitHub check turns red and blocks the merge. The developer sees a clear summary in the PR timeline showing their score, what went wrong, and where to focus their fixes.

There's no guessing involved. The report highlights specific issues — things like high cyclomatic complexity, missing error handling, or code duplication — so the developer knows exactly what to address. They fix the flagged issues, push again, and the gate re-evaluates automatically.

This feedback loop is fast. Most developers get their PR passing on the second push. Over time, you'll notice that first-push quality starts improving on its own because the team internalizes the standards the gate enforces.

It also eliminates those awkward code review conversations where a senior dev has to tell someone their code isn't up to standard. The gate delivers the feedback objectively, and the team just focuses on fixing it.

Wrapping Up

Setting up a quality gate takes five minutes but saves your team hours every week. Bad code gets caught before it merges, reviews become faster, and your codebase stays consistent without relying on manual discipline.

If you want to explore advanced configurations — custom rulesets, team dashboards, or VS Code integration — check out the full documentation at getcodereviews.com/docs/api.

Your future self (and your on-call rotation) will thank you.

How a SQL injection bug passed 3 rounds of code review (and how AI caught it instantly)

Muhammad Usman Shabir — Tue, 31 Mar 2026 03:21:11 +0000

It was a Friday afternoon. The sprint was ending. Everyone wanted to go home.

A pull request came in for a new user lookup feature. Three senior developers reviewed it. All three approved it. It shipped to production that evening.

Two weeks later a security audit flagged it.

SQL injection. A textbook one. The kind that every developer learns about in their first week.

Here's the code that passed three rounds of review:

async function getUserById(userId) {
  const query = "SELECT * FROM users WHERE id = " + userId
  const result = await db.execute(query)
  return result.rows[0]
}

Three experienced developers looked at this. Nobody caught it.

Why Humans Miss These

Before explaining how AI caught it instantly, it's worth understanding why three smart developers missed something so fundamental.

Review fatigue is real.

That PR was the 14th one reviewed that Friday. By the time a developer reaches their 10th PR of the day their brain is actively looking for shortcuts. They scan for the obvious — broken logic, missing edge cases, typos. Deep security analysis requires a different kind of focus that nobody has at 4pm on a Friday.

Security issues don't look obviously wrong.

That SQL query looks perfectly reasonable at first glance. It's readable. It's concise. The variable name makes sense. Nothing visually jumps out as dangerous unless you specifically stop and think "wait, is this concatenating user input directly into a database query?"

Time pressure kills thoroughness.

Sprint deadlines create invisible pressure on reviewers. Nobody says "approve it faster" — but everyone feels the unspoken expectation. A thorough security review of one file can take 20-30 minutes. Nobody has that kind of time when there are 14 PRs in the queue.

What a Malicious Request Looks Like

Once that code shipped, any user could send this as their userId:

1 OR 1=1

Which turns the query into:

SELECT * FROM users WHERE id = 1 OR 1=1

Which returns every single user in the database.

The fix took literally 10 minutes once we found it. Parameterized queries:

async function getUserById(userId) {
  const query = "SELECT * FROM users WHERE id = $1"
  const result = await db.execute(query, [userId])
  return result.rows[0]
}

How AI Caught It Instantly

After that incident I started building GetCodeReviews — an AI code reviewer powered by Claude. I fed it that exact function. It caught it in 4 seconds. Here's the actual output:

Score: 23/100

CRITICAL — SQL Injection Vulnerability
Your query concatenates user input directly into a SQL string.
This allows an attacker to manipulate the query.

Fix: const query = "SELECT * FROM users WHERE id = $1"
      const result = await db.execute(query, [userId])

No fatigue. No time pressure. No Friday afternoon distraction. Just a clear, specific diagnosis with the exact fix to apply.

Setting Up Automated Security Scanning in 2 Minutes

The real power isn't the manual paste-and-review. It's catching these issues automatically before they ever reach a human reviewer. Here's how to add GetCodeReviews to your GitHub Actions workflow:
→ Sign up at getcodereviews.com and get your API key from the dashboard
→ Add your API key to GitHub Secrets: Settings > Secrets > CODESCAN_API_KEY
→ Add this workflow file to .github/workflows/code-review.yml:

name: AI Code Review
on:
  pull_request:
    types: [opened, synchronize]
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run GetCodeReviews
        uses: getcodereviews/action@v1
        with:
          api-key: ${{ secrets.CODESCAN_API_KEY }}
          min-score: 70

The min-score: 70 means any PR scoring below 70/100 automatically fails and cannot be merged until issues are fixed.

What It Catches Beyond SQL Injection

SQL injection is the obvious one but the AI catches a lot more that humans routinely miss:

Hardcoded credentials:

const apiKey = "sk-prod-abc123xyz789"
const db = connect("postgres://admin:password123@prod-db")

Missing error handling:

// No catch block = silent failures in production
async function fetchUserData(id) {
  const res = await fetch(`/api/users/${id}`)
  return res.json()
}

Off-by-one errors:

// i <= data.length accesses data[data.length] = undefined
for (var i = 0; i <= data.length; i++) {
  console.log(data[i].name)
}

The Uncomfortable Truth About Code Review

Human code review is essential. I'm not arguing we should replace it.

But human code review was never designed to catch every security vulnerability in every PR every day. Modern development — fast sprints, large teams, 10-15 PRs per day — has stretched code review far beyond what it was designed for.

AI doesn't replace the human review. It handles the mechanical part — catching the obvious security issues, the missing error handling, the dangerous patterns — so the human reviewer can focus on what humans are actually good at: architecture, business logic, maintainability.

Try It Yourself

Paste that vulnerable function into GetCodeReviews (getcodereviews.com) and see what happens. Free to try, no card needed.

Or drop your worst code review horror story in the comments. What's the most embarrassing bug that made it to production through a human review?

I'll go first: SQL injection in a user lookup function. Three senior developers approved it. Two weeks in production before anyone noticed.

We don't talk about that sprint anymore.

How to Set Up Automated Code Quality Gates in GitHub Actions in 5 Minutes

Muhammad Usman Shabir — Thu, 26 Mar 2026 22:00:03 +0000

Every team has had a bug slip through code review and make it to production.

Not because the developer didn't know better. Not because the reviewer wasn't paying attention. But because code review is a human process — and humans get tired, rushed, and distracted.

Quality gates fix this by automating the first pass. If your code scores below a minimum threshold, the build fails automatically. No human intervention needed. Bad code never reaches production.

In this tutorial I'll show you how to set one up in GitHub Actions in under 5 minutes.

What is a code quality gate?

A quality gate is a pass/fail check in your CI/CD pipeline that evaluates code against a defined standard. If the code doesn't meet the standard — the pipeline fails and the PR cannot be merged.

You've probably used basic quality gates already without calling them that:

ESLint failing a build on lint errors
Tests failing before a deploy
TypeScript refusing to compile with type errors

AI-powered quality gates take this further by catching things static analysis can't — logic bugs, security vulnerabilities, missing error handling, and performance anti-patterns.

What you need

A GitHub repository
A GetCodeReviews API key (free at getcodereviews.com)
5 minutes

Step 1 — Get your API key

You'll see a key that looks like this:

csai_a1b2c3d4e5f6...

Save this — you'll add it to GitHub Secrets in the next step.

Step 2 — Add your API key to GitHub Secrets

Go to your GitHub repo
Click Settings → Secrets and variables → Actions
Click New repository secret
Name: CODESCAN_API_KEY
Value: paste your API key
Click Add secret

Step 3 — Create the workflow file

Create .github/workflows/code-quality.yml in your repo:

name: Code Quality Gate

on:
  pull_request:
    types: [opened, synchronize, reopened]

permissions:
  pull-requests: write
  contents: read

jobs:
  quality-gate:
    name: AI Code Review
    runs-on: ubuntu-latest

    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Get changed files
        id: changed
        run: |
          echo "files=$(git diff --name-only origin/${{ github.base_ref }}...HEAD \
            | grep -E '\.(js|ts|jsx|tsx|py|go|rs|java|php|rb)$' \
            | head -10 \
            | tr '\n' ' ')" >> $GITHUB_OUTPUT

      - name: Run quality gate
        if: steps.changed.outputs.files != ''
        run: |
          MIN_SCORE=70
          TOTAL=0
          COUNT=0
          FAILED=0

          for FILE in ${{ steps.changed.outputs.files }}; do
            if [ -f "$FILE" ]; then
              echo "Reviewing: $FILE"

              CODE=$(cat "$FILE" | head -200)
              EXT="${FILE##*.}"

              RESPONSE=$(curl -s -X POST https://getcodereviews.com/api/review \
                -H "Content-Type: application/json" \
                -H "x-api-key: ${{ secrets.CODESCAN_API_KEY }}" \
                -d "{\"code\": $(echo "$CODE" | jq -Rs .), \"language\": \"$EXT\", \"source\": \"github\"}")

              SCORE=$(echo $RESPONSE | jq -r '.result.score // 0')
              SUMMARY=$(echo $RESPONSE | jq -r '.result.summary // "No summary"')

              echo "  Score: $SCORE/100 — $SUMMARY"

              TOTAL=$((TOTAL + SCORE))
              COUNT=$((COUNT + 1))

              if [ "$SCORE" -lt "$MIN_SCORE" ]; then
                FAILED=$((FAILED + 1))
                echo "  ❌ Below minimum score of $MIN_SCORE"
              else
                echo "  ✅ Passed"
              fi
            fi
          done

          if [ "$COUNT" -gt 0 ]; then
            AVG=$((TOTAL / COUNT))
            echo ""
            echo "Average score: $AVG/100 across $COUNT files"
            echo "Failed files: $FAILED"

            if [ "$FAILED" -gt 0 ]; then
              echo ""
              echo "❌ Quality gate failed — $FAILED file(s) scored below $MIN_SCORE/100"
              echo "Fix the issues flagged above and push again."
              exit 1
            else
              echo "✅ Quality gate passed!"
            fi
          fi

Commit and push this file. That's it — your quality gate is live.

Step 4 — Test it

Open a pull request with any code change. You'll see the AI Code Review check appear in the PR checks section.

If the code scores above 70/100 it passes with a green checkmark. Below 70 and it fails with details of exactly what needs fixing.

Here's an example of what the output looks like in the Actions log:

Reviewing: src/api/users.js
  Score: 45/100 — Critical security issues found
  ❌ Below minimum score of 70

Reviewing: src/utils/helpers.ts  
  Score: 88/100 — Clean code with minor suggestions
  ✅ Passed

Average score: 66/100 across 2 files
Failed files: 1

❌ Quality gate failed — 1 file(s) scored below 70/100
Fix the issues flagged above and push again.

Step 5 — Customize your threshold

Change the MIN_SCORE value in the workflow to match your team's standards:

MIN_SCORE=50   # Relaxed — catches only critical issues
MIN_SCORE=70   # Standard — balanced quality control (recommended)
MIN_SCORE=85   # Strict — high quality standard

Start at 70 and adjust based on your codebase. If you're adding this to an existing project, start lower (50-60) and raise it gradually as you fix existing issues.

What it catches

The AI reviews each changed file for:

🔴 Critical — SQL injection, XSS, hardcoded secrets, missing authentication checks

⚠️ Warnings — missing error handling, off-by-one errors, memory leaks, deprecated patterns

💡 Suggestions — performance improvements, best practice violations, refactoring opportunities

Each issue comes with a specific fix — not vague advice like "improve this function" but actual code you can copy and apply.

Blocking merges on failure (optional)

To prevent PRs from being merged when the quality gate fails:

Go to your repo → Settings → Branches
Click Add branch protection rule
Branch name pattern: main
Check Require status checks to pass before merging
Search for and select AI Code Review
Save

Now the merge button is greyed out until the quality gate passes. Bad code literally cannot reach your main branch.

Why this matters

Most security vulnerabilities don't get caught in code review because reviewers are focused on logic and functionality — not scanning every line for SQL injection patterns or checking if secrets are hardcoded.

Automated quality gates handle the first pass automatically. Your team still does the architectural review. The AI handles the security and bug check first — every single time, without getting tired.

The result: your code review process focuses on what humans are actually good at — understanding business logic, architecture decisions, and edge cases — instead of playing grep for security vulnerabilities.

Try it free

GetCodeReviews has a free tier with 10 reviews/month — enough to try it on your next PR.

Pro plan ($29/month) includes 200 reviews, full GitHub Actions integration, VS Code inline diagnostics, and analytics to track your team's code quality over time.

👉 getcodereviews.com

Built questions or hit an issue setting this up? Drop a comment below — I read and reply to every one.