When a Quality Gate is defined in SonarQube, it's usually set with absolute values, e.g. fail if the number of bugs is greater than 10.
So, as long as there are less than 10 bugs, it will pass.
What then happens in this scenario?
Scan No1 has 3 bugs: QualityGate PASSES
Scan No2 has 3 bugs: QualityGate PASSES
Scan No3 has 9 bugs: QualityGate PASSES
Technically, Scan No3 has introduced 6 additional bugs but still passes, because the threshold for failing the Quality Gate is an absolute value of 10 bugs, which potentially means that new vulnerabilities can be added as long as the predetermined threshold isn't breached.
Is there a way to fail the Quality Gate based on metrics extracted from a previous analysis?
So...
Scan No1 has 3 bugs: QualityGate PASSES
Scan No2 has 3 bugs: QualityGate PASSES
Scan No3 has 9 bugs: QualityGate FAILS
Scan No4 has 2 bugs: QualityGate PASSES
This way, code progressively becomes cleaner.
You can add metric checks on "new code" instead of "overall code".
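For readers who want the "must not get worse than the previous analysis" behaviour from the question as a CI step, here is an added example (not code from the question, the answer or SonarQube itself). It assumes the JSON shape of SonarQube's api/measures/search_history response (a "measures" list with a "metric" key and a "history" list of {"date", "value"} points); the sample payload is constructed from the question's four scans, and `metric_series`, `absolute_gate` and `ratchet_gate` are names chosen here.

```python
"""Compare an absolute Quality Gate with a ratchet-style gate over SonarQube history.

Added example, not part of the original question or answer. Assumed response
shape: api/measures/search_history -> {"measures": [{"metric": ..., "history":
[{"date": ..., "value": ...}, ...]}]}. Fetch it in CI with curl and a token,
then feed the JSON text to metric_series().
"""
import json

# Constructed sample mirroring the four scans from the question ("bugs" metric).
SAMPLE_HISTORY = json.dumps({
    "paging": {"pageIndex": 1, "pageSize": 100, "total": 4},
    "measures": [{
        "metric": "bugs",
        "history": [
            {"date": "2024-01-01T10:00:00+0000", "value": "3"},
            {"date": "2024-01-02T10:00:00+0000", "value": "3"},
            {"date": "2024-01-03T10:00:00+0000", "value": "9"},
            {"date": "2024-01-04T10:00:00+0000", "value": "2"},
        ],
    }],
})


def metric_series(history_json, metric):
    """Return the chronological integer values recorded for one metric."""
    payload = json.loads(history_json)
    for measure in payload.get("measures", []):
        if measure.get("metric") == metric:
            # Points without a "value" (analysis had no measure) are skipped.
            return [int(p["value"]) for p in measure["history"] if "value" in p]
    raise KeyError("metric %r not present in history" % metric)


def absolute_gate(values, threshold):
    """Classic gate from the question: fail only when value > fixed threshold."""
    return ["FAILS" if v > threshold else "PASSES" for v in values]


def ratchet_gate(values):
    """Relative gate: fail when the value rises above the previous analysis.

    The first analysis has no baseline and passes; a later drop (9 -> 2) passes,
    so the metric can only ratchet downwards over time, as the question asks.
    """
    verdicts = []
    for previous, current in zip([None] + list(values), values):
        worse = previous is not None and current > previous
        verdicts.append("FAILS" if worse else "PASSES")
    return verdicts


if __name__ == "__main__":
    bugs = metric_series(SAMPLE_HISTORY, "bugs")
    print("absolute (>10):", absolute_gate(bugs, 10))
    print("ratchet       :", ratchet_gate(bugs))
```

In a pipeline, exit non-zero when the last verdict from `ratchet_gate` is "FAILS"; SonarQube's built-in alternative is the "new code" condition the answer describes, which scopes the count to lines changed since the new-code baseline rather than comparing whole-project totals.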