Profile Applicability:
 Level 1

Description:
 Branch protection rules, such as required reviews, status checks, and restrictions on force pushes or deletions, must apply equally to administrator accounts. This control ensures that administrators cannot bypass important safeguards intended to maintain code quality and security.

Rationale:
 Enforcing branch protection rules on administrators prevents circumvention of development policies and reduces the risk of accidental or malicious code changes. It maintains consistent security controls across all users, ensuring accountability and compliance.

Impact:
 Pros:

  • Maintains consistent security and quality controls.

  • Prevents privilege misuse by administrators.

  • Enhances auditability and accountability.

  • Supports compliance with organizational policies.

 Cons:

  • May limit administrators’ emergency actions or rapid fixes.

  • Requires balancing security and operational flexibility.

Default value:
 Some repositories exclude administrators from branch protection rules by default, allowing them to bypass restrictions.

Audit:
 Review each repository's branch protection settings to verify that the rules are enforced for administrators as well as other users. Review the audit log for any administrator actions that bypassed or disabled these rules.
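 The following is an added example, not part of the benchmark, of automating the first audit step for a GitHub repository. It evaluates the decoded JSON of GitHub's REST branch-protection endpoint (GET /repos/{owner}/{repo}/branches/{branch}/protection); the sample response below is constructed, and the field names assume that endpoint's documented shape. Pass None when the endpoint returns 404, which means the branch is not protected at all.

```python
import json

# Constructed sample of a branch-protection response, trimmed to the fields
# this control cares about. Values are made up for illustration.
SAMPLE_PROTECTION = json.loads("""
{
  "enforce_admins": {"enabled": false},
  "required_pull_request_reviews": {"required_approving_review_count": 1},
  "required_status_checks": {"strict": true, "contexts": ["ci/build"]},
  "allow_force_pushes": {"enabled": false},
  "allow_deletions": {"enabled": true}
}
""")


def audit_branch_protection(protection):
    """Return a list of findings for one branch.

    `protection` is the decoded JSON of the branch-protection endpoint, or
    None when the endpoint returned 404 (branch has no protection rule).
    An empty list means the branch passes this control.
    """
    if protection is None:
        return ["branch has no protection rule at all"]

    findings = []
    # The key check for this control: administrators must be subject to the rule.
    if not (protection.get("enforce_admins") or {}).get("enabled", False):
        findings.append("enforce_admins is disabled: administrators can bypass the rule")

    # The safeguards named in the description must be present for the rule to matter.
    reviews = protection.get("required_pull_request_reviews") or {}
    if reviews.get("required_approving_review_count", 0) < 1:
        findings.append("no approving review is required before merge")
    if not (protection.get("required_status_checks") or {}).get("contexts"):
        findings.append("no status checks are required")
    if (protection.get("allow_force_pushes") or {}).get("enabled", False):
        findings.append("force pushes are allowed")
    if (protection.get("allow_deletions") or {}).get("enabled", False):
        findings.append("branch deletion is allowed")
    return findings


if __name__ == "__main__":
    for finding in audit_branch_protection(SAMPLE_PROTECTION):
        print("FAIL:", finding)
```

 Note that a repository administrator can still edit or delete the rule itself, so the settings check only covers the current state; the audit log review in the Audit section remains necessary.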

Remediation:
 Configure branch protection policies to include administrators in enforcement. Define clear escalation procedures for exceptions. Educate administrators about the importance of these controls.

References:

  1. GitHub Branch Protection Rules: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/about-protected-branches

  2. GitLab Protected Branches and Permissions: https://docs.gitlab.com/ee/user/project/protected_branches.html

  3. CIS Controls v8, Control 6 - Maintenance, Monitoring, and Analysis of Audit Logs: https://www.cisecurity.org/controls/maintenance-monitoring-and-analysis-of-audit-logs/