Ensure GitHub branch protection restricts who can dismiss PR reviews
Description
This policy checks whether GitHub branch protection restricts who can dismiss pull request reviews. Restricting dismissal permissions preserves the integrity of the code review process: only the users and teams you name can dismiss a review, so an approval cannot be removed by an unauthorized or careless collaborator to push unreviewed changes through. Enforcing this restriction keeps the required-review gate meaningful and reduces the risk that a vulnerability reaches the protected branch without review.
Code Example

```github
required_pull_request_reviews {
  dismissal_restrictions {
    users = ["username1", "username2"]
    teams = ["team-slug1", "team-slug2"]
  }
}
```

Remediation
Restrict who can dismiss pull request reviews by setting dismissal restrictions in the branch protection settings.
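As an added example (not Checkov's implementation and not code from this page), the following Python check evaluates a branch-protection object in the shape returned by the GitHub REST API (`GET /repos/{owner}/{repo}/branches/{branch}/protection`) and reports whether review dismissal is restricted. The sample documents are constructed and trimmed to the fields the check needs; they cover the compliant case plus the three ways the check fails (restriction block absent, restriction block present but empty, no required reviews at all).

```python
import json

def dismissal_is_restricted(protection: dict) -> bool:
    """True when only an explicit, non-empty set of users/teams/apps may
    dismiss reviews on the protected branch."""
    reviews = protection.get("required_pull_request_reviews")
    if not isinstance(reviews, dict):
        # No review requirement at all, so there is nothing restricting dismissal.
        return False
    restrictions = reviews.get("dismissal_restrictions")
    if not isinstance(restrictions, dict):
        # Block absent: every collaborator with write access may dismiss reviews.
        return False
    # An empty restriction object also disables the restriction on GitHub.
    return any(restrictions.get(key) for key in ("users", "teams", "apps"))

def check_branch_protection(protection_json: str) -> str:
    """Evaluate one branch-protection document and report PASSED or FAILED."""
    protection = json.loads(protection_json)
    return "PASSED" if dismissal_is_restricted(protection) else "FAILED"

# Constructed sample documents (shape of the GitHub REST API response, trimmed).
SAMPLES = {
    "restricted": json.dumps({
        "required_pull_request_reviews": {
            "required_approving_review_count": 2,
            "dismissal_restrictions": {
                "users": [{"login": "username1"}],
                "teams": [{"slug": "team-slug1"}],
                "apps": [],
            },
        }
    }),
    "no_restriction_block": json.dumps({
        "required_pull_request_reviews": {"required_approving_review_count": 1}
    }),
    "empty_restriction": json.dumps({
        "required_pull_request_reviews": {
            "dismissal_restrictions": {"users": [], "teams": [], "apps": []}
        }
    }),
    "no_required_reviews": json.dumps({"enforce_admins": {"enabled": True}}),
}

def run_samples() -> dict:
    """Evaluate every constructed sample; the result map is what a scanner would report."""
    return {name: check_branch_protection(doc) for name, doc in SAMPLES.items()}

if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:22s} {result}")
```

To run it against a live repository, feed the JSON body of the protection endpoint (for example, saved from `gh api`) to `check_branch_protection`.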
Rule Details
| Field | Value |
|---|---|
| ID | IAC-1050 |
| Severity | MEDIUM |
| IaC Type | github_configuration |
| Frameworks | * |
| Checkov ID | CKV_GITHUB_12 |