Profile Applicability:
Level 1
Description:
Any code change affecting files or directories assigned to a specific code owner must receive explicit review and approval from that code owner before merging or deployment. This ensures that experts responsible for sensitive or critical code verify all modifications to maintain quality and security.
Rationale:
Requiring code owner reviews guarantees that changes impacting critical or sensitive areas undergo thorough evaluation by knowledgeable individuals. This reduces the risk of introducing errors, vulnerabilities, or misconfigurations and supports accountability and compliance with organizational policies.
Impact:
Pros:
Ensures expert review of changes in sensitive areas.
Enhances code quality and security.
Increases accountability and traceability.
Helps meet audit and compliance requirements.
Cons:
May introduce delays if code owners are unavailable.
Requires maintenance of code ownership mappings.
Default value:
Code owner approval is not enforced by default. Without this control, changes to sensitive code may be merged without scrutiny from the experts responsible for it.
Audit:
Verify that pull request (branch protection) or merge request approval settings require approval from the designated code owners for every owned file a change touches, and that the ownership mapping (for example a CODEOWNERS file) covers the sensitive paths. Review merge and approval logs to confirm that merged changes were in fact approved by the designated code owners.
Remediation:
Configure repository settings to require code owner reviews before merging changes to owned files or directories. Educate development teams on the importance of this control and maintain accurate code ownership configurations.
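As an added illustration of the Audit and Remediation steps above (example code, not part of the benchmark or of GitHub/GitLab): a constructed CODEOWNERS file with placeholder handles and a Python helper that applies simplified GitHub-style matching (last matching pattern wins) to a pull request's changed files and reports which owners have not yet approved. It assumes team membership has already been expanded to team handles and uses fnmatch globs, whose `*` also matches `/`.

```python
from fnmatch import fnmatchcase

# Constructed CODEOWNERS with placeholder handles (not a real project).
SAMPLE_CODEOWNERS = """
# Fallback owner for anything not matched by a later, more specific rule
*            @example-org/platform-team
/infra/      @example-org/infra-team
/auth/       @alice @bob
"""
# Constructed PR: changed paths and approvers (team membership assumed pre-expanded).
CHANGED_FILES = ["auth/session.py", "infra/modules/vpc/main.tf", "README.md"]
APPROVERS = ["@alice", "@example-org/infra-team"]

def parse_codeowners(text):
    """Return [(pattern, owners)] in file order; later rules take precedence."""
    rows = [ln.split("#", 1)[0].split() for ln in text.splitlines()]
    return [(r[0], r[1:]) for r in rows if r]

def pattern_matches(pattern, path):
    """Simplified gitignore-style match: trailing '/' covers the directory, a leading
    or embedded '/' anchors to the repo root, a bare name matches in any directory.
    Caveat: fnmatch's '*' also matches '/', unlike real CODEOWNERS globs."""
    if pattern.endswith("/"):
        pattern = pattern.rstrip("/") + "/**"
    if pattern.startswith("/"):
        candidates = [pattern[1:]]
    elif "/" in pattern:
        candidates = [pattern]
    else:
        candidates = [pattern, "**/" + pattern]
    return any(fnmatchcase(path, c) for c in candidates)

def required_owners(rules, changed_files):
    """Map each changed file to the owners of its LAST matching rule."""
    required = {}
    for path in changed_files:
        matches = [owners for pat, owners in rules if pattern_matches(pat, path)]
        if matches:
            required[path] = matches[-1]   # later rule overrides earlier ones
    return required

def missing_approvals(rules, changed_files, approvers):
    """Files whose owners have not approved; any one listed owner satisfies a file."""
    approved = {a.lower() for a in approvers}
    return {p: o for p, o in required_owners(rules, changed_files).items()
            if not any(owner.lower() in approved for owner in o)}

if __name__ == "__main__":
    rules = parse_codeowners(SAMPLE_CODEOWNERS)
    for path, owners in missing_approvals(rules, CHANGED_FILES, APPROVERS).items():
        print(f"BLOCK merge: {path} still needs approval from {' or '.join(owners)}")
```

Run against a real repository by reading its CODEOWNERS file and the PR's changed paths and approving reviewers from the hosting platform's API; a non-empty result means the merge should be blocked or flagged in the audit.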
References:
GitHub Branch Protection with CODEOWNERS: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/about-code-owners
GitLab Code Owners and Approvals: https://docs.gitlab.com/ee/user/project/code_owners.html
CIS Controls v8, Control 6 - Maintenance, Monitoring, and Analysis of Audit Logs: https://www.cisecurity.org/controls/maintenance-monitoring-and-analysis-of-audit-logs/