Skip to content
Flows
Release Gates for Agent-Generated Code
Agent QA & Security60-90 minutes
0/4 steps0%

Step 1 of 4

Assemble the automated gate

Stack the deterministic and test-based checks first.

Prompt capsule

Build the automated portion of the gate for agent-generated changes. Compose the layers already available (or build the missing ones): the rule-file review gate (deterministic policy checks on the diff), the full test suite plus the verification evidence the agent produced, security scans (the injection/red-team suite where the change touches agent behavior; SAST where applicable), dependency/supply-chain checks for any new deps, and a secret scan on the diff. Wire these as required status checks on the change (PR or equivalent). Any failure blocks. Ensure these run on agent changes at parity with or above human-change checks. Test by pushing an agent change with a planted rule violation and a failing test and confirming both block the merge.

Paste into Claude · Complete implementation prompt with explicit requirements

Expected after this step

A stacked automated gate blocking on any failed check.

Should not happen

  • Auto-merging agent PRs on green CI with no human ever looking at risky ones
  • Applying weaker checks to agent code than to human code
  • No risk tiering, so a typo fix and a payment change get identical review
  • Unlabeled agent changes, so reviewers do not know to look harder

Verify before continuing

Do not move on until every check is true. The complete button stays locked until then.

Do not continue if…

  • !Auto-merging agent PRs on green CI with no human ever looking at risky ones
  • !Applying weaker checks to agent code than to human code
  • !No risk tiering, so a typo fix and a payment change get identical review
  • !Unlabeled agent changes, so reviewers do not know to look harder

If the AI messes this up

Use this when the AI fakes progress or breaks the feature. It forces a real fix.

An agent change merged on partial checks. Make every layer a required status check (not advisory) and confirm the merge is technically blocked until all are green - advisory checks get ignored under deadline.

Your notes for this step