Profile Applicability:
Level 1
Description:
The default branch (commonly "main" or "master") must have branch protection rules applied to safeguard it from unauthorized changes. These rules typically include requirements for code reviews, passing status checks, and restrictions on force pushes and deletions to maintain the integrity of the primary codebase.
Rationale:
Protecting the default branch helps prevent accidental or malicious changes that could disrupt the main codebase, ensuring stability, security, and reliability of software releases. It enforces best practices for code quality and access control on the most critical branch.
Impact:
Pros:
Maintains stability and integrity of the main codebase.
Prevents unauthorized or unreviewed changes.
Supports compliance with development and security policies.
Enhances auditability and accountability.
Cons:
May require additional configuration and oversight.
Could delay changes if protection rules are too strict.
Default value:
By default, the default branch may not have any protection rules enabled.
Audit:
Verify branch protection settings on the default branch. Confirm that protections such as required reviews and status checks are enabled and enforced.
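Added example, not part of this benchmark text: a Python check that evaluates a branch-protection payload against the four controls named in the Description (required reviews, required status checks, force pushes, deletions). It assumes the payload shape GitHub's REST API returns for GET /repos/{owner}/{repo}/branches/{branch}/protection; the sample payloads below are constructed for illustration.

```python
from typing import Any, Optional

# Constructed sample payloads in the shape of GitHub's branch-protection
# response (field names as documented by GitHub; values are made up).
SAMPLE_WEAK = {
    "required_status_checks": {"strict": True, "contexts": []},
    "required_pull_request_reviews": None,       # reviews not required
    "allow_force_pushes": {"enabled": True},     # force pushes allowed
    "allow_deletions": {"enabled": False},
}
SAMPLE_STRONG = {
    "required_status_checks": {"strict": True, "contexts": ["ci/build"]},
    "required_pull_request_reviews": {"required_approving_review_count": 1},
    "allow_force_pushes": {"enabled": False},
    "allow_deletions": {"enabled": False},
}


def audit_protection(protection: Optional[dict[str, Any]]) -> list[str]:
    """Return audit findings for one branch; an empty list means it passes.

    Pass None when the API reports the branch as not protected at all
    (GitHub answers that case with a 404 rather than an empty object).
    """
    if not protection:
        return ["no branch protection rules are applied"]
    findings: list[str] = []

    reviews = protection.get("required_pull_request_reviews") or {}
    if not reviews:
        findings.append("pull request reviews are not required")
    elif reviews.get("required_approving_review_count", 0) < 1:
        findings.append("required approving review count is 0")

    checks = protection.get("required_status_checks") or {}
    if not checks:
        findings.append("status checks are not required")
    elif not checks.get("contexts") and not checks.get("checks"):
        findings.append("status checks are required but none are listed")

    if (protection.get("allow_force_pushes") or {}).get("enabled", False):
        findings.append("force pushes are allowed")
    if (protection.get("allow_deletions") or {}).get("enabled", False):
        findings.append("branch deletion is allowed")
    return findings


if __name__ == "__main__":
    for name, payload in (("weak", SAMPLE_WEAK), ("strong", SAMPLE_STRONG)):
        print(name, audit_protection(payload) or ["PASS"])
```

Feed the function the JSON decoded from the live protection endpoint of each repository's default branch to audit at scale; any non-empty result is a deviation to remediate.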
Remediation:
Configure repository settings to enforce branch protection rules on the default branch. Educate development teams on compliance and protection policies.
References:
GitHub Protected Branches: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/about-protected-branches
GitLab Protected Branches: https://docs.gitlab.com/ee/user/project/protected_branches.html
CIS Controls v8, Control 6 - Maintenance, Monitoring, and Analysis of Audit Logs: https://www.cisecurity.org/controls/maintenance-monitoring-and-analysis-of-audit-logs/