Profile Applicability:
Level 1
Description:
Deletion of branches, especially protected or main branches, must be restricted or denied to prevent accidental or malicious loss of important code and history. This control helps maintain repository integrity and preserves valuable development work.
Rationale:
Preventing branch deletions safeguards the codebase from unintended data loss and supports traceability by retaining full branch history. It ensures continuity in development workflows and aligns with audit and compliance requirements.
Impact:
Pros:
Protects against accidental or malicious branch removal.
Maintains comprehensive project history and audit trails.
Supports stable development and release processes.
Cons:
May limit cleanup of obsolete branches if overly restrictive.
Requires proper processes for authorized branch deletions when necessary.
Default value:
By default, some repositories allow all users or administrators to delete branches.
Audit:
Review repository settings to confirm branch deletion restrictions. Check logs for any unauthorized or accidental branch deletions.
Remediation:
Implement branch protection policies to deny branch deletions on critical branches. Define and communicate procedures for authorized branch removal. Monitor repository activities for compliance.
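The following script is an added example, not part of the benchmark text, showing one way to automate the Audit step above on GitHub: it evaluates the JSON returned by the branch-protection endpoint and reports any audited branch whose protection does not deny deletion. The sample API responses are constructed; the owner, repository, branch names and token are assumptions, and repository rulesets (a separate GitHub mechanism) are not checked here.

```python
"""Audit GitHub branch protection for the 'allow deletions' setting.

GET /repos/{owner}/{repo}/branches/{branch}/protection returns an
`allow_deletions.enabled` flag; it must be false for a compliant branch.
The endpoint answers 404 for an unprotected branch, which also fails the
control because nothing then prevents deletion by anyone with write access.
"""
import json
import urllib.request
from typing import Optional

# Constructed sample responses, trimmed to the fields this check reads.
# None stands for an HTTP 404 ("Branch not protected").
SAMPLE_RESPONSES = {
    "main": {"allow_deletions": {"enabled": False}},
    "release": {"allow_deletions": {"enabled": True}},
    "develop": None,
}

def deletion_blocked(protection: Optional[dict]) -> bool:
    """True only when the payload explicitly denies branch deletion."""
    if protection is None:
        return False  # unprotected branch: no restriction at all
    flag = protection.get("allow_deletions", {}).get("enabled")
    return flag is False  # a missing field is a finding, not a pass

def audit(responses: dict) -> dict:
    """Map each branch to 'PASS' or a finding describing why it fails."""
    results = {}
    for branch, payload in responses.items():
        if payload is None:
            results[branch] = "FAIL: branch is not protected"
        elif deletion_blocked(payload):
            results[branch] = "PASS"
        else:
            results[branch] = "FAIL: allow_deletions is enabled"
    return results

def fetch_protection(owner: str, repo: str, branch: str, token: str) -> Optional[dict]:
    """Live lookup; needs a token with repository administration read access."""
    url = f"https://api.github.com/repos/{owner}/{repo}/branches/{branch}/protection"
    req = urllib.request.Request(url, headers={
        "Accept": "application/vnd.github+json",
        "Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None  # branch is not protected
        raise

if __name__ == "__main__":
    for branch, verdict in audit(SAMPLE_RESPONSES).items():
        print(f"{branch}: {verdict}")
```

For a live run, replace SAMPLE_RESPONSES with a dict built by calling fetch_protection for each branch you consider critical (assumed names such as main and release).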
References:
GitHub Protected Branches: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/about-protected-branches
GitLab Protected Branches: https://docs.gitlab.com/ee/user/project/protected_branches.html
CIS Controls v8, Control 6 - Maintenance, Monitoring, and Analysis of Audit Logs: https://www.cisecurity.org/controls/maintenance-monitoring-and-analysis-of-audit-logs/