GitHub pull request configurations defined in Terraform have less than 2 approvals
Description
Pull request approvals are a critical part of the GitHub workflow, serving as a quality control measure to ensure code is reviewed and vetted before it is merged. Requiring at least two approvals for a pull request before merging can enhance the security and integrity of the code by ensuring that at least two separate individuals have reviewed the changes.
This policy checks that the required_pull_request_reviews block of a GitHub branch protection rule sets required_approving_review_count to at least 2. A rule that has no required_pull_request_reviews block at all, or that leaves the count unset or below 2, does not satisfy the check, because such a rule lets a change reach the protected branch without two independent reviews.
Code Example
```hcl
resource "github_branch_protection" "example" {
  repository_id = github_repository.example.node_id
  pattern       = "main"

  required_pull_request_reviews {
    # The attribute this policy evaluates; leaving it unset or below 2
    # fails the check. GitHub accepts values from 0 to 6.
    required_approving_review_count = 2
    # ... other configurations ...
  }

  # ... other branch protection settings ...
}
```
Remediation
Terraform
Ensure your GitHub branch protection rules include a required_pull_request_reviews block whose required_approving_review_count is at least 2 (GitHub accepts values from 0 to 6). The rule only covers branches that match its pattern, so check that every branch you consider protected is matched. Settings such as dismiss_stale_reviews and require_code_owner_reviews strengthen the review gate further, but they are not what this policy evaluates.
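The logic this policy applies, as an added example that is not Checkov's own code: a stand-alone Python reimplementation shaped like a Checkov resource check (a scan_resource_conf function receiving one resource's parsed attributes, list-wrapped the way Checkov's HCL parser delivers them), run over constructed sample resources. The repository id, the sample resources and the treatment of an unresolved variable are assumptions of this example, not behaviour documented for the real check; the example fails closed on the cases a practitioner most often misses: a rule with no required_pull_request_reviews block, a block that omits the count, and a count that is not an integer literal.

```python
"""Stand-alone reimplementation of the logic behind CKV_GIT_5 (added example,
not Checkov's own code). It mirrors the shape of a Checkov resource check:
`scan_resource_conf` receives the parsed attributes of one Terraform resource
as a dict whose values are list-wrapped, the form Checkov's HCL parser
produces, and returns PASSED or FAILED."""
from enum import Enum
from typing import Any, Dict

MIN_APPROVALS = 2  # threshold the policy enforces


class CheckResult(Enum):
    PASSED = "PASSED"
    FAILED = "FAILED"


def _first(value: Any) -> Any:
    """Unwrap the single-element list the parser wraps each attribute in."""
    if isinstance(value, list):
        return value[0] if value else None
    return value


def scan_resource_conf(conf: Dict[str, Any]) -> CheckResult:
    """PASSED only if the rule requires at least MIN_APPROVALS approving reviews.

    Cases that fail, each handled explicitly:
      * no required_pull_request_reviews block (no review gate at all)
      * block present but required_approving_review_count omitted
      * count present but below the threshold
      * count not an integer literal (e.g. an unresolved "${var.x}" string
        or a boolean), so the reviewer count cannot be verified; this
        fail-closed choice is an assumption of the example
    """
    reviews = _first(conf.get("required_pull_request_reviews"))
    if not isinstance(reviews, dict):
        return CheckResult.FAILED
    count = _first(reviews.get("required_approving_review_count"))
    if count is None or isinstance(count, bool):
        return CheckResult.FAILED
    try:
        required = int(count)
    except (TypeError, ValueError):
        return CheckResult.FAILED
    return CheckResult.PASSED if required >= MIN_APPROVALS else CheckResult.FAILED


# Constructed sample resources (hypothetical repository id, not a real repo),
# in the list-wrapped form the parser would hand to the check.
NO_REVIEW_BLOCK = {
    "repository_id": ["R_example"],
    "pattern": ["main"],
}
ONE_APPROVAL = {
    "repository_id": ["R_example"],
    "pattern": ["main"],
    "required_pull_request_reviews": [{"required_approving_review_count": [1]}],
}
COUNT_OMITTED = {
    "repository_id": ["R_example"],
    "pattern": ["main"],
    "required_pull_request_reviews": [{"dismiss_stale_reviews": [True]}],
}
UNRESOLVED_VARIABLE = {
    "repository_id": ["R_example"],
    "pattern": ["main"],
    "required_pull_request_reviews": [
        {"required_approving_review_count": ["${var.approvals}"]}
    ],
}
TWO_APPROVALS = {
    "repository_id": ["R_example"],
    "pattern": ["main"],
    "required_pull_request_reviews": [
        {"required_approving_review_count": [2], "dismiss_stale_reviews": [True]}
    ],
}

SAMPLES = {
    "no_review_block": NO_REVIEW_BLOCK,
    "one_approval": ONE_APPROVAL,
    "count_omitted": COUNT_OMITTED,
    "unresolved_variable": UNRESOLVED_VARIABLE,
    "two_approvals": TWO_APPROVALS,
}


def evaluate_samples() -> Dict[str, str]:
    """Run the check over every constructed sample; only the last one passes."""
    return {name: scan_resource_conf(conf).value for name, conf in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in evaluate_samples().items():
        print(f"{name}: {result}")
```

Running the block prints one line per sample; only two_approvals reports PASSED. The point of the extra cases is that the policy is satisfied by an explicit integer literal of at least 2 inside the reviews block, not by the mere presence of the block or of other review settings.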
Rule Details
| Field | Value |
|---|---|
| ID | IAC-1036 |
| Severity | MEDIUM |
| IaC Type | Terraform |
| Frameworks | Terraform |
| Checkov ID | CKV_GIT_5 |