Profile Applicability:
 Level 1

Description:
 All changes made to branch protection rules—such as enabling/disabling protections, modifying required reviews, or changing access restrictions—must be logged and auditable. Maintaining an audit trail ensures visibility into who made changes, when, and what was modified, supporting accountability and security governance.

Rationale:
 Auditing changes to branch protection rules helps detect unauthorized or erroneous modifications that could weaken repository security. It strengthens change management, supports compliance requirements, and enhances the overall security posture of the development process.

Impact:
 Pros:

  • Provides traceability of configuration changes.

  • Enables detection of unauthorized or risky changes.

  • Supports compliance and governance frameworks.

  • Enhances repository security and integrity.

 Cons:

  • Requires configuration of logging and monitoring systems.

  • May generate additional audit data to review.

Default value:
 By default, some platforms may not log or audit branch protection rule changes comprehensively.

Audit:
 Review audit logs and change histories for branch protection settings. Verify that all modifications are recorded with user identity and timestamps.

Remediation:
 Enable and configure audit logging for repository settings and branch protection rule changes. Implement monitoring and alerting for unauthorized modifications. Educate administrators on the importance of auditing these changes.
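As an added example that is not part of this benchmark text, the following Python script applies the Audit and Remediation steps above to a constructed GitHub-style audit log export: it keeps only branch protection events, flags any that lack an actor identity or a timestamp, and flags changes made by anyone outside an administrator allow-list. The `protected_branch.*` action names, the `@timestamp`/`actor`/`repo` field names, the sample events and the allow-list are assumptions made for the example.

```python
import json

# Constructed sample of a GitHub-style audit log export (one JSON object per
# line). Field names (@timestamp, action, actor, repo) and the
# protected_branch.* action names are modelled on GitHub's audit log; the
# values themselves are constructed for this example.
SAMPLE_AUDIT_LOG = """\
{"@timestamp": 1717000000000, "action": "protected_branch.update_required_approving_review_count", "actor": "alice", "repo": "acme/payments"}
{"@timestamp": 1717000060000, "action": "protected_branch.destroy", "actor": "", "repo": "acme/payments"}
{"@timestamp": 1717000120000, "action": "repo.create", "actor": "bob", "repo": "acme/new-service"}
{"action": "protected_branch.create", "actor": "carol", "repo": "acme/payments"}
{"@timestamp": 1717000180000, "action": "protected_branch.update_admin_enforced_status", "actor": "mallory", "repo": "acme/payments"}
"""

# Assumed allow-list of administrators permitted to change branch protection.
APPROVED_ADMINS = frozenset({"alice", "carol"})


def is_branch_protection_event(event):
    """True for any event that creates, modifies or removes a protection rule."""
    return str(event.get("action", "")).startswith("protected_branch.")


def audit_branch_protection_changes(raw_log, approved_admins=APPROVED_ADMINS):
    """Return (line_no, action, finding) tuples for every branch protection
    event that is not fully attributable or was made by a non-approved actor."""
    findings = []
    for line_no, line in enumerate(raw_log.splitlines(), start=1):
        if not line.strip():
            continue
        event = json.loads(line)
        if not is_branch_protection_event(event):
            continue  # unrelated repository activity is out of scope here
        action, actor = event["action"], event.get("actor")
        # Every change must carry a user identity and a timestamp.
        if not actor:
            findings.append((line_no, action, "missing actor identity"))
        elif actor not in approved_admins:
            findings.append((line_no, action, f"change by non-approved actor {actor!r}"))
        if event.get("@timestamp") is None:
            findings.append((line_no, action, "missing timestamp"))
    return findings


if __name__ == "__main__":
    for line_no, action, finding in audit_branch_protection_changes(SAMPLE_AUDIT_LOG):
        print(f"line {line_no}: {action}: {finding}")
```

Each finding is a candidate alert; the allow-list check is the "unauthorized modification" condition from the Remediation step, while the identity and timestamp checks verify the Audit requirement.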

References:

  1. GitHub Audit Logs: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/audit-logs

  2. GitLab Audit Events: https://docs.gitlab.com/ee/administration/audit_event_logging.html

  3. CIS Controls v8, Control 6 - Maintenance, Monitoring, and Analysis of Audit Logs: https://www.cisecurity.org/controls/maintenance-monitoring-and-analysis-of-audit-logs/