CICD-SEC-1 — Default branch does not dismiss stale reviews on new commits - Pipefort

Field	Value
Category	`CICD-SEC-1`
Severity	MEDIUM
Auto-fix	✗
Source	Repository configuration

What the check does

Reads the branch protection rule and reports when required_pull_request_reviews.dismiss_stale_reviews is false.

Why it matters

Without stale-review dismissal:

Author opens a clean PR.
Reviewer approves it.
Author force-pushes additional malicious commits.
PR is now merge-eligible — the approval still counts, even though the reviewed commit is no longer the HEAD.

This is the most common branch-protection bypass in the wild — defeats reviews without needing to compromise any account.

How to fix

Settings → Branches → edit the rule → under Require a pull request before merging, enable Dismiss stale pull request approvals when new commits are pushed.

CICD-SEC-1 — Default branch requires fewer than 2 approving reviews CICD-SEC-1 — Default branch does not require status checks to pass

⌘I