CI/CD pipeline runs automated tests and blocks deployment on failures
Why it matters
Deploying untested code to production is a direct path to user-facing regressions, data corruption, and outages. Without CI/CD gates (NIST SP 800-218 PW.8, SSDF), a broken commit reaches users the moment it's merged. ISO 25010 reliability.maturity requires demonstrable automated quality gates. Teams without mandatory test runs discover failures in production — where the cost is measured in downtime, rollbacks, and lost trust — rather than in a pull request, where the cost is a 5-minute fix.
Severity rationale
Critical because untested code in production is a direct cause of undetected regressions, outages, and data integrity failures that affect all users simultaneously.
Remediation
Add a test workflow to .github/workflows/test.yml and enable branch protection to require it before merge.
# .github/workflows/test.yml
name: Tests
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
      - run: npm install
      - run: npm test
Then in GitHub → Settings → Branches → Add rule: require the status check named "test" (the job name in the workflow above) to pass before merging. Without the branch protection rule, the workflow runs and reports failures, but it doesn't block bad merges.
Detection
- ID: automated-tests
- Severity: critical
- What to look for: Enumerate every relevant item. Check for GitHub Actions workflows (.github/workflows/), GitLab CI (.gitlab-ci.yml), CircleCI (.circleci/config.yml), or other CI/CD configuration. Look for test commands in the workflow (e.g., npm test, jest, vitest, pytest, go test). Verify that test failures prevent merge or block deployment via branch protection rules or CI/CD status checks.
- Pass criteria: At least 1 of the following conditions is met. A CI/CD pipeline exists with automated tests that run on every pull request or commit. Test failures prevent merge or deployment (verified via workflow configuration or branch protection rules). Before evaluating, extract and quote the relevant configuration or code patterns found. Report the count of items checked even on pass.
- Fail criteria: No CI/CD pipeline found, or pipeline exists but tests are not mandatory — pull requests can merge despite test failures.
- Do NOT pass when: The item exists only as a placeholder, stub, or TODO comment — partial implementation does not count as passing.
- Skip (N/A) when: The project is not planned for production deployment.
- Cross-reference: For related security patterns, the Security Headers audit covers server-side hardening.
- Detail on fail: Specify what's missing. Example: "CI/CD pipeline found in GitHub Actions but no test command configured. Pull requests have no status check requirement." or "No CI/CD pipeline detected."
- Remediation: Set up automated testing in your CI/CD pipeline. For GitHub Actions:
  # .github/workflows/test.yml
  name: Tests
  on: [push, pull_request]
  jobs:
    test:
      runs-on: ubuntu-latest
      steps:
        - uses: actions/checkout@v4
        - uses: actions/setup-node@v4
        - run: npm install
        - run: npm test
  Then enable branch protection rules to require this check to pass before merge.
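A detection helper for the "What to look for" criteria above, added here as an example (it is not part of the audit tooling): it scans CI configuration text for the listed test runners, ignores commented-out or TODO placeholder steps, and returns the verdict, quoted evidence and item count the check asks for. The sample workflows and repository paths are constructed; branch protection cannot be read from repository files, so a pass is reported with a reminder to verify it.

```python
"""Detection helper for the automated-tests check: added example, not part of
the audit tooling. The CI snippets at the bottom are constructed samples."""
import re

# Test runners the check looks for (npm test, jest, vitest, pytest, go test).
TEST_CMD = re.compile(r"\b(npm test|npm run test|yarn test|jest|vitest|pytest|go test)\b")
# A step that only announces testing is a placeholder and must not pass.
STUB = re.compile(r"\b(TODO|FIXME|placeholder)\b", re.IGNORECASE)
# Repo-relative locations of CI configuration (GitHub Actions, GitLab CI, CircleCI).
CI_PATHS = (".github/workflows/", ".gitlab-ci.yml", ".circleci/config.yml")


def find_test_commands(config_text):
    """Return config lines that invoke a test runner and are not stubs.
    YAML comments are stripped first so a commented-out `# npm test` is ignored."""
    found = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if TEST_CMD.search(line) and not STUB.search(line):
            found.append(line)
    return found


def evaluate(repo_files):
    """repo_files maps repo-relative path -> contents. Returns (verdict, detail,
    items_checked) in the shape the check's pass/fail criteria describe."""
    ci_files = {p: t for p, t in repo_files.items() if p.startswith(CI_PATHS)}
    if not ci_files:
        return "fail", "No CI/CD pipeline detected.", 0
    quoted = [f"{p}: {c}" for p, t in ci_files.items() for c in find_test_commands(t)]
    if not quoted:
        return "fail", "CI/CD pipeline found but no test command configured.", len(ci_files)
    # A test step alone does not block merges; branch protection must still be confirmed.
    return "pass", "Found " + "; ".join(quoted) + ". Verify branch protection requires this check.", len(ci_files)


# Constructed samples: a real test step and a placeholder step that must not pass.
GOOD = "name: Tests\non: [push, pull_request]\njobs:\n  test:\n    steps:\n      - run: npm install\n      - run: npm test\n"
STUB_ONLY = "name: Tests\non: [push]\njobs:\n  test:\n    steps:\n      - run: echo TODO run npm test  # placeholder\n"

if __name__ == "__main__":
    for name, files in [("good", {".github/workflows/test.yml": GOOD}),
                        ("stub", {".github/workflows/test.yml": STUB_ONLY}),
                        ("none", {"README.md": "no pipeline"})]:
        print(name, evaluate(files))
```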
External references
- iso-25010:2011 · reliability.maturity — Maturity (degree to which system meets reliability needs under normal operation)
- nist:rev5 · SA-11 — Developer Testing and Evaluation
- ssdf:800-218 · PW.8 — Test executable code to identify and address vulnerabilities
Taxons
History
- 2026-04-18 · v1.0.0 · Initial import from deployment-readiness · automated