turbot/github_compliance

Control: 1.1.17 Ensure branch deletions are denied

Description

Ensure that users with only push access are incapable of deleting a protected branch.

Rationale

When deletion of a protected branch is allowed, any user with at least push access to the repository can delete that branch. This is potentially dangerous: a simple human mistake or a compromised account can cause data loss if a branch is deleted. It is therefore crucial to prevent such incidents by denying protected branch deletion.

Note: Protected branches cannot be deleted.

Audit

For each repository that is being used, verify that protected branches cannot be deleted.

Remediation

For each repository that is being used, block the option to delete protected branches via branch protection rules.

Usage

Run the control in your terminal:

powerpipe control run github_compliance.control.cis_supply_chain_v100_1_1_17

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run github_compliance.control.cis_supply_chain_v100_1_1_17 --share

SQL

This control uses a named query:

default_branch_setting_block_deletion
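The check described under Audit, written as a Steampipe SQL query in the style of the mod's controls (an added example, not the mod's own default_branch_setting_block_deletion query). It assumes the Steampipe GitHub plugin's github_my_repository table with url, name_with_owner and default_branch_ref columns, and that default_branch_ref carries the matching branch_protection_rule as JSON with an allows_deletions flag; confirm the column names against your plugin version.

```sql
-- Added example: evaluates every repository visible to the authenticated
-- user and reports whether its default branch can be deleted.
-- Assumed columns (Steampipe GitHub plugin): url, name_with_owner,
-- default_branch_ref (jsonb with 'name' and 'branch_protection_rule').
-- Reading the rule from default_branch_ref rather than joining on the
-- rule pattern also covers glob patterns such as release/* that match
-- the default branch without naming it literally.
select
  url as resource,
  case
    -- empty repository: there is no default branch to protect
    when default_branch_ref ->> 'name' is null then 'skip'
    -- default branch exists but no protection rule applies to it
    when default_branch_ref -> 'branch_protection_rule' is null then 'alarm'
    -- a rule applies but still permits deletion
    when (default_branch_ref -> 'branch_protection_rule' ->> 'allows_deletions')::boolean
      then 'alarm'
    else 'ok'
  end as status,
  case
    when default_branch_ref ->> 'name' is null
      then name_with_owner || ' has no default branch.'
    when default_branch_ref -> 'branch_protection_rule' is null
      then name_with_owner || ' default branch ' || (default_branch_ref ->> 'name')
           || ' has no branch protection rule.'
    when (default_branch_ref -> 'branch_protection_rule' ->> 'allows_deletions')::boolean
      then name_with_owner || ' default branch ' || (default_branch_ref ->> 'name')
           || ' can be deleted by users with push access.'
    else name_with_owner || ' default branch ' || (default_branch_ref ->> 'name')
         || ' cannot be deleted.'
  end as reason,
  name_with_owner as repository
from
  github_my_repository
order by
  status,
  name_with_owner;
```

Rows with status alarm are the repositories to remediate by enabling the deletion restriction in their branch protection rule.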

Tags