turbot/steampipe-mod-github-compliance

Control: 1.1.13 Ensure linear history is required

Description

Linear history is the name for Git history where all commits are listed in chronological order, one after another. Such history exists if a pull request is merged either by rebase merge (which reorders the commit history) or by squash merge (which squashes all commits into one). Ensure that linear history is required by requiring the use of rebase or squash merge when merging a pull request.

Rationale

Enforcing linear history produces a clear record of activity, and as such it offers specific advantages: it is easier to follow, it is easier to revert a change, and bugs can be found more easily.

Note: Pull requests cannot be merged except by squash or rebase merge.

Audit

For each repository in use, ensure that linear history is required and/or that only squash merge and rebase merge are allowed.

Remediation

For each repository in use, require linear history and/or allow only rebase merge and squash merge.

Usage

Run the control in your terminal:

powerpipe control run github_compliance.control.cis_supply_chain_v100_1_1_13

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run github_compliance.control.cis_supply_chain_v100_1_1_13 --share

SQL

This control uses a named query:

select
  -- Required Columns
  url as resource,
  case
    when (
      (default_branch_ref -> 'branch_protection_rule') is not null
      and (default_branch_ref -> 'branch_protection_rule' ->> 'requires_linear_history')::bool = true
    ) or (rebase_merge_allowed = true or squash_merge_allowed = true) then 'ok'
    else 'alarm'
  end as status,
  name_with_owner || ' default branch ' || (default_branch_ref ->> 'name')
    || case
      when (
        (default_branch_ref -> 'branch_protection_rule') is not null
        and (default_branch_ref -> 'branch_protection_rule' ->> 'requires_linear_history')::bool = true
      ) or (rebase_merge_allowed = true or squash_merge_allowed = true) then ' has linear history enabled.'
      else ' has linear history disabled.'
    end as reason,
  -- Additional Dimensions
  name_with_owner
from
  github_my_repository;
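A stricter variant of the check, added here as an example and not part of the mod's own query: the query above reports 'ok' as soon as rebase or squash merge is enabled, even when merge commits remain allowed, whereas this version passes a repository only when branch protection requires linear history or merge commits are disabled at the repository level. It relies on the github plugin's merge_commit_allowed column next to rebase_merge_allowed and squash_merge_allowed.

```sql
-- Added example, not the mod's query: stricter reading of control 1.1.13.
-- A repository is 'ok' only if its default branch is protected with
-- requires_linear_history, or if merge commits are disabled at the
-- repository level so that only squash and/or rebase merge remain.
with repos as (
  select
    url,
    name_with_owner,
    default_branch_ref ->> 'name' as default_branch,
    -- Unprotected branches have no branch_protection_rule; treat that as false.
    coalesce(
      (default_branch_ref -> 'branch_protection_rule' ->> 'requires_linear_history')::bool,
      false
    ) as requires_linear_history,
    merge_commit_allowed,
    rebase_merge_allowed,
    squash_merge_allowed
  from
    github_my_repository
)
select
  -- Required Columns
  url as resource,
  case
    when requires_linear_history then 'ok'
    when not merge_commit_allowed and (rebase_merge_allowed or squash_merge_allowed) then 'ok'
    else 'alarm'
  end as status,
  name_with_owner || ' default branch ' || default_branch
    || case
      when requires_linear_history then ' requires linear history via branch protection.'
      when not merge_commit_allowed and (rebase_merge_allowed or squash_merge_allowed)
        -- List the merge methods that are still enabled, e.g. "rebase and squash".
        then ' allows only ' || array_to_string(array_remove(array[
          case when rebase_merge_allowed then 'rebase' end,
          case when squash_merge_allowed then 'squash' end], null), ' and ') || ' merge.'
      else ' does not enforce linear history.'
    end as reason,
  -- Additional Dimensions
  name_with_owner
from
  repos;
```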

Tags