Ensure GitHub branch protection rules require signed commits
Error: GitHub branch protection rules do not include signed commits
Bridgecrew Policy ID: BC_REPO_GITHUB_1 or BC_REPO_GITHUB_TF_4
Checkov Check ID: CKV_GITHUB_5 or CKV_GIT_6
Severity: LOW
GitHub branch protection rules do not include signed commits
Description
In GitHub, Branch Protection Rules define whether collaborators can delete or force push to the branch and set requirements for any pushes to the branch, such as passing status checks or a linear commit history.
When you enable required commit signing on a branch, contributors and bots can only push commits that carry a signature GitHub has verified (GPG, SSH, or S/MIME) to that branch. If a collaborator pushes an unsigned commit to a branch that requires commit signatures, the collaborator will need to rebase the commit to include a verified signature, then force push the rewritten commit to the branch. In the Terraform provider the attribute defaults to false, so a branch protection resource that simply omits it is reported by this check as well.
Fix - Buildtime
Terraform
- Resource: github_branch_protection, github_branch_protection_v3
- Attribute: require_signed_commits
resource "github_branch_protection_v3" "example" {
...
+ require_signed_commits = true
}
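A complete configuration showing the fix on both resource types, added here as an illustration and not taken from the Bridgecrew or Checkov documentation. The organisation name `example-org`, the repository `example-app`, the branch names and the provider version constraint are assumptions for this example; the attribute names are those of the `integrations/github` provider.

```hcl
terraform {
  required_providers {
    github = {
      source  = "integrations/github"
      version = "~> 5.0" # assumed; any release that ships both resources works
    }
  }
}

# Assumed owner and repository for this example.
provider "github" {
  owner = "example-org"
}

data "github_repository" "app" {
  full_name = "example-org/example-app"
}

# Current-generation resource: keyed by repository node ID and a branch name
# pattern. Omitting require_signed_commits leaves it at the provider default
# (false), which is exactly what CKV_GITHUB_5 / CKV_GIT_6 flags.
resource "github_branch_protection" "main" {
  repository_id = data.github_repository.app.node_id
  pattern       = "main"

  require_signed_commits = true

  # Related hardening; not required by this check but usual alongside it.
  enforce_admins          = true
  allows_force_pushes     = false
  allows_deletions        = false
  required_linear_history = true
}

# Legacy resource: keyed by repository name and branch. Same attribute, same fix.
resource "github_branch_protection_v3" "release" {
  repository = data.github_repository.app.name
  branch     = "release"

  require_signed_commits = true
  enforce_admins         = true
}
```

Running `checkov -d .` against this directory passes both checks; deleting either `require_signed_commits = true` line, or setting it to `false`, reproduces the "GitHub branch protection rules do not include signed commits" finding on that resource.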
Updated 6 months ago