
| Field | Value |
|---|---|
| Category | CICD-SEC-1 |
| Severity | LOW |
| Auto-fix | |
| Source | Repository configuration |

What the check does

Reads required_signatures.enabled on the default branch’s protection rule.

Why it matters

Without signed commits, there’s no cryptographic proof of who authored a commit. The git author/committer fields can be set to any string — including the name and email of someone who never made that commit. This intersects CICD-SEC-9 (Improper Artifact Integrity Validation). For supply-chain–sensitive repos (anything you publish, build images from, or deploy infrastructure with), signed commits give you a verifiable chain of custody from author to artifact.

How to fix

  1. Make sure your contributors have signing set up locally (`git config commit.gpgsign true` plus a configured GPG or SSH signing key).
  2. Settings → Branches → edit the rule → enable Require signed commits.

Note that this rule blocks merges of unsigned commits — coordinate with your team before enabling, especially on long-lived branches with in-flight work.
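The following Python is an added example, not Pipefort's own implementation: it evaluates the protection-rule JSON the check reads (`required_signatures.enabled`) and, for the caveat above, lists commits on a branch whose signatures git cannot verify, so a team can see in-flight work that the rule would block. The names `Finding`, `evaluate_protection`, `unsigned_commits` and `audit_branch`, and the sample payloads and log output, are constructed for this example.

```python
"""Evaluate a branch-protection payload for the signed-commit check and audit
a branch's history for unsigned commits. Example code added for this page."""
import json
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# Constructed samples shaped like GitHub's
# GET /repos/{owner}/{repo}/branches/{branch}/protection response,
# trimmed to the one field this check reads.
PROTECTION_OK = json.dumps({"required_signatures": {"enabled": True}})
PROTECTION_OFF = json.dumps({"required_signatures": {"enabled": False}})

@dataclass
class Finding:
    check: str = "CICD-SEC-1"
    severity: str = "LOW"
    message: str = ""

def evaluate_protection(payload: Optional[str]) -> Optional[Finding]:
    """Return a Finding when signed commits are not required.
    payload is the protection-rule JSON, or None when the default branch has
    no protection rule at all (GitHub answers 404 'Branch not protected')."""
    if payload is None:
        return Finding(message="default branch has no protection rule; signed commits not required")
    rule = json.loads(payload)
    if rule.get("required_signatures", {}).get("enabled", False):
        return None
    return Finding(message="required_signatures.enabled is false on the default branch")

# `git log --format='%H %G?'` prints one signature-status code per commit:
# G good, U good but untrusted key, X/Y expired signature/key, R revoked key,
# B bad signature, E cannot be checked, N no signature.
SIGNED_OK = {"G", "U"}

# Constructed sample of that output: two commits that the rule would reject.
SAMPLE_LOG = """\
1111111111111111111111111111111111111111 G
2222222222222222222222222222222222222222 N
3333333333333333333333333333333333333333 U
4444444444444444444444444444444444444444 E
"""

def unsigned_commits(log_output: str) -> List[str]:
    """Return hashes whose signature is missing or not verifiable as good."""
    bad = []
    for line in log_output.splitlines():
        if line.strip():
            sha, status = line.split()[:2]
            if status not in SIGNED_OK:
                bad.append(sha)
    return bad

def audit_branch(ref: str = "HEAD", base: Optional[str] = None) -> List[str]:
    """Run git log on a real repo; base (e.g. 'origin/main') limits to unmerged commits."""
    rev = f"{base}..{ref}" if base else ref
    out = subprocess.run(["git", "log", "--format=%H %G?", rev],
                         capture_output=True, text=True, check=True).stdout
    return unsigned_commits(out)
```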