1.1.16 Ensure force push code to branches is denied

ID

cis_sscs/force_push_denied

Severity

critical

Category

source_code/code_changes

Levels

Optional

false

Tags

branch-protection, security, supply-chain

Description

The "Force Push" option allows users with "Push" permissions to force their changes directly onto the branch, rewriting its history without a pull request, and should therefore be disabled.

Rationale

The "Force Push" option allows users to overwrite the existing code with their own. This can lead to both intentional and unintentional data loss, as well as the injection of malicious code into the repository. Disabling the "Force Push" option prohibits users from forcing their changes onto the master branch, which ultimately prevents malicious code from entering the source code.

Verification

For each repository in use, validate that no one can force push code.

Remediation

For each repository in use, block the option to "Force Push" code.
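The verification and remediation steps above can be automated once the branch-protection settings of each repository have been exported. The following Python script is an added example written for this page and is not part of the CIS benchmark or any platform's own tooling. It assumes the exported data follows the shape of the GitHub REST "get branch protection" response (an `allow_force_pushes` object with an `enabled` flag, as returned for example by `gh api repos/OWNER/REPO/branches/BRANCH/protection`); the repository names and settings in `SAMPLE_PROTECTIONS` are constructed sample data. A branch with no protection rule at all is reported as a finding, because nothing then stops a force push.

```python
import json

# Constructed sample input: "owner/repo:branch" -> branch-protection payload.
# The payload shape (allow_force_pushes.enabled) is an assumption based on the
# GitHub REST branch-protection response; None means no protection rule exists.
SAMPLE_PROTECTIONS = {
    "acme/payments:main": {
        "allow_force_pushes": {"enabled": False},
        "allow_deletions": {"enabled": False},
    },
    "acme/payments:release": {
        "allow_force_pushes": {"enabled": True},
    },
    "acme/web:main": None,
}


def force_push_allowed(protection):
    """Return True when the branch can be force-pushed.

    A missing protection rule, or a payload that lacks the allow_force_pushes
    field, is treated as allowed: the control fails unless the setting is
    explicitly disabled.
    """
    if protection is None:
        return True
    setting = protection.get("allow_force_pushes")
    if not isinstance(setting, dict):
        return True
    return bool(setting.get("enabled", False))


def findings(protections):
    """Verification: list every branch that fails the control, sorted for
    stable, diff-friendly output."""
    return sorted(
        key for key, protection in protections.items()
        if force_push_allowed(protection)
    )


def harden(protection):
    """Remediation: return a copy of the protection payload with force push
    disabled. A branch without any rule gets a minimal rule created."""
    hardened = dict(protection) if protection else {}
    hardened["allow_force_pushes"] = {"enabled": False}
    return hardened


def report(protections):
    """Render a short audit report for the control as a JSON string."""
    failing = findings(protections)
    return json.dumps(
        {
            "control": "cis_sscs/force_push_denied",
            "checked": len(protections),
            "failing": failing,
            "status": "PASS" if not failing else "FAIL",
        },
        indent=2,
    )


if __name__ == "__main__":
    print(report(SAMPLE_PROTECTIONS))
    # Show that applying the remediation clears every finding.
    fixed = {k: harden(v) for k, v in SAMPLE_PROTECTIONS.items()}
    print(report(fixed))
```

Feed the script the real exported settings of every repository in use; any branch listed under `failing` is one where "Force Push" must be blocked, and re-running the check after the change confirms the remediation took effect.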