Ensure each Repository has branch protection associated
Description
This policy checks whether each GitHub repository has a branch protection rule associated with it. Branch protection is crucial for preventing unreviewed changes to sensitive codebases. Without it, anyone with push access, including an attacker holding a compromised credential, could commit malicious code directly to a critical branch such as main, bypassing review and potentially leading to security vulnerabilities or data breaches. By ensuring that each repository has branch protection, organizations can enforce code review and approval processes and reduce the risk of security incidents.
Code Example
```terraform
resource "github_branch_protection" "example" {
  # GitHub provider v4+ takes repository_id (the repository's node ID), not "repository"
  repository_id = github_repository.example.node_id
  # Branch name pattern the rule applies to
  pattern        = "main"
  # Apply the rule to administrators as well
  enforce_admins = true

  # Require the named CI check to pass and the branch to be up to date before merging
  required_status_checks {
    strict   = true
    contexts = ["continuous-integration/check"]
  }

  # Require at least one approving review before merging
  required_pull_request_reviews {
    required_approving_review_count = 1
  }
}
```
Remediation
Create a branch protection rule for the repository, specifying the patterns of branches to protect and the required approvals or restrictions.
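One way to audit a Terraform configuration for this policy is to collect every `github_repository` resource and check whether some `github_branch_protection` resource references it. The script below is an added example, not Checkov's own implementation of CKV2_GIT_1: it uses a simplified regex-based parse of HCL (an assumption that works for flat resource blocks, not a full HCL parser) over a constructed sample configuration.

```python
import re

# Constructed sample: two repositories, only "api" has a branch protection rule.
SAMPLE_TF = """
resource "github_repository" "api" {
  name = "api"
}

resource "github_repository" "docs" {
  name = "docs"
}

resource "github_branch_protection" "api_main" {
  repository_id = github_repository.api.node_id
  pattern       = "main"
  required_pull_request_reviews {
    required_approving_review_count = 1
  }
}
"""

# Matches a top-level resource block; the body ends at the first "}" in column 0.
RESOURCE_RE = re.compile(r'resource\s+"(\w+)"\s+"(\w+)"\s*\{(.*?)\n\}', re.S)
# Matches a repository_id that references a github_repository resource by node_id or name.
REPO_REF_RE = re.compile(r'repository_id\s*=\s*github_repository\.(\w+)\.(?:node_id|name)')


def find_resources(tf_text, resource_type):
    """Return {label: body} for every resource block of the given type."""
    return {label: body for rtype, label, body in RESOURCE_RE.findall(tf_text)
            if rtype == resource_type}


def unprotected_repositories(tf_text):
    """Return labels of github_repository resources with no branch protection referencing them."""
    repos = find_resources(tf_text, "github_repository")
    protections = find_resources(tf_text, "github_branch_protection")
    protected = set()
    for body in protections.values():
        match = REPO_REF_RE.search(body)
        if match:
            protected.add(match.group(1))
    return sorted(label for label in repos if label not in protected)


if __name__ == "__main__":
    for label in unprotected_repositories(SAMPLE_TF):
        print(f"FAILED: github_repository.{label} has no branch protection rule")
```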
Rule Details
| Field | Value |
|---|---|
| ID | IAC-1038 |
| Severity | MEDIUM |
| IaC Type | Terraform |
| Frameworks | github_repository |
| Checkov ID | CKV2_GIT_1 |