Ensure GitHub branch protection dismisses stale review on new commit

Description

This policy checks whether GitHub branch protection is configured to dismiss stale reviews when a new commit is pushed to the pull request. Dismissing stale reviews keeps the review current and relevant: an approval granted for an earlier version of the change does not carry over to commits the reviewer has not seen. This matters because it preserves the integrity and effectiveness of the code review process, which is central to identifying and addressing security vulnerabilities and bugs before they are merged. With stale reviews dismissed, every change is approved on the basis of its most up-to-date contents.

Code Example

```hcl
# Terraform (GitHub provider) branch protection: approvals are revoked on new commits
required_pull_request_reviews {
  dismiss_stale_reviews = true
}
```

Remediation

Enable the 'Dismiss stale pull request reviews on push' option in the GitHub branch protection settings.
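The following is an added example, not Checkov's own implementation, showing how a check with the intent of CKV_GITHUB_11 can be evaluated against the JSON that GitHub's REST API returns for a branch's protection settings (`GET /repos/{owner}/{repo}/branches/{branch}/protection`). It treats a missing `required_pull_request_reviews` block (reviews not required) and a missing `dismiss_stale_reviews` key (GitHub's default of `false`) as failures; the sample payloads are constructed and trimmed to the fields the check reads.

```python
"""Evaluate the 'dismiss stale reviews' setting on GitHub branch protection.

Added example, not Checkov's own code. It mirrors the intent of CKV_GITHUB_11:
given the branch protection JSON from the GitHub REST API, report whether an
approval given on an earlier commit survives a new push.
"""
from typing import Any

PASSED = "PASSED"
FAILED = "FAILED"


def check_dismiss_stale_reviews(protection: dict[str, Any]) -> tuple[str, str]:
    """Return (result, reason) for one branch protection payload.

    A missing required_pull_request_reviews block means reviews are not
    required at all, and a missing dismiss_stale_reviews key means the
    GitHub default (false) applies; both fail the check.
    """
    reviews = protection.get("required_pull_request_reviews")
    if not isinstance(reviews, dict):
        return FAILED, "pull request reviews are not required on this branch"
    # Compare against the boolean True so a string "true" is not accepted.
    if reviews.get("dismiss_stale_reviews") is True:
        return PASSED, "stale approvals are dismissed when new commits are pushed"
    return FAILED, "dismiss_stale_reviews is not enabled (GitHub default is false)"


def scan(branches: dict[str, dict[str, Any]]) -> dict[str, str]:
    """Run the check across {branch_name: protection_json} and collect results."""
    return {name: check_dismiss_stale_reviews(cfg)[0] for name, cfg in branches.items()}


# Constructed sample payloads in the shape of the GitHub API response,
# trimmed to the fields this check reads.
SAMPLE_BRANCHES = {
    "main": {"required_pull_request_reviews": {"dismiss_stale_reviews": True,
                                               "required_approving_review_count": 1}},
    "release": {"required_pull_request_reviews": {"required_approving_review_count": 1}},
    "docs": {"enforce_admins": {"enabled": True}},
}

if __name__ == "__main__":
    for branch, result in scan(SAMPLE_BRANCHES).items():
        print(f"{branch}: {result}")  # main: PASSED, release: FAILED, docs: FAILED
```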

Rule Details

| Field | Value |
| --- | --- |
| ID | IAC-1049 |
| Severity | MEDIUM |
| IaC Type | github_configuration |
| Frameworks | * |
| Checkov ID | CKV_GITHUB_11 |

References