QP02 Continuous Integration Practices
What this means
SiteShadow flagged signals that continuous integration (CI) is missing, disabled, or not used as a quality/security gate.
Why it matters
CI ensures consistent testing, security checks, and quality gates.
- Security regressions slip in when tests/scans aren't run automatically.
- Inconsistent builds produce "works on my machine" failures and risky hotfixes.
- Slower incident response when you can't quickly validate a fix.
Safer examples
1) Run tests on every PR
Unit tests + integration tests for critical flows (auth, permissions, payments).
2) Add security checks to CI
Dependency scanning, secret scanning, and basic static checks (see CICD01 / A08).
3) Gate merges on green checks
Require CI to pass before merge; block direct commits to protected branches.
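As an added illustration of the three practices above (an example written for this page, not a SiteShadow artefact), here is a GitHub Actions workflow that runs tests plus dependency, secret and static scanning on every pull request. It assumes a Node.js project with an `npm test` script and a repository named in the branch-protection rule below; the actions referenced are the public GitHub, Gitleaks and CodeQL actions.

```yaml
# .github/workflows/ci.yml  (added example; assumes a Node.js project with "npm test")
name: ci
on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read            # least privilege: jobs only read the repository by default

jobs:
  test:                     # practice 1: unit + integration tests on every PR
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci
      - run: npm test       # a failing test fails the job and therefore the check

  security:                 # practice 2: dependency, secret and static checks
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # required to upload CodeQL results to code scanning
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0       # full history so secret scanning covers every commit in the PR
      - uses: actions/dependency-review-action@v4   # fails on newly introduced vulnerable deps
        if: github.event_name == 'pull_request'     # this action only supports PR events
      - uses: gitleaks/gitleaks-action@v2           # secret scanning over the checked-out history
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - uses: github/codeql-action/init@v3          # basic static analysis (CodeQL)
        with:
          languages: javascript
      - uses: github/codeql-action/analyze@v3
```

Practice 3 is a repository setting rather than workflow syntax: in the branch-protection rule for `main`, mark the `test` and `security` jobs as required status checks and disallow direct pushes, so a change cannot land unless both jobs are green.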
How SiteShadow detects it (high level)
- Detects presence/absence of CI workflow definitions and whether checks are enforced.
- Flags repos where changes can land without automated validation signals.
References
- OWASP Top 10: https://owasp.org/Top10/
---