Ensure all checks have passed before merging new code
ID: status_checks
Severity: critical
Family: SCM
Tags: branch-protection, slsa-4, source-code, supply-chain
Description
Ensure that before a code change request can be merged to the code base, all predefined checks must successfully pass.
Security
On top of manual reviews of code changes, a code project should define a set of prescriptive checks that validate each change. Organizations should enforce those status checks so that changes can only be introduced if all checks have passed. This set of checks should serve as the quality, stability, and security conditions that must be met in order to merge new code into a project.
Code changes for which any check fails cannot be merged into the code base of the repository.
Mitigation / Fix
Configure each code repository to require all status checks to pass before permitting a merge of new code.
By default, no checks are defined per project, so no checks are enforced.
GitHub
Alternative #1 - web interface: go to your GitHub repository, Settings > Branches, and add or edit the branch protection rules. For each rule, enable the "Require status checks to pass before merging" checkbox and select all the status checks you want to require.
Alternative #2 - API: you may also use the GitHub API endpoint PUT /repos/{owner}/{repo}/branches/{branch}/protection, setting the required_status_checks entry and, optionally, the enforce_admins flag.
GitLab
By default, merge requests in projects can be merged even if external status checks fail. To block the merging of merge requests when external checks fail:
Alternative #1 - web interface: go to your GitLab project, Settings > Merge Requests, scroll to "Merge Checks", enable "Pipelines must succeed" and optionally "All threads must be resolved", then click "Save changes".
Alternative #2 - API: you may use the PUT /projects/:id API endpoint, setting the only_allow_merge_if_all_status_checks_passed property and, optionally, only_allow_merge_if_pipeline_succeeds and only_allow_merge_if_all_discussions_are_resolved.
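The API alternatives for GitHub and GitLab above, as an added example that is not part of this page: it builds the request bodies for the two endpoints and audits a GitHub branch-protection response for the weak settings this check looks for. The status-check names and the sample response are constructed; the payload keys are those of the GitHub and GitLab endpoints named above.

```python
"""Build branch-protection payloads and audit a protection response (added example)."""
import json
from typing import Any, Dict, List

# Constructed sample: names of the checks this repository's CI reports (assumed).
REQUIRED_CONTEXTS = ["ci/build", "ci/test", "security/sast"]


def github_protection_payload(contexts: List[str], enforce_admins: bool = True) -> Dict[str, Any]:
    """Body for PUT /repos/{owner}/{repo}/branches/{branch}/protection.
    All four top-level keys are mandatory for that endpoint; 'strict' also
    requires the branch to be up to date with its base before merging."""
    return {
        "required_status_checks": {"strict": True, "contexts": list(contexts)},
        "enforce_admins": enforce_admins,
        "required_pull_request_reviews": None,
        "restrictions": None,
    }


def gitlab_project_payload() -> Dict[str, bool]:
    """Body for PUT /projects/:id enabling the three merge checks named above."""
    return {
        "only_allow_merge_if_all_status_checks_passed": True,
        "only_allow_merge_if_pipeline_succeeds": True,
        "only_allow_merge_if_all_discussions_are_resolved": True,
    }


def audit_github_protection(protection: Dict[str, Any]) -> List[str]:
    """Findings for a GET .../branches/{branch}/protection response.
    An empty list means status checks are required and nobody can bypass them."""
    findings: List[str] = []
    rsc = protection.get("required_status_checks")
    if not rsc:
        findings.append("no required status checks configured")
    else:
        if not rsc.get("contexts") and not rsc.get("checks"):
            findings.append("required_status_checks set but no checks selected")
        if not rsc.get("strict"):
            findings.append("strict mode off: branch need not be up to date with base")
    if not (protection.get("enforce_admins") or {}).get("enabled"):
        findings.append("enforce_admins disabled: administrators can bypass checks")
    return findings


# Constructed sample response: a check is required, but administrators may bypass it.
SAMPLE_RESPONSE = {
    "required_status_checks": {"strict": True, "contexts": ["ci/build"]},
    "enforce_admins": {"enabled": False},
}

if __name__ == "__main__":
    print(json.dumps(github_protection_payload(REQUIRED_CONTEXTS), indent=2))
    print(audit_github_protection(SAMPLE_RESPONSE))
```

Send the payloads with an authenticated client of your choice; the audit function runs over the JSON the GET endpoint returns.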