Ensure that default repository branches are protected.
Checks that validate that protections have been enabled on the repository's default branch. These protections are required to prevent unauthorized changes to repository content.
Branch Protection Checks
Missing Repository Branch Protection
Checks for GitHub repositories that do not have any Branch Protection configured.
Allows Deletions of Default Branch
Checks for repositories that allow deletion of the default branch from Git.
Allows Force Pushes
Checks for repository config that allows force pushes to the default branch.
Allows Non-Linear History
Checks for repository config that allows non-linear history (merge commits) to be pushed to the default branch.
Allows Unresolved Conversations
Checks for repository config that does not require all conversations to be resolved before merging.
No Code Owners Required
Checks for repository config that does not require reviews from a designated code owner. If no code owners are set for the repository, this check is ignored.
No Commit Signature Required
Checks for repository config that does not require commits to be cryptographically signed. Commit signatures help prevent impersonation of Git users.
Protections not Enforced for Admins
Checks that the branch protection settings are enforced for regular users and repository administrators.
Stale Reviews Remain Valid
Checks for repository config that keeps review approvals even after new commits are pushed to the Pull Request.
No Approvals Required
Checks for repository config that requires no (zero) approving review before merging a Pull Request into the default branch.
No Status Checks Required
Checks for repository config that requires no (zero) status checks to pass before a Pull Request can be merged.
Allows Reviewer to Self-Review Their Own Changes
Checks for repository config that allows a Pull Request reviewer to push new commits that bypass otherwise enforced peer review approval.
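
An added example, not the checking tool's own code: one way to evaluate the checks above against the JSON that GitHub's REST API returns from `GET /repos/{owner}/{repo}/branches/{branch}/protection`. The function names, the `has_codeowners` flag, the constructed sample document, and the mapping of the self-review check to `require_last_push_approval` are assumptions.

```python
def _enabled(doc, key):
    # GitHub wraps on/off settings as {"enabled": bool}; a missing key counts as off.
    return bool((doc.get(key) or {}).get("enabled", False))

def audit_branch_protection(protection, has_codeowners=True):
    """Return the names of the checks that fire for one default branch.
    `protection` is the parsed protection JSON, or None when the API
    answered 404 because no protection is configured."""
    if not protection:
        return ["Missing Repository Branch Protection"]
    reviews = protection.get("required_pull_request_reviews") or {}
    status = protection.get("required_status_checks") or {}
    rules = [
        ("Allows Deletions of Default Branch", _enabled(protection, "allow_deletions")),
        ("Allows Force Pushes", _enabled(protection, "allow_force_pushes")),
        ("Allows Non-Linear History", not _enabled(protection, "required_linear_history")),
        ("Allows Unresolved Conversations", not _enabled(protection, "required_conversation_resolution")),
        # Ignored when the repository defines no code owners, as the page states.
        ("No Code Owners Required", has_codeowners and not reviews.get("require_code_owner_reviews", False)),
        ("No Commit Signature Required", not _enabled(protection, "required_signatures")),
        ("Protections not Enforced for Admins", not _enabled(protection, "enforce_admins")),
        ("Stale Reviews Remain Valid", not reviews.get("dismiss_stale_reviews", False)),
        ("No Approvals Required", (reviews.get("required_approving_review_count") or 0) < 1),
        ("No Status Checks Required", not (status.get("contexts") or status.get("checks"))),
        # Assumption: this check corresponds to GitHub's require_last_push_approval setting.
        ("Allows Reviewer to Self-Review Their Own Changes", not reviews.get("require_last_push_approval", False)),
    ]
    return [name for name, fired in rules if fired]

# Constructed sample (not from a real repository): a partially protected branch.
SAMPLE = {
    "enforce_admins": {"enabled": False},
    "allow_force_pushes": {"enabled": False},
    "allow_deletions": {"enabled": True},
    "required_linear_history": {"enabled": True},
    "required_conversation_resolution": {"enabled": True},
    "required_signatures": {"enabled": True},
    "required_status_checks": {"strict": True, "contexts": ["ci/build"]},
    "required_pull_request_reviews": {
        "dismiss_stale_reviews": True, "require_code_owner_reviews": False,
        "required_approving_review_count": 1, "require_last_push_approval": True,
    },
}

if __name__ == "__main__":
    print("\n".join(audit_branch_protection(SAMPLE)))
```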