Comparison

Release Passport vs SonarQube quality gates

SonarQube quality gates are valuable code-quality evidence. Release Passport treats that result as one input and adds release readiness, deployability, runtime health, rollback, policy, artifact, and audit context for production promotion.

SonarQube quality gates

What the existing tool should keep doing.

It does not perform static analysis or own quality profiles.
It does not replace merge checks or developer remediation workflows.
It does not store raw secrets, tokens, or private source packages in public surfaces.

Release Passport

What Release Passport adds.

Production-readiness context beyond source quality.
A release passport tying quality evidence to the exact artifact and deployment target.
Retention rules and sanitized exports for release review.
Scoped connector behavior that avoids collecting unrelated projects.

How to use them together.

Keep SonarQube quality gates in the build or merge pipeline.
Ingest the quality gate result as release evidence with project, branch, commit, and timestamp.
Combine it with image digest, SBOM, SARIF, tests, GitOps sync, and runtime checks.
Use policy to decide whether failed, stale, or missing quality evidence should HOLD or BLOCK.
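
A sketch of that policy step, added here as an illustration and not taken from Release Passport's own code: it binds the ingested quality gate result to the release's project and commit, then maps missing, failed, or stale evidence to HOLD or BLOCK. The `QualityEvidence` record, the `evaluate` function, the `PASS` result, the 24-hour freshness window, and the HOLD/BLOCK mapping are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical policy table: which decision each evidence problem maps to.
POLICY = {"missing": "BLOCK", "failed": "BLOCK", "stale": "HOLD"}
MAX_AGE = timedelta(hours=24)  # assumed freshness window


@dataclass(frozen=True)
class QualityEvidence:
    project: str
    branch: str
    commit: str
    timestamp: datetime  # when the quality gate was computed (UTC)
    status: str          # SonarQube quality gate status, e.g. "OK" or "ERROR"


def evaluate(evidence: Optional[QualityEvidence], project: str, release_commit: str,
             now: datetime, policy=POLICY, max_age=MAX_AGE) -> tuple[str, str]:
    """Return (decision, reason) for promoting release_commit."""
    # Evidence for another project or commit says nothing about this release,
    # so it is handled exactly like absent evidence.
    if evidence is None or evidence.project != project or evidence.commit != release_commit:
        return policy["missing"], "missing"
    # Fail closed: any status other than "OK" counts as a failed gate.
    if evidence.status != "OK":
        return policy["failed"], "failed"
    age = now - evidence.timestamp
    # Future-dated evidence (negative age) is not trusted as fresh.
    if age < timedelta(0) or age > max_age:
        return policy["stale"], "stale"
    return "PASS", "ok"


if __name__ == "__main__":
    # Constructed sample input, not real pipeline data.
    now = datetime(2024, 1, 2, 12, 0, tzinfo=timezone.utc)
    ev = QualityEvidence("shop", "main", "abc123", now - timedelta(hours=30), "OK")
    print(evaluate(ev, "shop", "abc123", now))   # stale evidence for this commit
    print(evaluate(ev, "shop", "def456", now))   # evidence for a different commit
```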

Recommended release flow.

  1. Build pipeline runs tests, security checks, and the SonarQube quality gate.
  2. Release Passport receives the quality result with source SHA and artifact digest.
  3. Runtime and GitOps evidence fills the deploy-readiness side of the passport.
  4. Policy returns a signed decision and next action before promotion.

Boundary check.

Customer installs run the self-hosted console, API, worker, CLI gate path, scoped connectors, RBAC, audit log, retention controls, signed artifacts, and provenance checks. Owner checkout, payment, license issuance, and package entitlement administration stay outside the customer runtime.