| Field | Value |
| --- | --- |
| Category | CICD-SEC-1 |
| Severity | MEDIUM |
| Auto-fix | |
| Source | Repository configuration |

What the check does

Reads the branch protection rule and reports when required_pull_request_reviews.required_approving_review_count < 2.

Why it matters

A single required reviewer is a single point of failure. If that account is compromised or coerced, or if the reviewer is in effect the PR author (the review is rotated to a colleague who rubber-stamps it), the review control collapses. Requiring two reviewers raises the bar meaningfully: the attacker now needs collusion or two compromised accounts. Two is also the threshold most regulated industries (SOC 2, PCI, ISO 27001) treat as “meaningful peer review” rather than “advisory”.

How to fix

Settings → Branches → edit the rule → set Required approving reviews to 2 or more. For high-impact branches (release branches, infrastructure repos), consider also enabling Require review from Code Owners and adding a CODEOWNERS file.
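The check and the Code Owners recommendation above, sketched as an added example (not Pipefort's own code). It assumes rules shaped like GitHub's branch protection API response; the sample rules, the branch-name prefixes, the ADVISORY level and the handling of a missing review block are assumptions.

```python
MIN_APPROVALS = 2  # threshold the check enforces

# Constructed sample rules keyed by branch, shaped like the body returned by
# GitHub's REST endpoint GET /repos/{owner}/{repo}/branches/{branch}/protection.
SAMPLE_RULES = {
    "main": {"required_pull_request_reviews": {
        "required_approving_review_count": 1, "require_code_owner_reviews": False}},
    "release/1.x": {"required_pull_request_reviews": {
        "required_approving_review_count": 2, "require_code_owner_reviews": False}},
    "develop": {"enforce_admins": {"enabled": True}},  # rule without a review block
    "infra": {"required_pull_request_reviews": {
        "required_approving_review_count": 2, "require_code_owner_reviews": True}},
}


def evaluate_rule(branch, rule, high_impact=False):
    """Return the findings (list of dicts) for one branch protection rule."""
    # Assumption: a missing rule or review block means zero required approvals.
    reviews = (rule or {}).get("required_pull_request_reviews") or {}
    count = reviews.get("required_approving_review_count") or 0
    findings = []
    if count < MIN_APPROVALS:
        findings.append({
            "branch": branch, "category": "CICD-SEC-1", "severity": "MEDIUM",
            "message": f"required_approving_review_count is {count}, "
                       f"expected at least {MIN_APPROVALS}"})
    # Advisory from the fix guidance; the ADVISORY level is hypothetical.
    if high_impact and not reviews.get("require_code_owner_reviews"):
        findings.append({
            "branch": branch, "category": "CICD-SEC-1", "severity": "ADVISORY",
            "message": "consider enabling Require review from Code Owners"})
    return findings


def evaluate_all(rules, high_impact_prefixes=("release/", "infra")):
    """Evaluate every branch; the high-impact prefixes are assumed naming."""
    results = []
    for branch in sorted(rules):
        high = branch.startswith(tuple(high_impact_prefixes))
        results.extend(evaluate_rule(branch, rules[branch], high))
    return results


if __name__ == "__main__":
    for f in evaluate_all(SAMPLE_RULES):
        print(f"{f['severity']:8} {f['branch']:12} {f['message']}")
```

On the constructed rules, `develop` and `main` are reported at MEDIUM, `release/1.x` gets the Code Owners advisory, and `infra` passes.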