Profile Applicability:
Level 1
Description:
Open Git branches must be synchronized with the latest changes from the target base branch (e.g., main or master) before being merged. This ensures that the code being merged is tested and compatible with the most current version of the codebase, reducing integration conflicts and maintaining stability.
Rationale:
Requiring branches to be up to date before merging minimizes merge conflicts and integration errors. It ensures that changes are validated against the latest code, improving code quality, reducing regression risks, and supporting smooth collaboration among development teams.
Impact:
Pros:
Prevents merge conflicts and integration issues.
Ensures compatibility with the latest codebase.
Supports stable and reliable software releases.
Encourages continuous synchronization and testing.
Cons:
May introduce delays if base branch changes frequently.
Requires developer discipline to regularly update branches.
Default value:
Some repositories allow merging branches without ensuring they are updated with the latest base branch changes.
Audit:
Verify that repository or pull request settings require branches to be updated with the base branch before merging. Check merge records to confirm that branches were up to date at merge time.
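The audit above can be scripted. The following is an added example, not part of the benchmark text or any vendor tool: it walks a constructed commit graph and flags merge commits whose base-branch tip at merge time was not already contained in the merged branch, and it inspects a constructed GitHub branch-protection response for the "require branches to be up to date" flag (required_status_checks.strict). The parent map, commit names and sample JSON are assumptions built for the example.

```python
# Added example (not from the benchmark): audit merge records and branch
# protection settings for the "branch must be up to date" requirement.
# Convention used: for a merge commit, parents[0] is the base branch tip at
# merge time and parents[1] is the merged branch tip (git's first-parent order
# when merging into the base branch). On a real repository the same per-merge
# check is: git merge-base --is-ancestor <parents[0]> <parents[1]>
from collections import deque

def is_ancestor(parents, ancestor, commit):
    """True if `ancestor` is reachable from `commit` via parent links (or equal)."""
    seen, queue = set(), deque([commit])
    while queue:
        c = queue.popleft()
        if c == ancestor:
            return True
        if c in seen:
            continue
        seen.add(c)
        queue.extend(parents.get(c, ()))
    return False

def stale_merges(parents):
    """Merge commits whose base tip (parents[0]) is not an ancestor of the
    branch tip (parents[1]): the branch was NOT up to date when merged."""
    return [c for c, ps in parents.items()
            if len(ps) >= 2 and not is_ancestor(parents, ps[0], ps[1])]

def strict_checks_enabled(protection):
    """Check a GitHub branch-protection API response (GET
    /repos/{owner}/{repo}/branches/{branch}/protection) for
    required_status_checks.strict, the 'require branches to be up to date' flag."""
    checks = protection.get("required_status_checks") or {}
    return checks.get("strict") is True

# Constructed history: A <- B on the base branch. Branch C was rebased onto B
# and merged as M1 (up to date). Branch E forked from A, was never updated,
# and was merged as M2 (stale).
SAMPLE_PARENTS = {
    "A": (), "B": ("A",), "C": ("B",), "M1": ("B", "C"),
    "E": ("A",), "M2": ("M1", "E"),
}
# Constructed protection response with strict checks switched off.
SAMPLE_PROTECTION = {"required_status_checks": {"strict": False, "contexts": ["ci/test"]}}

if __name__ == "__main__":
    print("stale merges:", stale_merges(SAMPLE_PARENTS))              # ['M2']
    print("strict checks:", strict_checks_enabled(SAMPLE_PROTECTION))  # False
```

Squash and fast-forward merges leave no merge commit, so for those the settings check is the only evidence available from the repository itself.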
Remediation:
Configure branch protection or merge policies to require branches to be rebased or merged with the latest base branch before merging. Communicate policies to development teams and provide guidance on updating branches.
References:
GitHub Branch Protection Rules: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/configuring-protected-branches
GitLab Merge Request Settings: https://docs.gitlab.com/ee/user/project/merge_requests/
CIS Controls v8, Control 6 - Maintenance, Monitoring, and Analysis of Audit Logs: https://www.cisecurity.org/controls/maintenance-monitoring-and-analysis-of-audit-logs/