Commit bypassed branch protection

ID

commit_bypassing_branch_protection

Severity

critical

Resource

Branch

Description

Detects whether a commit was pushed to a branch after the branch protection rule covering that branch was disabled or downgraded.

When a branch protection rule is active and a developer wants to land a change quickly without waiting for a review or for other required checks, they can disable or weaken the rule, push the commit to the branch, and then reinstate the rule. This sequence of events is a clear anomaly and should be investigated whenever it occurs.

Attackers who have hijacked a legitimate developer's identity often use this technique to inject malicious code. Even when the change has no malicious intent, it circumvents the organization's mandated change-control process.
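The detection logic described above, as an added example that is not the detector's own code: it correlates GitHub `branch_protection_rule` and `push` webhook deliveries and flags any push that lands on a branch while the rule covering it is deleted or downgraded, then records how long afterwards the rule was put back. The field names follow the public webhook payload shapes (`action`, `rule.name`, `changes`, `ref`, `after`, `pusher`), but the `received_at` delivery timestamps, the repository and user names, and the `make_rule_event`/`make_push` builders are constructed for this example; only two rule settings are checked for downgrades, which is an assumption a real detector would have to widen.

```python
"""Added example: flag pushes that land while a branch protection rule is
deleted or downgraded, from constructed GitHub webhook deliveries."""
import fnmatch
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


def ts(s: str) -> datetime:
    """Constructed UTC delivery timestamp for the sample events."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


@dataclass
class Finding:
    repo: str
    rule: str                 # branch pattern of the rule, e.g. "main" or "release/*"
    branch: str
    sha: str
    pusher: str
    pushed_at: datetime
    weakened_by: str          # who deleted or downgraded the rule
    reason: str
    seconds_after_weakening: float
    reinstated_after_seconds: Optional[float] = None   # None if never put back


def is_downgrade(rule: dict, changes: dict) -> Optional[str]:
    """Reason string if an `edited` event lowered the rule, else None.
    Assumption: only two settings are checked; a real detector covers every field."""
    if "required_approving_review_count" in changes:
        before = changes["required_approving_review_count"].get("from") or 0
        after = rule.get("required_approving_review_count") or 0
        if after < before:
            return f"required reviews {before}->{after}"
    if "admin_enforced" in changes and not rule.get("admin_enforced"):
        return "admin enforcement disabled"
    return None


def close_window(findings: list, key: tuple, t: datetime) -> None:
    """Record how long after each flagged push the rule was reinstated."""
    for f in findings:
        if (f.repo, f.rule) == key and f.reinstated_after_seconds is None:
            f.reinstated_after_seconds = (t - f.pushed_at).total_seconds()


def detect_bypass(events: list) -> list:
    """Return one Finding per push that hit a branch during a weakened window."""
    weakened: dict = {}   # (repo, rule pattern) -> (actor, when, reason)
    findings: list = []
    for ev in sorted(events, key=lambda e: e["received_at"]):   # deliveries may arrive out of order
        t, p = ev["received_at"], ev["payload"]
        repo = p["repository"]["full_name"]
        if ev["event"] == "branch_protection_rule":
            key, actor = (repo, p["rule"]["name"]), p["sender"]["login"]
            if p["action"] == "deleted":
                weakened[key] = (actor, t, "rule deleted")
            elif p["action"] == "edited":
                reason = is_downgrade(p["rule"], p.get("changes", {}))
                if reason:
                    weakened[key] = (actor, t, reason)
                elif key in weakened:            # edited back up: the window closes
                    close_window(findings, key, t)
                    del weakened[key]
            elif p["action"] == "created" and key in weakened:
                close_window(findings, key, t)
                del weakened[key]
        elif ev["event"] == "push":
            branch = p["ref"].removeprefix("refs/heads/")
            for (r, pattern), (actor, since, reason) in weakened.items():
                if r == repo and fnmatch.fnmatchcase(branch, pattern):
                    findings.append(Finding(repo, pattern, branch, p["after"], p["pusher"]["name"],
                                            t, actor, reason, (t - since).total_seconds()))
    return findings


REPO = {"full_name": "acme/payments"}   # constructed


def make_rule_event(t, action, actor, rule, changes=None):
    """Build a constructed branch_protection_rule delivery."""
    return {"event": "branch_protection_rule", "received_at": ts(t),
            "payload": {"action": action, "repository": REPO, "sender": {"login": actor},
                        "rule": rule, "changes": changes or {}}}


def make_push(t, ref, sha, who):
    """Build a constructed push delivery."""
    return {"event": "push", "received_at": ts(t),
            "payload": {"ref": ref, "after": sha, "repository": REPO, "pusher": {"name": who}}}


SAMPLE_EVENTS = [   # constructed sample, not real deliveries
    make_rule_event("2024-05-01T09:00:00", "edited", "dev-alice",
                    {"name": "main", "required_approving_review_count": 0, "admin_enforced": True},
                    {"required_approving_review_count": {"from": 2}}),
    make_push("2024-05-01T09:01:30", "refs/heads/main", "9f2c4e1", "dev-alice"),
    make_rule_event("2024-05-01T09:03:00", "edited", "dev-alice",
                    {"name": "main", "required_approving_review_count": 2, "admin_enforced": True},
                    {"required_approving_review_count": {"from": 0}}),
    make_push("2024-05-01T09:02:00", "refs/heads/feature/x", "c0ffee1", "dev-bob"),   # not covered
    make_rule_event("2024-05-01T10:00:00", "deleted", "dev-bob", {"name": "release/*"}),
    make_push("2024-05-01T10:00:40", "refs/heads/release/2024.05", "deadbee", "dev-bob"),
    make_rule_event("2024-05-01T10:02:00", "created", "dev-bob", {"name": "release/*"}),
]

if __name__ == "__main__":
    for f in detect_bypass(SAMPLE_EVENTS):
        print(f"{f.repo} {f.branch}@{f.sha}: pushed by {f.pusher} {f.seconds_after_weakening:.0f}s "
              f"after {f.weakened_by} ({f.reason}); rule reinstated {f.reinstated_after_seconds}s later")
```

Run on the sample, the first scenario (reviews lowered from 2 to 0, push, reviews restored) and the second (rule deleted, push, rule re-created) each produce one finding, while the push to `feature/x` does not because no weakened rule matches it. The short gap between weakening and reinstatement is what separates this pattern from a rule that was simply retired.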

Impact

A commit that bypasses branch protection can have a wide range of negative impacts on an organization. Some examples:

  • Security Breach: The commit may introduce security vulnerabilities into an organization’s codebase. Malicious actors may exploit these vulnerabilities to gain unauthorized access to the organization’s systems, steal sensitive data, or cause other types of harm.

  • Compliance Issues: The commit may violate regulatory or compliance requirements, so it may expose the organization to legal liabilities, fines, or other penalties.

  • Operational Disruptions: The commit may cause unexpected errors, crashes, or downtime in the organization’s systems, disrupting business operations and causing financial losses.

  • Reputational Damage: If the commit results in a high-profile security breach or operational disruption, it may damage the organization’s reputation and erode customer trust.

  • Delayed Detection of Issues: Because the commit was not subject to the usual review and testing processes, issues such as bugs or performance problems may go unnoticed until they cause significant problems in production.

Supported Technologies

This detector is supported by the following sensors:

GitHub Actions    GitHub Sensor