Branch Protection

Ensure that default repository branches are protected.

Checks that validate that protections have been enabled on the repository's default branch. These protections are required to prevent unauthorized changes to repository content.

Branch Protection Checks

Missing Repository Branch Protection

Checks for GitHub repositories that do not have any Branch Protection configured.

Allows Deletions of Default Branch

Checks for repositories that allow deletion of the default branch from Git.

Allows Force Pushes

Checks for repository config that allows force pushes to the default branch.

Allows Non-Linear History

Checks for repository config that allows non-linear history (merge commits) to be pushed to the default branch.

Allows Unresolved Conversations

Checks for repository config that does not require all conversations to be resolved before merging.

No Code Owners Required

Checks for repository config that does not require reviews from a designated code owner. If no code owners are set for the repository, this check is ignored.

No Commit Signature Required

Checks for repository config that does not require commits to be cryptographically signed. Commit signatures help prevent impersonation of Git users.

Protections not Enforced for Admins

Checks that the branch protection settings are enforced for repository administrators as well as regular users.

Stale Reviews Remain Valid

Checks for repository config that keeps review approvals valid even after new commits are pushed to the Pull Request.

No Approvals Required

Checks for repository config that requires no (zero) approving reviews before merging a Pull Request to the default branch.

No Status Checks Required

Checks for repository config that requires no (zero) status checks to pass before a Pull Request can be merged.

Allows Reviewer to Self-Review Their Own Changes

Checks for repository config that allows a Pull Request reviewer to push new commits that bypass otherwise enforced peer review approval.
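
The checks above, evaluated against the JSON object returned by GitHub's REST "get branch protection" endpoint. This is an added example, not the tool's own code: the function name, the TOGGLES table and the sample data are assumptions, and mapping the self-review check to require_last_push_approval is an assumption about which setting that check reads.

```python
# (setting key, "enabled" value that triggers the finding, finding title)
TOGGLES = [
    ("allow_deletions", True, "Allows Deletions of Default Branch"),
    ("allow_force_pushes", True, "Allows Force Pushes"),
    ("required_linear_history", False, "Allows Non-Linear History"),
    ("required_conversation_resolution", False, "Allows Unresolved Conversations"),
    ("required_signatures", False, "No Commit Signature Required"),
    ("enforce_admins", False, "Protections not Enforced for Admins"),
]


def evaluate_branch_protection(protection, has_codeowners=False):
    """Return finding titles for one default branch.

    protection: parsed JSON dict, or None when the API reports the branch
    as unprotected. has_codeowners: repository has a CODEOWNERS file.
    """
    if not protection:
        return ["Missing Repository Branch Protection"]
    # Toggle settings are wrapped as {"enabled": bool}; a missing key is False.
    findings = [title for key, bad, title in TOGGLES
                if bool((protection.get(key) or {}).get("enabled", False)) is bad]

    reviews = protection.get("required_pull_request_reviews") or {}
    # The code-owner check is ignored when the repository has no code owners.
    if has_codeowners and not reviews.get("require_code_owner_reviews", False):
        findings.append("No Code Owners Required")
    if not reviews.get("dismiss_stale_reviews", False):
        findings.append("Stale Reviews Remain Valid")
    if reviews.get("required_approving_review_count", 0) < 1:
        findings.append("No Approvals Required")
    # Assumption: self-review corresponds to require_last_push_approval.
    if not reviews.get("require_last_push_approval", False):
        findings.append("Allows Reviewer to Self-Review Their Own Changes")

    status = protection.get("required_status_checks") or {}
    if not (status.get("checks") or status.get("contexts")):
        findings.append("No Status Checks Required")
    return findings


# Constructed sample: force pushes allowed, admins exempt, no status checks.
SAMPLE = {
    "allow_force_pushes": {"enabled": True}, "enforce_admins": {"enabled": False},
    "required_linear_history": {"enabled": True},
    "required_conversation_resolution": {"enabled": True},
    "required_signatures": {"enabled": True},
    "required_pull_request_reviews": {
        "dismiss_stale_reviews": True, "required_approving_review_count": 1,
        "require_code_owner_reviews": False, "require_last_push_approval": True},
    "required_status_checks": {"strict": True, "contexts": [], "checks": []},
}
```

A required_status_checks object with empty contexts and checks lists still counts as "No Status Checks Required", since zero checks have to pass.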