diff --git a/Jenkinsfile b/Jenkinsfile
index 25ae81b..85b67f2 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -35,7 +35,10 @@ spec:
 environment {
 SUITE_NAME = 'ananke'
 PUSHGATEWAY_URL = 'http://platform-quality-gateway.monitoring.svc.cluster.local:9091'
+ QUALITY_GATE_SONARQUBE_ENFORCE = '1'
 QUALITY_GATE_SONARQUBE_REPORT = 'build/sonarqube-quality-gate.json'
+ QUALITY_GATE_IRONBANK_ENFORCE = '1'
+ QUALITY_GATE_IRONBANK_REQUIRED = '0'
 QUALITY_GATE_IRONBANK_REPORT = 'build/ironbank-compliance.json'
 }
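Review bot: `QUALITY_GATE_IRONBANK_REQUIRED = '0'` makes the Ironbank result advisory for every run that does not set `PUBLISH_IMAGES` to `true` — in the publisher step a missing or failed compliance report then only logs a warning — while the SonarQube gate configured with the identical `_ENFORCE = '1'` value is blocking, so the two `_ENFORCE` flags read alike but do not mean the same thing. If that asymmetry is intended, a comment beside the variable would stop a reader from taking `_ENFORCE = '1'` as "blocking", e.g. `// IRONBANK_REQUIRED=0: compliance failures only warn unless PUBLISH_IMAGES=true`. The pipeline around this `environment` block is outside the hunk.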
@@ -223,7 +226,95 @@ PY
 container('publisher') {
 sh '''
 set -eu
- test "$(cat build/quality-gate.rc 2>/dev/null || echo 1)" -eq 0
+ gate_rc="$(cat build/quality-gate.rc 2>/dev/null || echo 1)"
+ fail=0
+ if [ "${gate_rc}" -ne 0 ]; then
+ echo "quality gate failed with rc=${gate_rc}" >&2
+ fail=1
+ fi
+
+ enabled() {
+ case "$(printf '%s' "${1:-}" | tr '[:upper:]' '[:lower:]')" in
+ 1|true|yes|on) return 0 ;;
+ *) return 1 ;;
+ esac
+ }
+
+ if enabled "${QUALITY_GATE_SONARQUBE_ENFORCE:-1}"; then
+ sonar_status="$(python3 - <<'PY'
+import json
+from pathlib import Path
+
+path = Path("build/sonarqube-quality-gate.json")
+if not path.exists():
+ print("missing")
+ raise SystemExit(0)
+try:
+ payload = json.loads(path.read_text(encoding="utf-8"))
+except Exception: # noqa: BLE001
+ print("error")
+ raise SystemExit(0)
+status = (payload.get("status") or payload.get("projectStatus", {}).get("status") or payload.get("qualityGate", {}).get("status") or "").strip().lower()
+print(status or "missing")
+PY
+)"
+ case "${sonar_status}" in
+ ok|pass|passed|success) ;;
+ *)
+ echo "sonarqube gate failed: ${sonar_status}" >&2
+ fail=1
+ ;;
+ esac
+ fi
+
+ ironbank_required="${QUALITY_GATE_IRONBANK_REQUIRED:-0}"
+ if [ "${PUBLISH_IMAGES:-false}" = "true" ]; then
+ ironbank_required=1
+ fi
+ if enabled "${QUALITY_GATE_IRONBANK_ENFORCE:-1}"; then
+ supply_status="$(python3 - <<'PY'
+import json
+from pathlib import Path
+
+path = Path("build/ironbank-compliance.json")
+if not path.exists():
+ print("missing")
+ raise SystemExit(0)
+try:
+ payload = json.loads(path.read_text(encoding="utf-8"))
+except Exception: # noqa: BLE001
+ print("error")
+ raise SystemExit(0)
+compliant = payload.get("compliant")
+if compliant is True:
+ print("ok")
+elif compliant is False:
+ print("failed")
+else:
+ status = str(payload.get("status") or payload.get("result") or payload.get("compliance") or "").strip().lower()
+ print(status or "missing")
+PY
+)"
+ case "${supply_status}" in
+ ok|pass|passed|success|compliant) ;;
+ not_applicable|na|n/a)
+ if enabled "${ironbank_required}"; then
+ echo "supply chain gate required but status=${supply_status}" >&2
+ fail=1
+ fi
+ ;;
+ *)
+ if enabled "${ironbank_required}"; then
+ echo "supply chain gate failed: ${supply_status}" >&2
+ fail=1
+ else
+ echo "supply chain gate not passing (${supply_status}) but not required for this run" >&2
+ fi
+ ;;
+ esac
+ fi
+
+ exit "${fail}"
 '''
 }
 }
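Review bot: Both Python checkers hard-code `build/sonarqube-quality-gate.json` and `build/ironbank-compliance.json` even though the first hunk defines `QUALITY_GATE_SONARQUBE_REPORT` and `QUALITY_GATE_IRONBANK_REPORT` for exactly these paths, so a later change to either variable makes the gate read a file that no longer exists — the SonarQube check then fails closed on `missing`, but the Ironbank check only warns unless `PUBLISH_IMAGES` is `true`, so the compliance report would silently stop being checked. Because the heredocs are quoted (`<<'PY'`) the shell cannot expand the variables, so read them in Python instead: add `import os` and use `path = Path(os.environ.get("QUALITY_GATE_SONARQUBE_REPORT", "build/sonarqube-quality-gate.json"))` (and the Ironbank equivalent with its variable). Separately, the gate trusts whatever is in `build/quality-gate.rc` and the two JSON files when the publisher container runs; if an earlier stage (not visible here) executes code from the change under test with write access to this workspace, that code could write `0` and `{"status": "ok"}` and the gate would pass, so it is worth confirming those artifacts come from a step the change cannot influence, or re-querying the SonarQube quality-gate API here rather than reading the report back from the workspace. The `sh` step is entirely within the hunk, but the stage enclosing `container('publisher')` begins and ends outside it.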