
Field     Value
Category  CICD-SEC-1
Severity  HIGH
Auto-fix  No
Source    Repository configuration

What the check does

Pipefort calls GET /repos/{owner}/{repo}/branches/{default_branch}/protection. A 200 response means a branch protection rule exists on the default branch; a 404 means it has none. This is read-only auditing: Pipefort never modifies your settings.

Two caveats if you reproduce the check yourself. First, GitHub also answers 404 when the token cannot see the repository at all (private repositories are hidden rather than refused), so confirm the repository is readable before treating 404 as "unprotected". Second, this endpoint reports classic branch protection rules only; a branch guarded solely by a repository ruleset is not reflected here and has to be queried separately through GET /repos/{owner}/{repo}/rules/branches/{branch}.
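The check above, reproduced and extended as an added example (this is not Pipefort's own code). fetch_protection() issues the same read-only GET the page describes; evaluate() interprets the response, treating 404 as "unprotected" and, when a rule exists, grading its JSON against the minimum settings recommended under "How to fix" plus the force-push and deletion settings mentioned under "Why it matters". The function names are mine, and the two sample bodies at the bottom are constructed to match the shape of the API response, not captured from GitHub.

```python
"""Audit a branch's classic branch protection via the GitHub REST API.

Added example, not Pipefort's code. Runs offline on the constructed
samples below; pass a real owner/repo/branch/token to audit() to run
it against GitHub.
"""
import json
import urllib.error
import urllib.request

API = "https://api.github.com"


def fetch_protection(owner, repo, branch, token):
    """GET /repos/{owner}/{repo}/branches/{branch}/protection.

    Returns (http_status, parsed_body_or_None). 404 is how GitHub reports
    'branch not protected', but it is also the answer when the token cannot
    see the repository, so verify the repo is readable before trusting it.
    """
    url = f"{API}/repos/{owner}/{repo}/branches/{branch}/protection"
    req = urllib.request.Request(url, headers={
        "Accept": "application/vnd.github+json",
        "Authorization": f"Bearer {token}",
        "X-GitHub-Api-Version": "2022-11-28",
    })
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, None


def evaluate(status, protection):
    """Turn one API result into a list of findings; an empty list passes."""
    if status == 404:
        return ["CICD-SEC-1 HIGH: no branch protection rule on the default branch"]
    if status != 200 or protection is None:
        return [f"could not read branch protection (HTTP {status}); check token scope"]

    findings = []
    reviews = protection.get("required_pull_request_reviews")
    if not reviews:
        findings.append("pull request not required before merging")
    elif reviews.get("required_approving_review_count", 0) < 1:
        findings.append("pull request required but no approvals required")

    checks = protection.get("required_status_checks") or {}
    if not (checks.get("contexts") or checks.get("checks")):
        findings.append("no required status checks selected")

    if not protection.get("enforce_admins", {}).get("enabled"):
        findings.append("rule can be bypassed by admins (enforce_admins off)")

    for key, label in (("allow_force_pushes", "force-push"),
                       ("allow_deletions", "branch deletion")):
        if protection.get(key, {}).get("enabled"):
            findings.append(f"{label} allowed on the protected branch")
    return findings


def audit(owner, repo, branch, token):
    """Live version of the check: fetch, then grade."""
    return evaluate(*fetch_protection(owner, repo, branch, token))


# Constructed sample bodies shaped like the API response (not real captures).
SAMPLE_WEAK = {
    "required_status_checks": {"strict": False, "contexts": [], "checks": []},
    "enforce_admins": {"enabled": False},
    "required_pull_request_reviews": {"required_approving_review_count": 0},
    "allow_force_pushes": {"enabled": True},
    "allow_deletions": {"enabled": False},
}
SAMPLE_STRONG = {
    "required_status_checks": {"strict": True, "contexts": ["ci/test"],
                               "checks": [{"context": "ci/test", "app_id": None}]},
    "enforce_admins": {"enabled": True},
    "required_pull_request_reviews": {"required_approving_review_count": 2,
                                      "dismiss_stale_reviews": True},
    "allow_force_pushes": {"enabled": False},
    "allow_deletions": {"enabled": False},
}

if __name__ == "__main__":
    for name, result in (("unprotected", (404, None)),
                         ("weak", (200, SAMPLE_WEAK)),
                         ("strong", (200, SAMPLE_STRONG))):
        print(name, evaluate(*result) or ["pass"])
```

The weak sample shows why a bare "200 vs 404" check is only the first gate: a rule that requires a pull request with zero approvals, no status checks and admin bypass enabled exists as far as the API is concerned but enforces almost nothing.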

Why it matters

Branch protection is the foundation of every other CI/CD control. Without it:
  • Direct pushes bypass code review entirely.
  • A compromised developer (or stolen token) can push malicious commits straight to main.
  • Force-push and deletion are both possible, erasing audit trails.
  • Required status checks (the gate your security scans live behind) have nothing to attach to.
This maps to the OWASP Top 10 CI/CD Security Risks entry CICD-SEC-1, Insufficient Flow Control Mechanisms.

How to fix

In your repository on GitHub, go to Settings → Branches → Branch protection rules → Add rule. Target the default branch and at minimum enable:
  • Require a pull request before merging (with ≥ 1 required approval, ideally 2)
  • Require status checks to pass before merging (select your CI workflows)
  • Do not allow bypassing the above settings (so the rule applies to admins too)
Leave "Allow force pushes" and "Allow deletions" unchecked so the history of the default branch cannot be rewritten or removed.
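The same settings applied through the REST API rather than the web UI, as an added example that is not Pipefort's code. Unlike Pipefort's read-only check, the PUT below changes repository settings, so it needs a token with repository Administration write access and should only be run against repositories you own. minimum_protection() maps each UI label above to its API field; the function names and the "ci/test" context in the usage line are mine.

```python
"""Apply the minimum branch protection from "How to fix" via the REST API.

Added example, not Pipefort's code. Writes to the repository: use a token
with Administration write permission.
"""
import json
import urllib.request

API = "https://api.github.com"


def minimum_protection(status_check_contexts, approvals=1):
    """Request body for PUT /repos/{owner}/{repo}/branches/{branch}/protection.

    The four top-level keys required_status_checks, enforce_admins,
    required_pull_request_reviews and restrictions must all be present
    (null disables that part); the remaining keys are optional.
    """
    if not 1 <= approvals <= 6:
        raise ValueError("GitHub accepts 0-6 approvals; this page recommends at least 1")
    return {
        # "Require a pull request before merging" with N approvals
        "required_pull_request_reviews": {
            "required_approving_review_count": approvals,
            "dismiss_stale_reviews": True,
        },
        # "Require status checks to pass before merging" (your CI job contexts)
        "required_status_checks": {"strict": True,
                                   "contexts": list(status_check_contexts)},
        # "Do not allow bypassing the above settings"
        "enforce_admins": True,
        # no push allow-list; the key is required, null means unused
        "restrictions": None,
        # keep the audit trail intact (see "Why it matters")
        "allow_force_pushes": False,
        "allow_deletions": False,
    }


def apply_protection(owner, repo, branch, token, body):
    """PUT the rule; returns the HTTP status (200 on success)."""
    url = f"{API}/repos/{owner}/{repo}/branches/{branch}/protection"
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        method="PUT",
        headers={
            "Accept": "application/vnd.github+json",
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
            "X-GitHub-Api-Version": "2022-11-28",
        },
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    import os
    import sys
    # usage: python protect.py OWNER REPO BRANCH ci/test [more contexts...]
    owner, repo, branch = sys.argv[1:4]
    body = minimum_protection(sys.argv[4:], approvals=2)
    print(apply_protection(owner, repo, branch, os.environ["GITHUB_TOKEN"], body))
```

Status-check contexts must match the job or check names exactly as GitHub reports them on a pull request; a context that never reports leaves the branch unmergeable, which is safe but noisy, so list only checks that actually run on every PR.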

Why no auto-fix

Branch protection lives on github.com, not in your repository's files, so there is nothing to commit or patch. Changing it would require the Pipefort GitHub App to hold write access to repository administration; the current design keeps the App's permissions read-only, so the fix is left to you.