Profile Applicability:
Level 1

Description:
 Access to dismiss or revoke code review approvals must be restricted to authorized personnel only. This control prevents unauthorized users from bypassing the code review process by removing approvals, thereby maintaining the integrity and accountability of the software development lifecycle.

Rationale:
 Restricting dismissal permissions safeguards the review process by ensuring only trusted, designated users can invalidate approvals. This reduces the risk of malicious or accidental bypass of quality and security checks, upholds audit and compliance requirements, and enforces segregation of duties within development teams.

Impact:
 Pros:

  • Protects the integrity of the code review process.

  • Prevents unauthorized bypass of quality and security controls.

  • Enhances accountability and traceability.

  • Supports compliance with security policies and regulations.

 Cons:

  • Requires proper role definition and management.

  • May introduce delays if access is overly restrictive.

Default value:
 By default, some repositories or version control platforms may allow broad permissions to dismiss reviews without restrictions.

Audit:
 Review repository permission settings to ensure only authorized users or groups can dismiss code review approvals. Check audit logs for dismissal activities and verify compliance with access policies.

Remediation:
 Configure repository or code management platform permissions to limit dismissal of code review approvals to specific roles or individuals. Implement role-based access control (RBAC) and regularly review access privileges. Train teams on approval and dismissal policies.
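 As an added illustration of the audit and remediation steps above (example code, not part of this benchmark), the following Python checks a branch protection record for a dismissal restriction and flags dismissals in audit-log events by actors outside the authorized set. The JSON field names follow the GitHub branch protection API and the event action name is an assumption; all sample data is constructed.

```python
import json
from collections import Counter

# Constructed samples modelled on the GitHub REST API response for
# GET /repos/{owner}/{repo}/branches/{branch}/protection (field names are
# an assumption about that API, not taken from the benchmark text).
COMPLIANT = json.dumps({"required_pull_request_reviews": {
    "dismiss_stale_reviews": True,
    "required_approving_review_count": 2,
    "dismissal_restrictions": {"users": [], "teams": ["security-reviewers"], "apps": []},
}})
NONCOMPLIANT = json.dumps({"required_pull_request_reviews": {
    "dismiss_stale_reviews": False,
    "required_approving_review_count": 1,
}})

def audit_dismissal_restrictions(protection_json: str) -> list:
    """Return audit findings for one branch; an empty list means the control passes."""
    findings = []
    reviews = json.loads(protection_json).get("required_pull_request_reviews")
    if reviews is None:
        return ["no pull request review requirement configured on this branch"]
    restrictions = reviews.get("dismissal_restrictions")
    if restrictions is None:
        findings.append("dismissal_restrictions absent: any user with write access can dismiss approvals")
    elif not (restrictions.get("users") or restrictions.get("teams") or restrictions.get("apps")):
        findings.append("dismissal_restrictions present but names no user, team or app")
    if not reviews.get("dismiss_stale_reviews", False):
        findings.append("dismiss_stale_reviews disabled: an approval survives later commits")
    return findings

# Constructed audit-log events; 'pull_request_review.dismiss' is the action name
# assumed for a review dismissal and 'actor' the user who performed it.
SAMPLE_EVENTS = [
    {"action": "pull_request_review.dismiss", "actor": "alice", "repo": "org/app"},
    {"action": "pull_request_review.submit", "actor": "bob", "repo": "org/app"},
    {"action": "pull_request_review.dismiss", "actor": "mallory", "repo": "org/app"},
]

def unauthorized_dismissals(events, allowed_actors):
    """Map each actor outside the allowed set to the number of dismissals they performed."""
    counts = Counter(e["actor"] for e in events if e["action"] == "pull_request_review.dismiss")
    return {actor: n for actor, n in counts.items() if actor not in allowed_actors}

if __name__ == "__main__":
    print(audit_dismissal_restrictions(NONCOMPLIANT))
    print(unauthorized_dismissals(SAMPLE_EVENTS, {"alice"}))
```

The allowed-actor set should be derived from the same users and teams named in the dismissal restriction, so the log check and the configuration check enforce one policy.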

References:

  1. GitHub Branch Protection Rules and Permissions: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/about-protected-branches

  2. GitLab Permissions and Approvals: https://docs.gitlab.com/ee/user/permissions.html#merge-request-approvals

  3. CIS Controls v8, Control 6 - Maintenance, Monitoring, and Analysis of Audit Logs: https://www.cisecurity.org/controls/maintenance-monitoring-and-analysis-of-audit-logs/