> ## Documentation Index
> Fetch the complete documentation index at: https://docs.pipefort.com/llms.txt
> Use this file to discover all available pages before exploring further.

# CICD-SEC-1 — Default branch requires fewer than 2 approving reviews

> One approval is enough to merge. A single compromised or coerced reviewer defeats the gate.

| Field    | Value                    |
| -------- | ------------------------ |
| Category | `CICD-SEC-1`             |
| Severity | MEDIUM                   |
| Auto-fix | ✗                        |
| Source   | Repository configuration |

## What the check does

Reads the branch protection rule and reports when `required_pull_request_reviews.required_approving_review_count < 2`.

## Why it matters

A single required reviewer is a single point of failure. If that account is compromised, coerced, or the developer is also the PR author (rotated to a colleague who rubber-stamps), the review control collapses. Two reviewers raises the bar meaningfully — the attacker now needs collusion or two compromised accounts.

Two is also the threshold most regulated industries (SOC 2, PCI, ISO 27001) treat as "meaningful peer review" rather than "advisory".

## How to fix

Settings → Branches → edit the rule → set **Required approving reviews** to 2 or more. For high-impact branches (release branches, infrastructure repos), consider also enabling **Require review from Code Owners** and adding a `CODEOWNERS` file.
