Deploying untested code to production is a direct path to user-facing regressions, data corruption, and outages. Without CI/CD gates (NIST SP 800-218 PW.8, SSDF), a broken commit reaches users the moment it's merged. ISO 25010 reliability.maturity requires demonstrable automated quality gates. Teams without mandatory test runs discover failures in production — where the cost is measured in downtime, rollbacks, and lost trust — rather than in a pull request, where the cost is a 5-minute fix.
Critical because untested code in production is a direct cause of undetected regressions, outages, and data integrity failures that affect all users simultaneously.
Add a test workflow to .github/workflows/test.yml and enable branch protection to require it before merge.
# .github/workflows/test.yml
name: Tests
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
      - run: npm install
      - run: npm test
Then in GitHub → Settings → Branches → Add rule: enable "Require status checks to pass before merging" and select the status check named "test" (the job ID above). Without the branch protection rule, the workflow still runs on every push and pull request, but a failing run does not block the merge.
ID: deployment-readiness.ci-cd-pipeline.automated-tests
Severity: critical
What to look for: Enumerate every relevant item. Check for GitHub Actions workflows (.github/workflows/), GitLab CI (.gitlab-ci.yml), CircleCI (.circleci/config.yml), or other CI/CD configuration. Look for test commands in the workflow (e.g., npm test, jest, vitest, pytest, go test). Verify that test failures prevent merge or block deployment via branch protection rules or CI/CD status checks.
Pass criteria: At least 1 of the following conditions is met. A CI/CD pipeline exists with automated tests that run on every pull request or commit. Test failures prevent merge or deployment (verified via workflow configuration or branch protection rules). Before evaluating, extract and quote the relevant configuration or code patterns found. Report the count of items checked even on pass.
Fail criteria: No CI/CD pipeline found, or pipeline exists but tests are not mandatory — pull requests can merge despite test failures.
Do NOT pass when: The item exists only as a placeholder, stub, or TODO comment — partial implementation does not count as passing.
Skip (N/A) when: The project is not planned for production deployment.
Cross-reference: For related security patterns, the Security Headers audit covers server-side hardening.
Detail on fail: Specify what's missing. Example: "CI/CD pipeline found in GitHub Actions but no test command configured. Pull requests have no status check requirement." or "No CI/CD pipeline detected."
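An added audit helper that applies the checks above (CI config locations, test commands, the placeholder rule, item count and the fail-detail wording) to a local checkout; it is example code, not part of this rule set. The config globs and test-runner patterns are assumptions drawn from the list above, and because branch protection is a repository setting that cannot be read from the checkout, a pass is reported with a note that it must be verified separately.

```python
import re
import tempfile
from pathlib import Path

# CI config locations the rule names: GitHub Actions, GitLab CI, CircleCI (assumed globs).
CI_GLOBS = (".github/workflows/*.yml", ".github/workflows/*.yaml",
            ".gitlab-ci.yml", ".circleci/config.yml")
# Test runners the rule lists as evidence of an automated test step.
TEST_CMD = re.compile(r"\b(npm test|npm run test|yarn test|pnpm test|jest|vitest|pytest|go test)\b")
PLACEHOLDER = re.compile(r"\b(TODO|FIXME|placeholder|stub)\b", re.IGNORECASE)


def audit_ci_tests(root: str) -> dict:
    """Audit one checkout: status, quoted evidence, and the count of configs checked."""
    base = Path(root)
    configs = sorted(p for g in CI_GLOBS for p in base.glob(g))
    commands, placeholders = [], []
    for cfg in configs:
        rel = str(cfg.relative_to(base))
        for n, line in enumerate(cfg.read_text().splitlines(), 1):
            if line.lstrip().startswith("#"):      # a comment is never evidence ...
                if PLACEHOLDER.search(line):        # ... and a TODO is a placeholder
                    placeholders.append(f"{rel}:{n}")
                continue
            m = TEST_CMD.search(line)
            if m:
                commands.append(f"{rel}:{n}: {line.strip()}")
    if not configs:
        detail = "No CI/CD pipeline detected."
    elif not commands:
        names = ", ".join(str(c.relative_to(base)) for c in configs)
        detail = f"CI/CD pipeline found ({names}) but no test command configured."
        if placeholders:
            detail += f" Only placeholder/TODO references: {', '.join(placeholders)}."
    else:
        detail = ("Test step(s) found: " + "; ".join(commands) +
                  ". Branch protection requiring this check must be verified in repo settings.")
    return {"status": "pass" if commands else "fail", "configs_checked": len(configs),
            "test_commands": commands, "placeholders": placeholders, "detail": detail}


def demo(mode: str) -> dict:
    """Constructed sample checkout: 'tests' has a real npm test step, 'todo' only a
    commented TODO, 'none' has no CI config at all."""
    root = tempfile.mkdtemp()
    if mode != "none":
        wf = Path(root, ".github", "workflows")
        wf.mkdir(parents=True)
        step = "      - run: npm test" if mode == "tests" else "      # TODO: add npm test step"
        (wf / "test.yml").write_text("name: Tests\non: [push, pull_request]\njobs:\n  test:\n"
                                     "    runs-on: ubuntu-latest\n    steps:\n"
                                     "      - uses: actions/checkout@v4\n      - run: npm ci\n"
                                     + step + "\n")
    return audit_ci_tests(root)
```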
Remediation: Set up automated testing in your CI/CD pipeline. For GitHub Actions:
# .github/workflows/test.yml
name: Tests
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
      - run: npm install
      - run: npm test
Then enable a branch protection rule that requires the "test" status check to pass before merge; without it, the workflow runs but does not block merges.