1.1.14 Ensure branch protection rules are enforced for administrators

ID

cis_sscs/branch_rules_enforced_admins

Severity

high

Category

source_code/code_changes

Levels

Optional

false

Tags

branch-protection, least-privilege, security, supply-chain

Description

Ensure administrators are subject to branch protection rules.

Rationale

By default, administrators are excluded from branch protection rules (on GitHub, a rule does not apply to administrators unless it is explicitly set to do so). This means these privileged users, at both the repository and the organization level, can push directly to a protected branch without the reviews, status checks and other controls meant to prevent the insertion of untrusted or malicious code. This matters because administrator accounts are a prime target for account hijacking precisely because of their privileges: a compromised administrator account that is exempt from branch protection can push to production branches with nothing standing in the way.

Verification

For each repository in use, validate that the branch protection rules on every protected branch also apply to administrator accounts (on GitHub, the branch's protection object must report enforce_admins as enabled; a branch with no protection rule at all fails this check as well).

Remediation

For each repository in use, configure the protection rules of every protected branch so that they are enforced on administrators as well, and do not grant administrators a bypass.
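The verification and remediation steps above, as a worked example added here (not code from the CIS benchmark or from any tool the page describes). It evaluates the JSON that GitHub's GET /repos/{owner}/{repo}/branches/{branch}/protection endpoint returns (for instance via `gh api`), flags branches whose enforce_admins status is not enabled or that carry no protection rule at all, and prints the gh(1) command that turns admin enforcement on. The repository names and payloads are constructed for illustration, and the script assumes classic branch protection rather than repository rulesets, which expose bypass lists through a different API.

```python
import json
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample payloads shaped like GitHub's branch-protection response
# (only the fields this check needs). The repositories are hypothetical.
SAMPLE_PROTECTIONS: Dict[str, Optional[Dict[str, Any]]] = {
    "acme/payments@main": {
        "required_pull_request_reviews": {"required_approving_review_count": 2},
        "enforce_admins": {
            "url": "https://api.github.com/repos/acme/payments/branches/main/protection/enforce_admins",
            "enabled": True,
        },
    },
    "acme/billing@main": {
        "required_pull_request_reviews": {"required_approving_review_count": 1},
        "enforce_admins": {
            "url": "https://api.github.com/repos/acme/billing/branches/main/protection/enforce_admins",
            "enabled": False,
        },
    },
    # GET .../protection answered 404 "Branch not protected": no rule exists at all.
    "acme/website@release": None,
}


def load_protection(text: str) -> Optional[Dict[str, Any]]:
    """Parse the JSON printed by `gh api repos/OWNER/REPO/branches/BRANCH/protection`.

    On an unprotected branch GitHub answers 404 with {"message": "Branch not protected", ...};
    that body carries no protection fields, so it is mapped to None.
    """
    data = json.loads(text)
    if "enforce_admins" not in data and "message" in data:
        return None
    return data


def admin_enforcement(protection: Optional[Dict[str, Any]]) -> Tuple[bool, str]:
    """Return (passes, reason) for one branch's protection object."""
    if protection is None:
        return False, "branch has no protection rule at all"
    enforce = protection.get("enforce_admins")
    if not isinstance(enforce, dict) or "enabled" not in enforce:
        return False, "protection object carries no enforce_admins status"
    if enforce["enabled"] is True:
        return True, "rules are enforced for administrators"
    return False, "administrators can bypass the protection rules"


def audit(protections: Dict[str, Optional[Dict[str, Any]]]) -> List[Tuple[str, str]]:
    """Return the (owner/repo@branch, reason) pairs that fail the control, in sorted order."""
    failures: List[Tuple[str, str]] = []
    for target, protection in sorted(protections.items()):
        ok, reason = admin_enforcement(protection)
        if not ok:
            failures.append((target, reason))
    return failures


def remediation_command(target: str) -> str:
    """gh(1) call for GitHub's 'Set admin branch protection' endpoint.

    POST .../protection/enforce_admins only succeeds on a branch that already has a
    protection rule; an unprotected branch needs a rule created first (PUT .../protection).
    """
    repo, branch = target.split("@", 1)
    return f"gh api -X POST repos/{repo}/branches/{branch}/protection/enforce_admins"


if __name__ == "__main__":
    for target, reason in audit(SAMPLE_PROTECTIONS):
        print(f"FAIL {target}: {reason}")
        print(f"     fix: {remediation_command(target)}")
```

To run this against real repositories, feed `load_protection` the output of `gh api repos/OWNER/REPO/branches/BRANCH/protection` for each protected branch (the 404 body is still JSON, so capture stdout even when gh exits non-zero) and pass the resulting mapping to `audit`.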