turbot/steampipe-mod-github-compliance

Control: 1.1.14 Ensure branch protection rules are enforced for administrators

Description

Ensure administrators are subject to branch protection rules.

Rationale

Administrators by default are excluded from any branch protection rules. This means these privileged users (on both the repository and organization levels) are not subject to protections meant to prevent untrusted code insertion, including malicious code. This is extremely important since administrator accounts are often targeted for account hijacking due to their privileged role.

Note: Once enforced, administrator users will not be able to push code directly to the protected branch unless they comply with the listed branch protection rules.

Audit

For each repository in use, validate branch protection rules also apply to administrator accounts.

Remediation

For each repository in use, enforce branch protection rules on administrators as well.

Usage

Run the control in your terminal:

powerpipe control run github_compliance.control.cis_supply_chain_v100_1_1_14

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run github_compliance.control.cis_supply_chain_v100_1_1_14 --share

SQL

This control uses a named query:

select
  -- Required Columns
  url as resource,
  case
    when (default_branch_ref -> 'branch_protection_rule') is null then 'info'
    when (default_branch_ref -> 'branch_protection_rule' ->> 'is_admin_enforced') = 'true' then 'ok'
    else 'alarm'
  end as status,
  name_with_owner || ' default branch ' || (default_branch_ref ->> 'name') ||
  case
    when (default_branch_ref -> 'branch_protection_rule' ->> 'is_admin_enforced') = 'true' then ' protections apply to admins.'
    when (default_branch_ref -> 'branch_protection_rule' ->> 'is_admin_enforced') = 'false' then ' protections do not apply to admins.'
    -- If not false or true, then null, which means no branch protection rule exists
    else ' branch protection rule unknown.'
  end as reason,
  -- Additional Dimensions
  name_with_owner
from
  github_my_repository;
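The query above distinguishes three outcomes: no branch protection rule at all on the default branch (info), a rule with is_admin_enforced true (ok), and anything else (alarm). The following is an added example, not code from the steampipe-mod-github-compliance mod, that reproduces the same status and reason logic in Python over constructed repository records shaped like the default_branch_ref column of github_my_repository, so the three cases can be seen side by side without a live GitHub connection. The repository names and URLs in it are made up.

```python
"""Evaluate the admin-enforcement check locally over repository records.

Added example, not part of the steampipe-mod-github-compliance mod. It
mirrors the status/reason logic of the control's SQL so the three
outcomes (ok / alarm / info) can be exercised on constructed data. The
record shape is assumed to follow the `default_branch_ref` JSON column of
Steampipe's `github_my_repository` table; the repositories below are
constructed for illustration and do not refer to real projects.
"""
from __future__ import annotations

from typing import Any

# Constructed sample records (assumed shape: name_with_owner, url,
# default_branch_ref{name, branch_protection_rule{is_admin_enforced}}).
SAMPLE_REPOS: list[dict[str, Any]] = [
    {
        "name_with_owner": "example-org/payments-api",
        "url": "https://github.com/example-org/payments-api",
        "default_branch_ref": {
            "name": "main",
            "branch_protection_rule": {"is_admin_enforced": True},
        },
    },
    {
        "name_with_owner": "example-org/web-frontend",
        "url": "https://github.com/example-org/web-frontend",
        "default_branch_ref": {
            "name": "main",
            # Rule exists, but admins are exempt from it.
            "branch_protection_rule": {"is_admin_enforced": False},
        },
    },
    {
        "name_with_owner": "example-org/scratch-tools",
        "url": "https://github.com/example-org/scratch-tools",
        # No branch protection rule on the default branch at all.
        "default_branch_ref": {"name": "master", "branch_protection_rule": None},
    },
]


def evaluate(repo: dict[str, Any]) -> dict[str, str]:
    """Return the control row (resource, status, reason) for one repository.

    Same decision table as the SQL: a missing rule is 'info' (the SQL's
    `-> 'branch_protection_rule' is null` branch), is_admin_enforced true is
    'ok', and any other value is 'alarm'. The reason text also follows the
    SQL, including its 'unknown' wording when the flag is neither true nor
    false.
    """
    ref = repo.get("default_branch_ref") or {}
    rule = ref.get("branch_protection_rule")
    branch = ref.get("name", "<unknown>")
    prefix = f"{repo['name_with_owner']} default branch {branch}"

    if rule is None:
        return {
            "resource": repo["url"],
            "status": "info",
            "reason": f"{prefix} branch protection rule unknown.",
        }

    enforced = rule.get("is_admin_enforced")
    status = "ok" if enforced is True else "alarm"
    if enforced is True:
        reason = f"{prefix} protections apply to admins."
    elif enforced is False:
        reason = f"{prefix} protections do not apply to admins."
    else:
        # Flag absent or malformed: still an alarm, but reported as unknown.
        reason = f"{prefix} branch protection rule unknown."
    return {"resource": repo["url"], "status": status, "reason": reason}


def summarize(repos: list[dict[str, Any]]) -> dict[str, int]:
    """Count rows per status, the way a control summary line would."""
    counts = {"ok": 0, "alarm": 0, "info": 0}
    for row in map(evaluate, repos):
        counts[row["status"]] += 1
    return counts


if __name__ == "__main__":
    for row in map(evaluate, SAMPLE_REPOS):
        print(f"{row['status']:5}  {row['reason']}")
    print(summarize(SAMPLE_REPOS))
```

Note the asymmetry worth keeping in mind when reading results: an "info" row is not a pass. It means the default branch has no protection rule at all, so there is nothing for administrators to be exempt from, and it should be addressed alongside the "alarm" rows when remediating.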

Tags