Profile Applicability:
Level 1

Description:
 When a code change proposal (such as a pull request or merge request) is updated with new commits or modifications, any prior approvals must be dismissed or revoked. This ensures that reviewers re-evaluate the updated changes, maintaining the integrity of the review process and preventing unreviewed code from being merged.

Rationale:
 Dismissing previous approvals after updates guarantees that reviewers assess all the latest changes thoroughly. It reduces the risk of introducing defects, vulnerabilities, or unintended behavior into the codebase without proper oversight. This practice strengthens code quality and compliance with secure development policies.

Impact:
 Pros:

  • Ensures comprehensive review of all code changes.

  • Prevents accidental merging of unreviewed updates.

  • Enhances code quality and security posture.

 Cons:

  • May increase review time due to repeated approvals.

  • Requires consistent enforcement in development workflows.

Default value:
 Some version control systems or repositories may allow prior approvals to persist despite new changes, leading to potential oversight.

Audit:
 Check the pull request or merge request settings to verify whether existing approvals are dismissed automatically when new commits are pushed. Review the approval logs to confirm that dismissal actually occurs.
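
 As an added example, not part of the benchmark, the following Python helper performs the audit above on GitHub through its REST API. It evaluates both places the setting can live, classic branch protection (dismiss_stale_reviews) and branch rulesets (dismiss_stale_reviews_on_push); the owner, repository, branch and token are supplied by the caller, and the sample responses at the bottom are constructed, not real API output.

```python
"""Audit helper: does a GitHub branch dismiss stale PR approvals on new pushes?"""
import json
import urllib.error
import urllib.request

API = "https://api.github.com"

def fetch_json(path, token):
    """GET a REST endpoint; None on 404 (branch has no classic protection)."""
    req = urllib.request.Request(API + path, headers={
        "Authorization": f"Bearer {token}", "Accept": "application/vnd.github+json"})
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise

def stale_approvals_dismissed(protection, rules):
    """Evaluate both places the setting can live.
    protection: GET /repos/{o}/{r}/branches/{b}/protection body, or None
    rules: GET /repos/{o}/{r}/rules/branches/{b} body (list of active rules)
    Returns (compliant, reason)."""
    reviews = (protection or {}).get("required_pull_request_reviews")
    if reviews and reviews.get("dismiss_stale_reviews"):
        return True, "branch protection: dismiss_stale_reviews=true"
    pr_rules = [r.get("parameters", {}) for r in rules or []
                if r.get("type") == "pull_request"]
    if any(p.get("dismiss_stale_reviews_on_push") for p in pr_rules):
        return True, "ruleset: dismiss_stale_reviews_on_push=true"
    if reviews or pr_rules:
        return False, "reviews required but stale approvals survive new pushes"
    return False, "no pull request review requirement found on this branch"

def audit_branch(owner, repo, branch, token):
    """Live check; needs a token with read access to the repository."""
    base = f"/repos/{owner}/{repo}"
    return stale_approvals_dismissed(
        fetch_json(f"{base}/branches/{branch}/protection", token),
        fetch_json(f"{base}/rules/branches/{branch}", token) or [])

# Constructed sample responses (not real API output) to exercise the evaluator.
SAMPLE_PROTECTION_WEAK = {"required_pull_request_reviews": {
    "dismiss_stale_reviews": False, "required_approving_review_count": 1}}
SAMPLE_RULES_OK = [{"type": "pull_request", "parameters": {
    "dismiss_stale_reviews_on_push": True, "required_approving_review_count": 1}}]
```

 A branch with no review requirement at all is reported as non-compliant too, since there are no approvals to dismiss and the control cannot be meaningfully enforced.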

Remediation:
 Configure repository settings or enforce policies that automatically dismiss prior approvals when code changes are pushed to an existing code change proposal. Educate development teams on this process to ensure compliance.

References:

  1. GitHub Documentation - Require review from Code Owners: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/about-protected-branches#require-review-from-code-owners

  2. GitLab Merge Request Approval Rules: https://docs.gitlab.com/ee/user/project/merge_requests/approvals/#resetting-approvals-when-pushing-new-commits

  3. CIS Controls v8, Control 6 - Maintenance, Monitoring, and Analysis of Audit Logs: https://www.cisecurity.org/controls/maintenance-monitoring-and-analysis-of-audit-logs/