turbot/steampipe-mod-github-compliance

Control: 1.1.12 Ensure verification of signed commits for new changes before merging

Description

Ensure every commit in a pull request is signed and verified before merging.

Rationale

Signing commits, or requiring that commits be signed, gives other users confidence about the origin of a specific code change. The author of the change is not hidden and is verified by the version control system, so the change can be traced back to a trusted source.

Note: once this rule is enforced, pull requests that contain unsigned or unverified commits cannot be merged into the protected branch.

Audit

Ensure, via branch protection rules, that only signed commits can be merged into every branch, especially the main branch. The query below inspects only each repository's default branch; other protected branches must be checked separately.

Remediation

For each repository in use, enforce the branch protection rule that requires signed commits, and make sure only signed commits can be merged.
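The following shell script is an added example and is not part of this mod or of the steampipe-mod-github-compliance control. It covers both the Audit and Remediation steps from a different angle than the SQL query: a local pre-merge check over a commit range using git's signature-status placeholder, and the GitHub REST calls (via the gh CLI) that read and enable the "required signatures" protection on a branch. It assumes git and gh are installed and authenticated; the repository and branch names are placeholders, and the commit lines fed to the check are constructed sample data with fake SHAs. One caveat: git's `G` status means the signature verified against your local keyring, whereas GitHub's "Verified" badge additionally requires the key to be attached to the committer's GitHub account, so the branch protection rule remains the authoritative gate.

```shell
#!/bin/sh
# Added example (not the control's own code). Placeholders: OWNER/REPO, branch
# names and the SAMPLE commit list below are assumptions, not real data.

# git's %G? placeholder yields one letter per commit:
#   G good, U good but untrusted key, X good but expired, Y expired key,
#   R revoked key, B bad signature, E cannot be checked, N no signature.
# Only G counts as "signed and verified"; everything else is reported so the
# pull request can be fixed before merging. A missing status (very old git
# prints nothing for unsigned commits) is treated as not verified.
unsigned_commits() {
    # $1: text in "<sha> <status>" form, one commit per line, i.e. what
    # `git log --format='%H %G?' base..head` prints
    printf '%s\n' "$1" | awk 'NF >= 1 && $2 != "G" { print $1, ($2 == "" ? "(none)" : $2) }'
}

check_signed_range() {
    # returns 0 when every commit in the range is G, 1 otherwise
    [ -z "$(unsigned_commits "$1")" ]
}

signature_status() {
    # $1 base ref, $2 head ref; real git call, requires a checked-out repository
    git log --format='%H %G?' "$1..$2"
}

required_signatures_enabled() {
    # $1 owner/repo, $2 branch. GET returns {"url": ..., "enabled": true}
    # when the rule is on and a 404 when the branch has no such protection.
    gh api "repos/$1/branches/$2/protection/required_signatures" --jq '.enabled' 2>/dev/null
}

require_signatures() {
    # $1 owner/repo, $2 branch. Branch protection must already exist on the
    # branch; this call adds the "require signed commits" setting to it.
    gh api -X POST "repos/$1/branches/$2/protection/required_signatures" --jq '.enabled'
}

# Constructed sample (fake SHAs) standing in for `signature_status main feature`:
# one verified commit, one unsigned commit, one signed with an untrusted key.
SAMPLE='1111111111111111111111111111111111111111 G
2222222222222222222222222222222222222222 N
3333333333333333333333333333333333333333 U'

if check_signed_range "$SAMPLE"; then
    echo "all commits signed and verified; merge allowed"
else
    echo "merge would be blocked; offending commits:"
    unsigned_commits "$SAMPLE"
fi

# Against a real repository the audit and remediation would be, for example:
#   check_signed_range "$(signature_status main feature)"
#   required_signatures_enabled OWNER/REPO main || require_signatures OWNER/REPO main
```

To audit a branch other than the default one, call `required_signatures_enabled` with that branch name; the SQL control only reads the default branch's protection rule.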

Usage

Run the control in your terminal:

powerpipe control run github_compliance.control.cis_supply_chain_v100_1_1_12

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run github_compliance.control.cis_supply_chain_v100_1_1_12 --share

SQL

This control uses a named query:

select
  -- Required Columns
  url as resource,
  case
    when (default_branch_ref -> 'branch_protection_rule') is null then 'info'
    when (default_branch_ref -> 'branch_protection_rule' ->> 'requires_commit_signatures')::bool = true then 'ok'
    else 'alarm'
  end as status,
  name_with_owner || ' default branch ' || (default_branch_ref ->> 'name') ||
  case
    when (default_branch_ref -> 'branch_protection_rule') is null then ' branch protection rule unknown.'
    when (default_branch_ref -> 'branch_protection_rule' ->> 'requires_commit_signatures')::bool = true then ' requires signed commits before merge.'
    else ' does not require signed commits before merge.'
  end as reason,
  -- Additional Dimensions
  name_with_owner
from
  github_my_repository;

Tags