Profile Applicability:
Level 1
Description:
Every merge into a protected branch (pull request or merge request) must trigger automated scans of the proposed change for security vulnerabilities, code quality defects and compliance violations, and the merge must be blocked while those scans fail. Running the scans on the request, rather than after the merge, lets issues be found and fixed before they reach the main codebase.
Rationale:
Automatically scanning code merges helps detect vulnerabilities and defects early, reducing the likelihood of introducing security risks or unstable code. It promotes secure development practices, improves code quality, and supports regulatory compliance and audit readiness.
Impact:
Pros:
Early identification of security and quality issues.
Reduces risk of vulnerabilities in production.
Supports continuous integration and secure development.
Enhances compliance with security standards.
Cons:
Requires integration and maintenance of scanning tools.
May increase merge time due to scanning processes.
Default value:
Source control platforms do not scan merges unless a pipeline is configured to run on merge or pull request events and branch protection is configured to require it; by default a merge succeeds without any scan.
Audit:
Review the CI/CD pipeline configuration and verify that scan jobs are triggered by pull request or merge request events, not only by pushes to the main branch. Review the branch protection settings of the main branch and verify that the scan jobs are required status checks, that the requirement also applies to administrators, and that the jobs cannot be marked as allowed to fail. Inspect recent scan reports and merge logs to confirm the checks actually ran and that failing scans blocked the merge.
Remediation:
Integrate static application security testing (SAST), code quality analysis and compliance checks into the pipeline so that they run on every pull request or merge request. Configure branch protection on the main branch to require the scan jobs as passing status checks before a merge, apply the rule to administrators as well, and do not allow the scan jobs to continue on error. Train teams on why automated risk scanning is required and how to act on its findings.
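The following script is an added example, not part of the benchmark text, that performs the audit and remediation checks above against a workflow and branch protection configuration. Both inputs are constructed here: the workflow is shown as the dict a YAML loader (such as yaml.safe_load) returns for a file under .github/workflows/, and the protection dict mirrors the shape of the GitHub REST response for GET /repos/{owner}/{repo}/branches/{branch}/protection (required_status_checks.contexts, enforce_admins.enabled). The list of scanner identifiers used to recognise a scan step is an assumption and should be extended for your toolset. A weak configuration (scan only on push, job allowed to fail, nothing required) is shown beside the corrected one.

```python
"""Audit a merge gate: does every pull request run a scanner, and must it pass?

Added example (not from the CIS text). Inputs are constructed below.
"""

# Assumption: these action prefixes and command names identify a SAST step.
SCAN_ACTION_PREFIXES = ("github/codeql-action/analyze",)
SCAN_COMMANDS = ("semgrep", "codeql", "bandit", "gosec")
PR_TRIGGERS = {"pull_request", "pull_request_target", "merge_group"}


def workflow_triggers(workflow):
    """Return the set of event names the workflow runs on.

    PyYAML parses the bare key `on` as boolean True (YAML 1.1), so accept both.
    """
    trig = workflow.get("on", workflow.get(True, {}))
    if isinstance(trig, str):
        return {trig}
    if isinstance(trig, list):
        return set(trig)
    return set(trig or {})


def is_scan_step(step):
    """A step is a scan if it uses a known scanner action or runs a scanner binary."""
    uses = step.get("uses", "")
    run = step.get("run", "")
    return uses.startswith(SCAN_ACTION_PREFIXES) or any(
        cmd in run.split() for cmd in SCAN_COMMANDS
    )


def scan_jobs(workflow):
    """Map status-check context (job name, else job id) -> job for jobs that scan."""
    found = {}
    for job_id, job in workflow.get("jobs", {}).items():
        if any(is_scan_step(s) for s in job.get("steps", [])):
            found[job.get("name", job_id)] = job
    return found


def audit_merge_gate(workflow, protection):
    """Return a list of findings; an empty list means every merge is gated by a scan."""
    findings = []
    triggers = workflow_triggers(workflow)
    if not triggers & PR_TRIGGERS:
        findings.append(f"workflow does not run on pull requests (triggers: {sorted(triggers)})")
    jobs = scan_jobs(workflow)
    if not jobs:
        findings.append("no job runs a recognised scanner")
    for ctx, job in jobs.items():
        if job.get("continue-on-error"):
            findings.append(f"scan job '{ctx}' has continue-on-error, so its failure cannot block a merge")
    protection = protection or {}
    required = set((protection.get("required_status_checks") or {}).get("contexts", []))
    for ctx in jobs:
        if ctx not in required:
            findings.append(f"scan job '{ctx}' is not a required status check on the protected branch")
    if not (protection.get("enforce_admins") or {}).get("enabled"):
        findings.append("enforce_admins is off: administrators can bypass the gate")
    return findings


# Constructed inputs: a weak configuration and the corrected one.
WEAK_WORKFLOW = {
    "name": "sast",
    "on": {"push": {"branches": ["main"]}},          # scans after the merge, not before
    "jobs": {"sast": {"name": "SAST", "runs-on": "ubuntu-latest",
                      "continue-on-error": True,     # a failing scan is ignored
                      "steps": [{"uses": "actions/checkout@v4"},
                                {"uses": "github/codeql-action/analyze@v3"}]}},
}
WEAK_PROTECTION = {"required_status_checks": {"strict": False, "contexts": []},
                   "enforce_admins": {"enabled": False}}

GATED_WORKFLOW = {
    "name": "sast",
    "on": {"pull_request": {"branches": ["main"]}},  # scan the proposed change
    "jobs": {"sast": {"name": "SAST", "runs-on": "ubuntu-latest",
                      "steps": [{"uses": "actions/checkout@v4"},
                                {"uses": "github/codeql-action/init@v3", "with": {"languages": "python"}},
                                {"uses": "github/codeql-action/analyze@v3"}]}},
}
GATED_PROTECTION = {"required_status_checks": {"strict": True, "contexts": ["SAST"]},
                    "enforce_admins": {"enabled": True}}

if __name__ == "__main__":
    for label, wf, prot in (("weak", WEAK_WORKFLOW, WEAK_PROTECTION),
                            ("gated", GATED_WORKFLOW, GATED_PROTECTION)):
        findings = audit_merge_gate(wf, prot)
        print(f"{label}: {'PASS' if not findings else 'FAIL'}")
        for f in findings:
            print("  -", f)
```

In practice the protection dict comes from the platform API (for GitHub, `gh api repos/OWNER/REPO/branches/main/protection`) and the workflow from the repository checkout; the check that the scan job's context appears in the required contexts is the one most often missed, because a workflow that runs on pull requests but is not required still lets a failing scan be merged.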
References:
OWASP Static Code Analysis Tools: https://owasp.org/www-project-static-code-analysis-tools/
GitHub Actions Security Scanning: https://docs.github.com/en/code-security/secure-coding
CIS Controls v7, Control 6 - Maintenance, Monitoring and Analysis of Audit Logs: https://www.cisecurity.org/controls/maintenance-monitoring-and-analysis-of-audit-logs/