Your CI pipeline turns green. You merge. You deploy. Three hours later, production is on fire with a bug that “should have been caught in testing.”
This scenario happens in nearly every engineering team at some frequency, regardless of how mature the CI process is. The pipeline was not lying maliciously - it was telling you exactly what you asked it to check. The problem is what you forgot to ask.
The Most Common Ways CI Lies
Flaky Tests That Always Retry to Green
A test that fails 20% of the time and is configured to automatically retry is not a passing test. It is an untreated bug.
Teams add retries to CI when they are under deployment pressure and flaky tests are blocking merges. The retry “fixes” the immediate problem - the build goes green and the merge happens. The underlying issue, which is usually a race condition, dependency on external state, or timing-sensitive assertion, gets filed under “known flaky test” and is never fixed.
Over time, the retry budget grows. A pipeline with 40 retried tests is essentially telling you nothing about the correctness of those 40 test paths.
Fix: Remove retries. Treat flaky tests as P1 bugs. A test that cannot reliably reproduce a pass/fail result is worse than no test for that path.
Test Coverage Numbers Without Mutation Testing
A 90% code coverage metric sounds strong. But coverage measures whether lines were executed, not whether they were meaningfully tested.
def divide(a, b):
return a / b
def test_divide():
result = divide(10, 2)
# No assertion - but coverage says this line was "covered"
Mutation testing addresses this by making small changes to your code (flipping comparisons, removing return values) and checking whether tests fail. If a test does not fail when you delete a return statement, it is not actually testing the behavior.
Tools like Stryker (JavaScript), mutmut (Python), and pitest (Java) run mutation tests. They are slow, so run them on pull requests touching specific modules rather than the full codebase. The results are often sobering.
Environment Differences
CI environments differ from production in ways that matter:
| Difference | Common consequence |
|---|---|
| Lower resource limits | Services that work fine with 8GB RAM fail with 512MB |
| Mocked external services | Integration paths that work in CI fail in production |
| Different OS/kernel version | File descriptor limits, socket behaviors |
| Different database version | Index behavior, query plan differences |
| No persistent state | Migrations that fail on existing data pass on fresh DB |
The most dangerous is the mocked external service. A CI run that tests your Stripe integration by mocking all Stripe calls is testing your mock, not your Stripe integration.
Fix: Use real test instances of external dependencies. Stripe has a test mode. AWS has LocalStack. Databases should be the same version in CI and production. Run at least one CI stage with realistic resource limits.
Dependency Version Pinning - or Lack of It
If your package.json or requirements.txt uses unpinned versions (^4.2.0 or >=1.0), your CI builds are not reproducible. A dependency update that rolls out on npm can break your build without any code change - or more dangerously, can introduce a breaking change that your tests do not catch.
Fix: Pin all dependencies to exact versions. Use a dependency update bot (Dependabot, Renovate) to automate the update process with PR-level testing. Lock files alone are not sufficient for all package managers.
Missing Integration Test Stage
Unit tests test units. They do not test the system. A common CI structure:
- Lint
- Unit tests
- Build
- Deploy
There is no integration test stage. The unit tests all pass, the build succeeds, and a completely broken API interaction hits production.
Fix: Add an integration test stage that:
- Stands up a realistic version of your service (database, cache, message queue)
- Runs tests against the actual HTTP endpoints or function interfaces
- Tests the flows users actually execute, not individual functions in isolation
The False Confidence Metric Problem
Most CI dashboards show build pass rate. What they should show:
- Mean time to detection - how quickly does CI catch a real bug?
- Escaped defects - how many bugs reach production that CI did not catch?
- False positive rate - how often does CI fail for reasons unrelated to code quality?
A CI pipeline with 99% pass rate and high escaped defect rate is performing worse than a pipeline with 95% pass rate and low escaped defect rate. Optimizing for the metric rather than the outcome is how teams end up with a green dashboard and broken production.
The Right Structure for a Trustworthy Pipeline
Push → Lint + Type Check → Unit Tests (fast, <3 min)
→ Integration Tests (medium, <10 min)
→ E2E Tests on Staging (slow, <30 min)
→ Security Scan
→ Performance Baseline Check
→ Deploy to Production
Each stage has a clear responsibility. Failures in each stage have different implications. A lint failure means nothing is broken. An E2E failure on staging means something real is broken.
Bottom Line
CI pipelines give you confidence commensurate with what you test, not what you want to be true. The structural gaps - flaky test retries, coverage without assertions, environment differences, missing integration stages - each create categories of bugs that will reach production.
Audit your pipeline against each of these gaps this week. The investment in making CI trustworthy pays for itself with the first production incident it prevents.
Comments