• Serving Clients Globally
  • +91 9599388970 (India)
  • WhatsApp
  • info@rannlab.com
WhatsApp Us
Get Free Consultation

Secure SDLC & Code Quality Standards

We ship only secure, reviewed, and quality-checked code to Production. Every line of code passes through automated gates, peer review, and security controls before it reaches your users.

Azure DevOps
SonarQube Quality Gates
Zero-Secret Codebase
Rollback-Ready Deployments

Headquarters

Greater Noida, India

805, 8th Floor, Om Tower, Alpha-I Commercial Belt, Block E, Alpha I, Greater Noida, UP 201310

  • +91-120-357-8226
  • info@rannlab.com

Table of Contents

Our Development Principles

RannLab’s engineering culture is built on a foundation of security-first thinking, continuous improvement, and shared accountability. Every team member — from junior developer to architect — is responsible for the quality and security of what they ship.

Security by Design

Security is embedded at every stage — not bolted on at the end.

Peer Review Mandatory

No code reaches production without at least one approved code review.

Quality Gates Enforced

Automated gates block merges and deployments when thresholds fail.

Continuous Improvement

Retrospectives, metrics, and tooling evolve with every sprint cycle.

Shared Ownership

Teams own their services end-to-end — build it, run it, secure it.

Audit Traceability

Every change is traceable from ticket to deployment with full audit logs.

Source Code Management & Access Control

All source code is managed in Azure DevOps Repos with role-based access control (RBAC). Branch protection policies ensure that no unreviewed or unverified code can be merged into protected branches.

  • Azure DevOps Repos as the single source of truth for all code
  • Role-based access control (RBAC) — least-privilege principle enforced
  • Protected branches: main, develop, release/* require PR approval
  • PR-based workflow — direct pushes to protected branches are blocked
  • Minimum 1 reviewer required; senior review mandatory for critical services
  • Branch naming conventions enforced via policy (feature/, fix/, hotfix/)
  • Commit signing encouraged; audit log retained for all repository events
  • Stale branch cleanup policy — branches inactive >30 days are flagged
Access Control Policy

External contributors and contractors are granted scoped, time-limited access only. All access is reviewed quarterly and revoked immediately upon project completion or team change.

Standard SDLC Workflow (From Task to Release)

Our CI/CD pipeline enforces a structured promotion path: Dev → QA/UAT → Production. Each stage requires explicit approvals and automated gate checks before promotion.

01: Task & Planning

Azure Boards ticket created, acceptance criteria defined, security requirements noted

02: Development

Feature branch created, code written with unit tests, Sonar pre-check run locally

03: Pull Request

PR raised, automated CI triggers, peer review completed, quality gates must pass

04: Dev Deploy

Merged to develop branch, auto-deployed to Dev environment, smoke tests run

05: QA / UAT

Promoted to QA after approval, functional & regression tests, UAT sign-off required

06: Release Branch

Release branch cut, final security scan, release notes generated, change ticket raised

07: Production

Deployment approval gate, versioned artifact deployed, health checks validated

08: Post-Deploy

Monitoring alerts active, rollback plan confirmed, deployment record closed

Approval Gates

Each environment promotion (Dev → QA, QA → Production) requires an explicit approval from a designated approver in Azure DevOps. Production deployments additionally require a change management ticket and a rollback plan to be documented before deployment proceeds.

Automated Code Quality Analysis (Sonar)

SonarQube is integrated directly into the CI pipeline. Every pull request triggers a full static analysis scan. Merges and deployments are blocked automatically when quality thresholds are not met.

Quality Gate Enforcement

Merge and deploy are blocked when any threshold fails

Code Coverage

≥ 80%

Duplicated Lines

< 3%

Maintainability Rating

A

Reliability Rating

A

Security Rating

A

Security Hotspots

0 unreviewed

  • Sonar scan runs automatically on every PR — results posted as PR comments
  • New code must meet quality gate independently of legacy code debt
  • Technical debt is tracked and allocated in sprint planning
  • OWASP Top 10 vulnerability patterns flagged and blocked automatically
  • Dependency vulnerability scanning (npm audit / OWASP Dependency-Check) integrated
  • Code smell and complexity metrics tracked over time with trend reporting

Security Controls Embedded in the Pipeline

SonarQube is integrated directly into the CI pipeline. Every pull request triggers a full static analysis scan. Merges and deployments are blocked automatically when quality thresholds are not met.

Secret Management
  • Secrets never stored in source code — enforced by pre-commit hooks
  • Azure Key Vault / secure secret store for all credentials
  • Secret scanning runs on every commit (git-secrets / truffleHog)
  • Rotation policies enforced for all service credentials
SAST & DAST
  • Static Application Security Testing (SAST) via SonarQube on every PR
  • Dynamic Application Security Testing (DAST) on QA environment
  • Container image scanning before deployment (Trivy / Snyk)
  • Infrastructure-as-Code (IaC) security scanning (Checkov)
Access & Identity
  • MFA enforced for all Azure DevOps and cloud console access
  • Service principals used for pipeline authentication — no human credentials
  • Just-in-time (JIT) access for production environments
  • All privileged actions logged and alerted
Dependency Security
  • Third-party dependency audit on every build
  • Approved dependency list maintained and reviewed quarterly
  • Critical CVEs trigger immediate hotfix workflow
  • License compliance checked for all open-source packages

Performance & Optimization Standards

Performance is a first-class requirement. Benchmarks are defined at the start of each project and validated automatically in the CI/CD pipeline before any release is approved.

  • API response time targets defined per endpoint class (P95 ≤ 200ms for critical paths)
  • Lighthouse performance score ≥ 85 enforced for all web frontends
  • Load testing (k6 / JMeter) mandatory before every major release
  • Database query performance reviewed — N+1 queries flagged in code review
  • Bundle size budgets enforced in CI — builds fail if budget exceeded
  • CDN and caching strategies reviewed as part of architecture sign-off
  • Memory and CPU profiling conducted for backend services before production release
  • Core Web Vitals (LCP, FID, CLS) monitored continuously in production
Performance Regression Prevention

Automated performance benchmarks run in CI on every release branch. A regression of more than 15% in any tracked metric triggers a mandatory review before the release can proceed to production.

AI-Assisted Development (With Controls)

RannLab embraces AI-assisted development tools (GitHub Copilot, ChatGPT, etc.) to accelerate productivity. However, AI-generated code is subject to the same quality gates, security scans, and review requirements as human-written code.

AI Code Governance Policy

AI suggestions are allowed — but the same gates apply

  • AI suggestions must be reviewed and understood by the developer before committing — no blind acceptance.
  • AI-generated code passes through the same Sonar quality gates, security scans, and PR review process.
  • Sensitive logic (authentication, payments, cryptography) must be human-authored and double-reviewed.
  • Proprietary client data must never be submitted to external AI tools or cloud-based LLMs.
  • AI tool usage is logged and disclosed in PR descriptions for traceability.

Release Management & Production Deployment Standards

Production deployments follow a strict, documented process. Versioned artifacts are used for all deployments, and every release is deployed with a tested rollback plan.

Versioned Artifacts
  • Semantic versioning (SemVer) enforced for all services
  • Immutable build artifacts stored in Azure Artifacts
  • Same artifact promoted through all environments — no rebuilds
  • Docker images tagged with commit SHA and version
Rollback Readiness
  • Rollback plan documented and tested before every production release
  • Blue/green or canary deployment for zero-downtime releases
  • Database migrations are backward-compatible and reversible
  • Rollback executed within 15 minutes if critical issue detected
Change Management
  • Change request ticket raised for every production deployment
  • Deployment window communicated to stakeholders in advance
  • Emergency change process defined for critical hotfixes
  • Post-deployment review completed within 24 hours
Monitoring & Alerting
  • Health checks and smoke tests run automatically post-deployment
  • Alerts configured for error rate, latency, and availability
  • On-call rotation defined for production incidents
  • Incident response runbooks maintained and reviewed quarterly

Compliance, Reporting & Audit Readiness

RannLab maintains full audit traceability from requirement to production deployment. All pipeline events, approvals, and security scan results are retained and available for compliance reporting.

  • Full audit trail: every commit, PR, approval, and deployment is logged with timestamps and actor identity
  • SonarQube scan reports retained per release for compliance evidence
  • Security scan results (SAST, DAST, dependency) archived with each release artifact
  • Access control reviews conducted quarterly — access logs available on demand
  • Change management records linked to deployment artifacts for traceability
  • GDPR and data privacy controls reviewed as part of architecture sign-off for applicable projects
  • ISO 27001 / SOC 2 aligned practices for enterprise and regulated-industry clients
  • Penetration testing conducted annually or per client requirement
Standard Deliverables per Release
Code Quality ReportSonarQube scan results with quality gate statusEngineering Lead
Security Scan SummarySAST, DAST, and dependency vulnerability reportSecurity Team
Test Coverage ReportUnit, integration, and E2E test resultsQA Lead
Release NotesFeatures, fixes, known issues, and rollback instructionsProduct Owner
Deployment RecordArtifact version, deployment time, approver, and health check resultsDevOps Engineer
Change TicketApproved change request with risk assessment and rollback planChange Manager

Contact

Have questions about our development standards, security practices, or want to discuss a project? Our engineering team is happy to walk you through our processes in detail.

Email Us

For security & compliance inquiries

Call Us

Mon–Fri, 9 AM – 6 PM IST

Start a Conversation
View Our Services

Send Us a Message

Fill out the form below and we’ll get back to you within 2 hours
By submitting this form, you agree to our privacy policy and terms of service.