Verify that Github Branch Protection is Properly Configured
Description
Branch protection is an important GitHub feature that enables you to protect git branches from unauthorized modifications. By setting branch protection, you can define whether collaborators can delete or force push to the branch, as well as set requirements—such as the minimum number of approvers for PRs and a list of mandatory status checks—for any pushes to that branch.
Stack layer | Security domain | Security tool initiated by this item |
---|---|---|
CI/CD Security | GitHub Branch Protection | bp-github-checker (Jit Internal Tool) |
Configuration
- Required number of approvals — When enabled, Jit checks if pull requests targeting the default branch require this number of approvals before they can be merged.
- Require status checks — When enabled, Jit checks if these status checks must pass before pull requests can be merged to the default branch.
Recommended configuration
Jit strongly recommends all users use this requirement to validate branch protection rules requiring passage of the Jit Security status check before merging.
Remediation
Jit provides repository-level remediation scripts for the following branch protection misconfigurations:
Finding type | What will Jit do? | Why should you fix it? |
---|---|---|
Wrong number of approvals. | Create a script that updates the number of approvals. | Setting the number of approvals that must pass is necessary to safeguard the quality of your code without creating new security issues. |
Missing checks. | Create a script that updates required checks. | Setting the required checks that must pass is necessary to safeguard the quality of your code without creating new security issues. |
From the Branch Protection GitHub action, download the script and run it from a local environment with the ${github_username}:${github_pat} as an argument, where:
- ${github_username} is your GitHub username.
- ${github_pat} is your personal access token.
Note
The personal access token requires full control permissions on your repositories.
Updated about 1 year ago