Branch protection

ID

openssf_scorecard/branch_protection

Severity

critical

Category

Levels

Optional

false

Tags

branch-protection, cicd-sec-01, cicd-security, code-reviews, security, source-code, supply-chain

Description

Does the project use branch protection?

This check determines whether a project’s default and release branches are protected with the source code repository’s branch protection settings.

Reference: Scorecard Checks page.

Rationale

Branch protection allows maintainers to define rules that enforce certain workflows for branches, such as requiring review or passing certain status checks before acceptance into a main branch, or preventing rewriting of public history.

Different types of branch protection protect against different risks:

  • Require code review: requires at least one reviewer, which greatly reduces the risk that a compromised contributor can inject malicious code. Review also increases the likelihood that an unintentional vulnerability in a contribution will be detected and fixed before the change is accepted.

  • Prevent force push: prevents use of the --force option on public branches, which overwrites code irrevocably. This protection prevents the rewriting of public history without external notice.

  • Require status checks: ensures that all required CI tests are met before a change is accepted.

Version control systems like Git use branches for change isolation. Changes may be merged into a target branch, but important branches, like main or deployment branches, should be protected against uncontrolled modifications. Otherwise, users with write access may delete significant branches or delete the commit history, typically by a forced push of changes. Code pushed this way may be untested, may contain malicious code, or may include secrets and other sensitive information that should not be committed to the repository.

Most Git-based hosting services, like GitHub, GitLab or BitBucket, allow adding protection rules that block certain operations on important branches.

To avoid these security issues, branch protection rules can be added. These rules provide the following benefits:

  • Avoid unnecessary code commits to the branch

  • Enforce code reviews before merging the code to the branch

  • Maintain a healthy codebase without affecting collaboration

  • Keep commit history (by disallowing force pushes)

  • Make it harder for hardcoded secrets to leak into (public) repositories

Verification

The configuration specifies the minimal protection rules that must be enabled on the configured branches to pass this checkpoint:

  • Prevent force push

  • Prevent branch deletion

  • Status checks defined

  • Have one (or more) reviewers

  • Dismiss stale reviews
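The following is an added example, not part of the checkpoint’s own implementation: it evaluates the five minimal rules above against a branch-protection object shaped like the one returned by the GitHub REST API (GET /repos/{owner}/{repo}/branches/{branch}/protection), using a constructed sample rather than a real repository. It also models the Small Print case where the object could not be fetched at all, which is reported as "unknown" and never counts as a pass.

```python
import json
from typing import Any, Callable, Dict, Optional

# Constructed sample shaped like the GitHub REST API branch-protection object
# (GET /repos/{owner}/{repo}/branches/{branch}/protection); not a real repository.
# Stale-review dismissal is deliberately left off so that one rule fails.
SAMPLE_PROTECTION: Dict[str, Any] = json.loads("""{
  "allow_force_pushes": {"enabled": false},
  "allow_deletions": {"enabled": false},
  "required_status_checks": {"strict": true, "contexts": ["ci/build", "ci/test"]},
  "required_pull_request_reviews": {
    "dismiss_stale_reviews": false,
    "required_approving_review_count": 1
  }
}""")

def _get(obj: Any, *path: str) -> Any:
    """Walk nested dict keys; return None if any key is missing."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

# The five minimal rules from the Verification section as predicates over the
# protection object. A missing key means the rule is simply not configured.
RULES: Dict[str, Callable[[Dict[str, Any]], bool]] = {
    "prevent_force_push": lambda p: _get(p, "allow_force_pushes", "enabled") is False,
    "prevent_branch_deletion": lambda p: _get(p, "allow_deletions", "enabled") is False,
    "status_checks_defined": lambda p: bool(_get(p, "required_status_checks", "contexts")),
    "one_or_more_reviewers": lambda p: (_get(p, "required_pull_request_reviews",
                                             "required_approving_review_count") or 0) >= 1,
    "dismiss_stale_reviews": lambda p: _get(p, "required_pull_request_reviews",
                                            "dismiss_stale_reviews") is True,
}

def evaluate_branch_protection(protection: Optional[Dict[str, Any]]) -> Dict[str, str]:
    """Verdict per rule: "pass", "fail" or "unknown".
    protection is None when the object could not be fetched at all (for example
    the token lacks the administrator role, see Small Print); every rule is then
    "unknown", not "fail", because nothing was actually observed."""
    if protection is None:
        return {name: "unknown" for name in RULES}
    return {name: "pass" if rule(protection) else "fail" for name, rule in RULES.items()}

def checkpoint_passes(verdicts: Dict[str, str]) -> bool:
    """Pass only if every rule was observed and satisfied ("unknown" never passes)."""
    return all(v == "pass" for v in verdicts.values())
```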

Remediation

Follow the instructions to add protected branches rules in GitHub, GitLab or BitBucket.

Please note that in certain special cases the rules may need to be suspended. For example, if a past commit includes illegal or critical content, it may be necessary to use a force push to rewrite the history rather than simply hide the commit.

Small Print

To fetch certain protection rules for branches, this checkpoint may need administrative access to the target repository. If the access token provided does not have the administrator role, and the associated protection rule is required for the checkpoint, the checkpoint will not be given a "pass" state, as the status of the protection rule cannot be determined.