Practice vocabulary for security gates in CI/CD pipelines: blocking vs. advisory gates, fail-open vs. fail-closed, and risk acceptance workflows.
1 / 5
What is a 'security gate' in a CI/CD pipeline?
A security gate is an automated checkpoint in the pipeline that evaluates security scan results against defined thresholds. If the threshold is exceeded (e.g., a critical CVE found), the gate either blocks the pipeline or raises a warning, depending on its configuration.
2 / 5
What is the difference between a 'blocking gate' and an 'advisory gate'?
A blocking (or enforcement) gate fails the pipeline job when a security policy is violated — the build cannot proceed. An advisory gate logs findings and may notify teams but does not stop the pipeline. Teams often start with advisory gates and graduate to blocking gates as they reduce noise and build confidence.
3 / 5
What does 'fail-closed' mean in the context of a security gate?
Fail-closed means: if the security scanning tool errors out or cannot complete, the pipeline is blocked. This is the secure default — you cannot prove the build is safe if the scanner didn't run. Contrast with fail-open, which allows the build through if the tool fails, trading security for availability.
4 / 5
What does 'fail-open' mean and when might a team choose it?
Fail-open allows the pipeline to continue if the security tool itself is unavailable or erroring. Teams may choose this during initial rollout to avoid blocking deployments due to tool instability. It is a deliberate trade-off: higher availability at the cost of potential unscanned deployments. The goal is eventually to move to fail-closed.
5 / 5
What is 'risk acceptance' in a security gate workflow?
Risk acceptance is a documented decision to proceed with a known vulnerability when remediation is not immediately feasible. It typically requires approval from a named owner, a written justification, and an expiry date. Accepted risks appear in a risk register and are subject to periodic review — they do not mean the risk is forgotten.