GitHub repository defined in Terraform does not have GPG signatures for all commits
Description
Requiring signed commits on GitHub is a security practice that ensures every commit carries a GPG or S/MIME signature, verifying the identity of the commit author and ensuring that the commit has not been tampered with after it was signed. This policy checks that the branch protection rules defined in Terraform enforce a requirement for signed commits.
When branch protection rules are configured to require signed commits, GitHub rejects pushes of unsigned or unverified commits to the protected branches, safeguarding the codebase against unauthorized modifications.
Code Example
```hcl
resource "github_branch_protection" "example" {
  repository_id = github_repository.example.node_id
  pattern       = "main"
  # Enforce all commits to be signed
  require_signed_commits = true
  # ... other branch protection settings ...
}
```
Remediation
Terraform
To comply with this policy, you must enable the requirement for signed commits in your GitHub branch protection rules.
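As an added example (not part of this policy page and not Checkov's own implementation), the following Python scanner reproduces the check over a constructed Terraform snippet: it extracts each github_branch_protection block and reports those where require_signed_commits is absent or not set to true. The resource names, the sample file and the simplified brace-matching parser are assumptions.

```python
import re

# Constructed sample Terraform (example data, not from any real repository):
# one compliant and two non-compliant github_branch_protection resources.
SAMPLE_TF = """
resource "github_repository" "example" {
  name = "example"
}
resource "github_branch_protection" "main" {
  repository_id = github_repository.example.node_id
  pattern       = "main"
  require_signed_commits = true
  required_pull_request_reviews {
    required_approving_review_count = 1
  }
}
resource "github_branch_protection" "release" {
  repository_id = github_repository.example.node_id
  pattern       = "release/*"
  require_signed_commits = false
}
resource "github_branch_protection" "legacy" {
  repository_id = github_repository.example.node_id
  pattern       = "legacy"
}
"""

RESOURCE_RE = re.compile(r'resource\s+"(?P<type>[^"]+)"\s+"(?P<name>[^"]+)"\s*\{')
ATTR_RE = re.compile(r'^\s*require_signed_commits\s*=\s*(true|false)\s*$', re.M)


def extract_resources(tf_text):
    """Yield (type, name, body) for each resource block.

    Simplified scanner: braces are matched by depth so nested blocks stay
    inside the body; braces inside string literals are not handled.
    """
    for m in RESOURCE_RE.finditer(tf_text):
        depth, i = 1, m.end()
        while i < len(tf_text) and depth:
            if tf_text[i] == "{":
                depth += 1
            elif tf_text[i] == "}":
                depth -= 1
            i += 1
        yield m.group("type"), m.group("name"), tf_text[m.end():i - 1]


def find_unsigned_branch_protections(tf_text):
    """Return names of branch protections that do not set require_signed_commits = true."""
    findings = []
    for rtype, name, body in extract_resources(tf_text):
        if rtype != "github_branch_protection":
            continue
        m = ATTR_RE.search(body)
        if m is None or m.group(1) != "true":  # missing or explicitly false
            findings.append(name)
    return findings
```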
Rule Details
| Field | Value |
|---|---|
| ID | IAC-1037 |
| Severity | LOW |
| IaC Type | Terraform |
| Frameworks | Terraform |
| Checkov ID | CKV_GIT_6 |