Ensure inactive branches are reviewed and removed periodically
Description
This policy checks whether inactive branches in a GitHub repository have been reviewed and removed periodically. Inactive branches that are not updated for 60 days may pose a security risk as they can contain outdated or vulnerable code. It is essential to review and remove these branches to prevent potential security vulnerabilities and maintain a clean repository. By removing inactive branches, developers can reduce the attack surface and minimize the risk of outdated code being exploited.
Code Example
```shell
# Delete the ref for one branch; replace {owner}, {repo} and {branch_name} with real values.
# Run only after confirming the branch is not the default branch and is not protected.
gh api /repos/{owner}/{repo}/git/refs/heads/{branch_name} -X DELETE
```
Remediation
To fix this issue, remove or update inactive branches that have not been updated for 60 days. This can be done by logging into the GitHub repository, identifying inactive branches, and either deleting them or updating the code to ensure it is current and secure.
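The remediation above says to identify branches that have gone 60 days without an update before deleting them. The following script is an added example (not part of Checkov, Prisma Cloud or the GitHub CLI) that does the identification step offline from constructed sample data shaped like the responses of `GET /repos/{owner}/{repo}/branches` and `GET /repos/{owner}/{repo}/commits/{sha}`. It skips the default branch and protected branches, treats a branch as stale when its last commit is 60 or more days old (the exactly-60-day case is included in the sample), and produces the `gh api ... -X DELETE` commands as a dry-run plan rather than running them. The owner and repo names, branch names and dates are all constructed placeholders.

```python
"""Find GitHub branches whose last commit is at least STALE_AFTER_DAYS old (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

STALE_AFTER_DAYS = 60  # threshold stated by the policy


@dataclass(frozen=True)
class BranchInfo:
    name: str
    last_commit: datetime  # timezone-aware
    protected: bool = False


def parse_github_date(value: str) -> datetime:
    """Parse the ISO-8601 timestamps GitHub returns, e.g. '2024-01-05T10:22:00Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def branch_from_api(branch_obj: dict, commit_obj: dict) -> BranchInfo:
    """Combine one entry of GET /repos/{owner}/{repo}/branches with the matching
    GET /repos/{owner}/{repo}/commits/{sha} response (committer date = last update)."""
    return BranchInfo(
        name=branch_obj["name"],
        last_commit=parse_github_date(commit_obj["commit"]["committer"]["date"]),
        protected=bool(branch_obj.get("protected", False)),
    )


def find_stale_branches(branches, default_branch: str, now: datetime,
                        stale_after_days: int = STALE_AFTER_DAYS) -> list[str]:
    """Return sorted names of branches not updated for stale_after_days or more.
    The default branch and protected branches are never reported."""
    cutoff = now - timedelta(days=stale_after_days)
    stale = [
        b.name for b in branches
        if b.name != default_branch and not b.protected and b.last_commit <= cutoff
    ]
    return sorted(stale)


def deletion_command(owner: str, repo: str, branch: str) -> str:
    """The gh CLI call from the policy's code example for one branch."""
    return f"gh api /repos/{owner}/{repo}/git/refs/heads/{branch} -X DELETE"


def plan_deletions(owner: str, repo: str, stale: list[str]) -> list[str]:
    """Dry-run plan: one deletion command per stale branch, nothing executed."""
    return [deletion_command(owner, repo, name) for name in stale]


# Constructed sample data (shape only mirrors the GitHub REST API; values are invented).
SAMPLE_BRANCH_LIST = [
    {"name": "main", "commit": {"sha": "aaa111"}, "protected": True},
    {"name": "feature/login", "commit": {"sha": "bbb222"}, "protected": False},
    {"name": "hotfix/typo", "commit": {"sha": "ccc333"}, "protected": False},
    {"name": "release/1.0", "commit": {"sha": "ddd444"}, "protected": True},
    {"name": "experiment/old-api", "commit": {"sha": "eee555"}, "protected": False},
    {"name": "chore/cleanup", "commit": {"sha": "fff666"}, "protected": False},
]
SAMPLE_COMMITS = {
    "aaa111": {"commit": {"committer": {"date": "2024-02-28T09:00:00Z"}}},
    "bbb222": {"commit": {"committer": {"date": "2023-11-15T12:00:00Z"}}},  # 107 days old
    "ccc333": {"commit": {"committer": {"date": "2024-02-10T12:00:00Z"}}},  # 20 days old
    "ddd444": {"commit": {"committer": {"date": "2023-12-01T12:00:00Z"}}},  # old but protected
    "eee555": {"commit": {"committer": {"date": "2023-12-31T00:00:00Z"}}},  # 61 days old
    "fff666": {"commit": {"committer": {"date": "2024-01-01T00:00:00Z"}}},  # exactly 60 days
}
NOW = datetime(2024, 3, 1, 0, 0, 0, tzinfo=timezone.utc)  # constructed "current time"

SAMPLE_BRANCHES = [
    branch_from_api(b, SAMPLE_COMMITS[b["commit"]["sha"]]) for b in SAMPLE_BRANCH_LIST
]

if __name__ == "__main__":
    stale = find_stale_branches(SAMPLE_BRANCHES, "main", NOW)
    for cmd in plan_deletions("example-org", "example-repo", stale):
        print(cmd)
```

Against live data, the same functions take the parsed JSON of the two `gh api` calls named above; keeping the plan step separate from execution lets the review required by the policy happen before any ref is deleted.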
Rule Details
| Field | Value |
|---|---|
| ID | IAC-1053 |
| Severity | MEDIUM |
| IaC Type | github_configuration |
| Frameworks | * |
| Checkov ID | CKV_GITHUB_15 |