1.1.5 Ensure there are restrictions on who can dismiss code change reviews

ID

cis_sscs/dismissal_restrictions

Severity

critical

Category

source_code/code_changes

Levels

Optional

false

Tags

code-reviews, source-code, supply-chain

Description

Ensure there are restrictions on who can dismiss code change reviews. Only trusted users should be allowed to dismiss code change reviews.

Rationale

Dismissing a code change review permits users to merge new suggested code changes without going through the standard process of approvals. Controlling who can perform this action will prevent malicious actors from simply dismissing the required reviews of code changes and merging malicious or dysfunctional code into the code base.

In cases where a code change proposal has been updated since it was last reviewed and the person who reviewed it isn’t available for approval, a general collaborator would not be able to merge their code changes until a user with "dismiss review" abilities could dismiss the open review.

Users who are not allowed to dismiss code change reviews will not be permitted to do so, and thus are unable to waive the standard flow of approvals.

Verification

For each code repository in use, ensure that only trusted users are allowed to dismiss code change reviews.
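The check below is an added example and not part of the benchmark text. It assumes the repository is hosted on GitHub, which this control does not name, and that branch protection is read through the REST API endpoint GET /repos/{owner}/{repo}/branches/{branch}/protection, where the required_pull_request_reviews.dismissal_restrictions object lists the users, teams and apps allowed to dismiss reviews. The three responses embedded in the script are constructed samples, so it runs offline; in practice the JSON would come from the API for every protected branch of every repository in scope.

```python
"""Evaluate one branch-protection response for this control.

Added example (not benchmark or GitHub code). Assumes the GitHub REST API
branch-protection response shape; the sample responses are constructed.
"""
import json

# Constructed sample: reviews required, dismissal limited to named principals.
PROTECTED = json.dumps({
    "required_pull_request_reviews": {
        "required_approving_review_count": 2,
        "dismissal_restrictions": {
            "users": [{"login": "release-manager"}],
            "teams": [{"slug": "security-reviewers"}],
            "apps": [],
        },
    }
})

# Constructed sample: reviews required, but no dismissal restriction, so
# every user with write access can dismiss a review (the platform default).
UNRESTRICTED = json.dumps({
    "required_pull_request_reviews": {
        "required_approving_review_count": 1,
    }
})

# Constructed sample: no review requirement configured at all.
NO_REVIEWS = json.dumps({"required_status_checks": {"strict": True}})


def check_dismissal_restrictions(protection_json: str) -> dict:
    """Return {"status": ..., "allowed": [...]} for one branch.

    status values:
      "pass"       - reviews are required and dismissal is restricted to the
                     principals listed in "allowed" (confirm they are trusted)
      "fail"       - reviews are required but any write-access user can
                     dismiss them
      "no_reviews" - no pull-request review requirement exists on the branch
    """
    protection = json.loads(protection_json)
    reviews = protection.get("required_pull_request_reviews")
    if not reviews:
        return {"status": "no_reviews", "allowed": []}

    restrictions = reviews.get("dismissal_restrictions")
    if restrictions is None:
        return {"status": "fail", "allowed": []}

    # Flatten the principals so an auditor can compare them with the
    # organisation's list of trusted reviewers.
    allowed = (
        [f"user:{u['login']}" for u in restrictions.get("users", [])]
        + [f"team:{t['slug']}" for t in restrictions.get("teams", [])]
        + [f"app:{a['slug']}" for a in restrictions.get("apps", [])]
    )
    return {"status": "pass", "allowed": allowed}


if __name__ == "__main__":
    for name, sample in [("protected", PROTECTED),
                         ("unrestricted", UNRESTRICTED),
                         ("no-reviews", NO_REVIEWS)]:
        result = check_dismissal_restrictions(sample)
        print(f"{name:13s} {result['status']:10s} {', '.join(result['allowed'])}")
```

A "pass" result is only the starting point: the returned list of users, teams and apps still has to be compared against the set of collaborators the organisation actually trusts to waive reviews, which is the judgement the benchmark asks for.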

Remediation

For each code repository in use, do not grant the permission to dismiss code change reviews unless it is really necessary. If it is obligatory, carefully select the individual collaborators or groups whom you trust with the ability to dismiss code change reviews.

By default, all users who have write access to the code repository are able to dismiss code change reviews.

For Azure DevOps repositories, enable the "Require a minimum number of reviewers" policy and ensure that "Allow requestors to approve their own changes" is disabled, "Prohibit the most recent pusher from approving their own changes" is enabled, and "Allow completion even if some reviewers vote to wait or reject" is disabled.