Ensure GitHub branch protection requires push restrictions
Description
This policy checks whether GitHub branch protection requires push restrictions, ensuring that only authorized users or teams can push changes to protected branches. This is important because it helps prevent unauthorized changes to critical code, reducing the risk of security vulnerabilities or malicious activity. By enforcing push restrictions, organizations can maintain the integrity and security of their codebase. This rule is particularly relevant for organizations that use GitHub as their version control system.
Code Example (github)

PUT /repos/{owner}/{repo}/branches/{branch}/protection

```json
{
  "restrictions": {
    "users": [
      "username"
    ],
    "teams": [
      "team_slug"
    ],
    "apps": [
      "app_slug"
    ]
  }
}
```

Remediation
Enable branch protection and require push restrictions for the branch.
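The following is an added example, not Checkov's own implementation: it evaluates the `restrictions` block of a branch-protection document in the shape returned by `GET /repos/{owner}/{repo}/branches/{branch}/protection` and builds the remediation body shown above. The sample documents, repository names and principal names are constructed for illustration.

```python
"""Check GitHub branch protection JSON for push restrictions (CKV_GITHUB_17 style)."""
import json

# Constructed sample: protection with push restrictions (users/teams/apps present).
PROTECTED = json.loads("""{
  "url": "https://api.github.com/repos/acme/app/branches/main/protection",
  "required_pull_request_reviews": {"required_approving_review_count": 2},
  "restrictions": {
    "users": [{"login": "release-bot"}],
    "teams": [{"slug": "platform-admins"}],
    "apps": []
  }
}""")

# Constructed sample: branch protection exists but no push restrictions configured.
# GitHub omits the "restrictions" key entirely when the setting is off.
UNRESTRICTED = json.loads("""{
  "url": "https://api.github.com/repos/acme/app/branches/main/protection",
  "required_pull_request_reviews": {"required_approving_review_count": 2},
  "enforce_admins": {"enabled": true}
}""")


def evaluate_push_restrictions(protection):
    """Return (passed, allowed_principals) for one branch-protection document.

    Passes when a 'restrictions' object is present. A present block with empty
    lists still passes: it restricts direct pushes without granting anyone.
    """
    restrictions = protection.get("restrictions")
    if not isinstance(restrictions, dict):
        return False, []
    allowed = (
        [f"user:{u['login']}" for u in restrictions.get("users", [])]
        + [f"team:{t['slug']}" for t in restrictions.get("teams", [])]
        + [f"app:{a['slug']}" for a in restrictions.get("apps", [])]
    )
    return True, allowed


def remediation_payload(users=(), teams=(), apps=()):
    """Body for PUT .../protection enabling push restrictions (only the
    'restrictions' part; a real call sends the other protection settings too)."""
    return {"restrictions": {"users": list(users), "teams": list(teams), "apps": list(apps)}}


if __name__ == "__main__":
    for name, doc in (("main (restricted)", PROTECTED), ("main (open)", UNRESTRICTED)):
        passed, allowed = evaluate_push_restrictions(doc)
        print(f"{name}: {'PASSED' if passed else 'FAILED'} allowed={allowed}")
    print(json.dumps(remediation_payload(teams=["platform-admins"]), indent=2))
```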
Rule Details
| Field | Value |
|---|---|
| ID | IAC-1055 |
| Severity | MEDIUM |
| IaC Type | github_configuration |
| Frameworks | * |
| Checkov ID | CKV_GITHUB_17 |