Why SonarQube Misses Mock Data in Production (and what to add)

SonarQube is excellent at detecting code smells, bugs, and vulnerabilities. But it cannot detect mock data in production because mocks are valid code.

What SonarQube catches

• Code complexity and maintainability issues
• Common bugs and anti-patterns
• Security vulnerabilities
• Code coverage gaps
• Duplications and dead code

What SonarQube misses

• Mock libraries imported in production builds
• Fallback clients returning fake data
• Missing env vars triggering stubs
• Placeholder handlers in deployed routes
• Build artifacts containing fixtures

The blind spot

SonarQube analyzes static code structure. Mock data in production is a runtime behavior issue. A function that returns fake data is syntactically correct, type-safe, and passes all SonarQube rules.

The solution: Add a reality gate

Complement SonarQube with a deploy gate that checks:

• Import graph for mock/stub patterns
• Build artifact inspection
• Runtime configuration validation
• Endpoint wiring verification

Practical example

# SonarQube scan (existing) sonar-scanner # Add reality gate (new) npx guardrail mockproof npx guardrail gate

Result

SonarQube ensures code quality. The reality gate ensures production reality. Together they prevent both bad code and fake data.

Some teams use guardrail to detect this automatically in CI.