CICD-SEC-1 — Default branch allows force pushes

Field	Value
Category	`CICD-SEC-1`
Severity	HIGH
Auto-fix	✗
Source	Repository configuration

What the check does

Reads the default branch’s protection rule and reports when allow_force_pushes.enabled is true.

Why it matters

A force-push can:

Rewrite history to remove evidence of a malicious commit.
Drop reviewed commits and replace them with unreviewed ones (the original PR review remains on the commit object that’s no longer reachable).
Defeat any audit relying on commit ordering or signed-tag pointers.

Without disabling force-push, the protections you’ve added on top (required reviews, required status checks) can be quietly bypassed in a single command from anyone with git push --force.

How to fix

Settings → Branches → edit the rule for the default branch → uncheck Allow force pushes (or set it to Everyone disabled).

CICD-SEC-1 — Default branch has no branch protection rule CICD-SEC-1 — Default branch can be deleted

⌘I

Documentation Index

​What the check does

​Why it matters

​How to fix

What the check does

Why it matters

How to fix