Ensure GitHub branch protection rules require signed commits

Error: GitHub branch protection rules do not include signed commits
Bridgecrew Policy ID: BC_REPO_GITHUB_1 or BC_REPO_GITHUB_TF_4
Checkov Check ID: CKV_GITHUB_5 or CKV_GIT_6
Severity: LOW

GitHub branch protection rules do not include signed commits

Description

In GitHub, Branch Protection Rules define whether collaborators can delete or force push to the branch and set requirements for any pushes to the branch, such as passing status checks or a linear commit history.

When you enable required commit signing on a branch, contributors and bots can only push commits that have been signed and verified to the branch. If a collaborator pushes an unsigned commit to a branch that requires commit signatures, the collaborator will need to rebase the commit to include a verified signature, then force push the rewritten commit to the branch.

Fix - Buildtime

Terraform

  • Resource: github_branch_protection, github_branch_protection_v3
  • Attribute: require_signed_commits
resource "github_branch_protection_v3" "example" {
...
+  require_signed_commits = true
}
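The snippet above only shows the attribute to add. The following is an added example, not code from the Checkov or Bridgecrew documentation, that shows complete, applyable versions of both resource types listed above with `require_signed_commits` set. The provider block, the `example-org/example-repo` repository name, the `main` branch pattern and the data source lookup are assumptions for illustration; both checks report FAILED when the attribute is missing or set to `false`.

```hcl
# Added example (not from the Checkov docs). Repository and branch names are
# placeholders; both resources set require_signed_commits so that
# CKV_GITHUB_5 / CKV_GIT_6 pass.
terraform {
  required_providers {
    github = {
      source = "integrations/github"
    }
  }
}

# Look up the repository so the newer resource can reference its node ID
# (assumed repository name).
data "github_repository" "example" {
  full_name = "example-org/example-repo"
}

# Current resource: the branch is selected by repository ID and a name pattern.
resource "github_branch_protection" "main" {
  repository_id = data.github_repository.example.node_id
  pattern       = "main"

  # Reject pushes whose commits lack a verified signature.
  require_signed_commits = true
}

# Legacy (v3) resource: the branch is selected by repository name and branch name.
resource "github_branch_protection_v3" "main" {
  repository = data.github_repository.example.name
  branch     = "main"

  # Same control on the v3 resource; omitting it (or setting false) fails the check.
  require_signed_commits = true
}
```

Keep only one of the two resources for a given branch in practice; the v3 resource is retained here solely to show that the attribute name is identical on both.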