> ## Documentation Index
> Fetch the complete documentation index at: https://docs.pipefort.com/llms.txt
> Use this file to discover all available pages before exploring further.

# CICD-SEC-1 — Default branch does not require status checks to pass

> No CI gate is enforced. Broken builds, failing tests, or unfinished security scans can land on main.

| Field    | Value                    |
| -------- | ------------------------ |
| Category | `CICD-SEC-1`             |
| Severity | MEDIUM                   |
| Auto-fix | ✗                        |
| Source   | Repository configuration |

## What the check does

Reads the branch protection rule and reports when `required_status_checks` is absent.

## Why it matters

Status checks are the integration point between branch protection and your CI/CD pipeline. Without them:

* Failing tests, lint errors, or security scans (including Pipefort itself in CI) can be merged.
* New status checks added later don't retroactively gate anything.
* The "green checkmark" on PRs becomes advisory, not blocking.

This is what makes branch protection actually enforce your CI investment.

## How to fix

Settings → Branches → edit the rule → enable **Require status checks to pass before merging**. Select the workflows that must pass — typically your test suite, lint, and any security scans (including Pipefort if you run it in CI).

Pair with **Require branches to be up to date before merging** to prevent stale branches from merging despite never running checks against the latest base.
