CICD-SEC-1 — Admins can bypass branch protection

Field	Value
Category	`CICD-SEC-1`
Severity	HIGH
Auto-fix	✗
Source	Repository configuration

What the check does

Reads the branch protection rule and reports when enforce_admins.enabled is false.

Why it matters

Admin bypass turns every protection on the branch into “soft” enforcement:

A compromised admin PAT lets the attacker push directly to main.
Even well-intentioned admins routinely click “merge anyway” past failing checks — which then erodes the entire culture of CI as a gate.
This is the single biggest gap between a paper policy (“we require reviews”) and an enforced one.

GitHub’s own guidance is that branch protection should apply to everyone.

How to fix

Settings → Branches → edit the rule → enable Do not allow bypassing the above settings. (This is the modern UI label for enforce_admins.) Make sure no one is in the bypass list either.

CICD-SEC-1 — Default branch does not require status checks to pass CICD-SEC-1 — CODEOWNERS exists but their review is not required

⌘I

Documentation Index

​What the check does

​Why it matters

​How to fix

What the check does

Why it matters

How to fix