turbot/steampipe-mod-github-compliance

Control: 1.1.16 Ensure force push code to branches is denied

Description

The "force push" option allows users with "push" permissions to force their changes directly to the branch without a pull request, and thus should be disabled.

Rationale

The "force push" option allows users to overwrite the existing history of a branch with their own commits. This can lead to both intentional and unintentional data loss, as well as the introduction of malicious code. Disabling the "force push" option prevents users from forcing their changes onto the main branch, which in turn stops malicious code from being slipped into the source tree without review.

Note: Users cannot "force push" to protected branches.

Audit

For each repository in use, validate that no one can "force push" code.

Remediation

For each repository in use, block the option to "force push" code.

Usage

Run the control in your terminal:

powerpipe control run github_compliance.control.cis_supply_chain_v100_1_1_16

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run github_compliance.control.cis_supply_chain_v100_1_1_16 --share

SQL

This control uses a named query:

select
  -- Required Columns
  url as resource,
  case
    when (default_branch_ref -> 'branch_protection_rule') is null then 'info'
    when (default_branch_ref -> 'branch_protection_rule' ->> 'allows_force_pushes') = 'false' then 'ok'
    else 'alarm'
  end as status,
  name_with_owner || ' default branch ' || (default_branch_ref ->> 'name') ||
  case
    when (default_branch_ref -> 'branch_protection_rule' ->> 'allows_force_pushes') = 'false' then ' prevents force push.'
    when (default_branch_ref -> 'branch_protection_rule' ->> 'allows_force_pushes') = 'true' then ' allows force push.'
    -- If neither 'false' nor 'true', the value is null, which means no branch protection rule exists
    else ' branch protection rule unknown.'
  end as reason,
  -- Additional Dimensions
  name_with_owner
from
  github_my_repository;
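The following is an added example and not part of the mod: it applies the same three-way classification as the control above to every repository visible to the authenticated user, then rolls the results up per status so an auditor can see at a glance how many default branches still allow force pushes or have no protection rule at all. It relies only on the columns the control already uses (url, name_with_owner, default_branch_ref) and assumes default_branch_ref is a JSON column as in the query above.

```sql
-- Added example (not the mod's own query): per-status roll-up of the
-- force-push check across all repositories in github_my_repository.
with force_push as (
  select
    url,
    name_with_owner,
    default_branch_ref ->> 'name' as default_branch,
    -- ->> yields the text 'true'/'false', or NULL when no protection
    -- rule exists; casting to boolean keeps NULL as NULL so the three
    -- cases (no rule / rule allows / rule denies) stay distinct.
    (default_branch_ref -> 'branch_protection_rule' ->> 'allows_force_pushes')::boolean
      as allows_force_pushes
  from
    github_my_repository
),
classified as (
  select
    url,
    name_with_owner,
    default_branch,
    case
      when allows_force_pushes is null then 'info'  -- no branch protection rule
      when allows_force_pushes then 'alarm'         -- rule exists, force push allowed
      else 'ok'                                     -- rule exists, force push denied
    end as status
  from
    force_push
)
select
  status,
  count(*) as repositories,
  -- Comma-separated list of "owner/repo (branch)" for each status bucket;
  -- an empty repository has no default branch, shown as '?'.
  string_agg(name_with_owner || ' (' || coalesce(default_branch, '?') || ')', ', '
             order by name_with_owner) as repository_list
from
  classified
group by
  status
order by
  -- Surface the findings that need action first
  case status when 'alarm' then 1 when 'info' then 2 else 3 end;
```

Rows with status 'alarm' are the repositories to remediate by disabling force pushes in the branch protection rule; 'info' rows have no rule on the default branch and need one created before the control can pass.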

Tags