v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/github_compliance
Overview
2Dashboards
37Controls
33Queries
2Variables
GitHub

Control: 1.1.16 Ensure force push code to branches is denied

Description

The "force push" option allows users with "push" permissions to force their changes directly to the branch without a pull request, and thus should be disabled.

Rationale

The "force push" option allows users to override the existing code with their own code. This can lead to both intentional and unintentional data loss, as well as data infection with malicious code. Disabling the “force push” option prohibits users from forcing their changes to the main branch, which ultimately prevents malicious code from entering source code.

Note: Users cannot "force push" to protected branches.

Audit

For each repository in use, validate that no one can "force push" code.

Remediation

For each repository in use, block the option to "force push" code.

Usage

Run the control in your terminal:

powerpipe control run github_compliance.control.cis_supply_chain_v100_1_1_16

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run github_compliance.control.cis_supply_chain_v100_1_1_16 --share

SQL

This control uses a named query:

default_branch_blocks_force_push

Tags

category = Compliance
cis = true
cis_section_id = 1.1
cis_supply_chain_v100 = true
cis_type = automated
cis_version = v1.0.0
plugin = github
service = GitHub