> ## Documentation Index
> Fetch the complete documentation index at: https://docs.pipefort.com/llms.txt
> Use this file to discover all available pages before exploring further.

# CICD-SEC-1 — Default branch does not require pull request reviews

> Branch protection is on, but reviews aren't required. Direct pushes still merge without approval.

| Field    | Value                    |
| -------- | ------------------------ |
| Category | `CICD-SEC-1`             |
| Severity | **HIGH**                 |
| Auto-fix | ✗                        |
| Source   | Repository configuration |

## What the check does

Reads the default branch's protection rule. Fires when `required_pull_request_reviews` is absent.

## Why it matters

Required PR reviews are the most-cited control in CICD-SEC-1. Without them, branch protection still permits a single committer to push directly to the default branch — losing the "second pair of eyes" defense entirely. Static scanners can catch only what they're trained on; mandatory human review remains the most general-purpose mitigation against malicious or accidentally insecure code reaching production.

## How to fix

Settings → Branches → edit the rule → enable **Require a pull request before merging**. Set **Required approving reviews** to at least 1 (2 is recommended for production branches; see [BP-FEW-REVIEWERS](/rules/cicd-sec-1-bp-few-reviewers)).
