Ensure Gitlab branch protection rules do not allow force pushes

Error: Gitlab branch protection rules force push is enabled
Bridgecrew Policy ID: BC_REPO_GITLAB_1 or BC_REPO_GITLAB_TF_1
Checkov Check ID: CKV_GITLAB_1 or CKV_GLB_2
Severity: MEDIUM


Description

In GitLab, permissions are fundamentally defined around the idea of having read or write permission to the repository and branches. To impose further restrictions on certain branches, they can be protected.

When you perform more complex operations, such as squashing commits or resetting or rebasing your branch, you must force an update to the remote branch. These operations rewrite the commit history of the branch. Forcing an update is not recommended when you're working on shared branches.

You can enable force push on a protected branch, but this is ill-advised: it lets any user with push access rewrite the history of exactly the branch you chose to protect.

Fix - Buildtime

Terraform

  • Resource: gitlab_branch_protection
  • Attribute: allow_force_push
resource "gitlab_branch_protection" "BranchProtect" {
...
-  allow_force_push             = true
+  allow_force_push             = false
...
}
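The check behind this policy can be expressed as a short static scan over parsed Terraform resources. The following is an added illustration, not Checkov's own source: it mirrors the shape in which Checkov hands a resource's attributes to a check (attribute name to list of values) and flags `gitlab_branch_protection` resources whose `allow_force_push` is literally `true`. The resource names and values are constructed, and treating an absent attribute as passing assumes the provider default of `false`.

```python
# Added example, not Checkov's source. Resource names and values are constructed.
PASSED, FAILED, UNKNOWN = "PASSED", "FAILED", "UNKNOWN"


def _as_bool(value):
    """Normalise what HCL parsing may yield for a boolean attribute."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.strip().lower() in ("true", "false"):
        return value.strip().lower() == "true"
    return None  # interpolation such as ${var.x}: not decidable statically


def scan_branch_protection(conf):
    """FAILED when allow_force_push is true; PASSED when false or absent
    (assumed provider default); UNKNOWN when the value is not a literal."""
    values = conf.get("allow_force_push")
    if not values:
        return PASSED
    flag = _as_bool(values[0])
    if flag is None:
        return UNKNOWN
    return FAILED if flag else PASSED


def audit(resources):
    """Run the check over every gitlab_branch_protection resource; return (name, result) pairs."""
    return [
        (name, scan_branch_protection(conf))
        for res_type, name, conf in resources
        if res_type == "gitlab_branch_protection"
    ]


# Constructed sample: the 'before' and 'after' of the fix above, a resource
# that omits the attribute, one fed from a variable, and an unrelated resource.
SAMPLE_RESOURCES = [
    ("gitlab_branch_protection", "before", {"branch": ["main"], "allow_force_push": [True]}),
    ("gitlab_branch_protection", "after", {"branch": ["main"], "allow_force_push": [False]}),
    ("gitlab_branch_protection", "default", {"branch": ["main"]}),
    ("gitlab_branch_protection", "from_var", {"branch": ["main"], "allow_force_push": ["${var.allow_fp}"]}),
    ("gitlab_project", "unrelated", {"name": ["demo"]}),
]

if __name__ == "__main__":
    for name, result in audit(SAMPLE_RESOURCES):
        print(f"{name}: {result}")
```

An `UNKNOWN` result is worth surfacing separately: a value taken from a variable can only be judged once the variable is resolved, for example against a plan file.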