v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/github_compliance
Overview
2Dashboards
37Controls
33Queries
2Variables
GitHub

Control: 1.1.12 Ensure verification of signed commits for new changes before merging

Description

Ensure every commit in a pull request is signed and verified before merging.

Rationale

Signing commits, or requiring to sign commits, gives other users confidence about the origin of a specific code change. It ensures that the author of the change is not hidden and is verified by the version control system, thus the change comes from a trusted source.

Note: Pull requests with unsigned commits cannot be merged.

Audit

Ensure only signed commits can be merged for every branch, especially the main branch, via branch protection rules.

Remediation

For each repository in use, enforce the branch protection rule of requiring signed commits, and make sure only signed commits are capable of merging.

Usage

Run the control in your terminal:

powerpipe control run github_compliance.control.cis_supply_chain_v100_1_1_12

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run github_compliance.control.cis_supply_chain_v100_1_1_12 --share

SQL

This control uses a named query:

default_branch_requires_signed_commits

Tags

category = Compliance
cis = true
cis_section_id = 1.1
cis_supply_chain_v100 = true
cis_type = automated
cis_version = v1.0.0
plugin = github
service = GitHub