v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/github_compliance
Overview
2Dashboards
37Controls
33Queries
2Variables
GitHub

Control: 1.1.14 Ensure branch protection rules are enforced for administrators

Description

Ensure administrators are subject to branch protection rules.

Rationale

Administrators by default are excluded from any branch protection rules. This means these privileged users (on both the repository and organization levels) are not subject to protections meant to prevent untrusted code insertion, including malicious code. This is extremely important since administrator accounts are often targeted for account hijacking due to their privileged role.

Note: Administrator users will not be able to push code directly to the protected branch without being compliant with listed branch protection rules.

Audit

For each repository in use, validate branch protection rules also apply to administrator accounts.

Remediation

For each repository in use, enforce branch protection rules on administrators, as well.

Usage

Run the control in your terminal:

powerpipe control run github_compliance.control.cis_supply_chain_v100_1_1_14

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run github_compliance.control.cis_supply_chain_v100_1_1_14 --share

SQL

This control uses a named query:

default_branch_protections_apply_to_admins

Tags

category = Compliance
cis = true
cis_section_id = 1.1
cis_supply_chain_v100 = true
cis_type = automated
cis_version = v1.0.0
plugin = github
service = GitHub