turbot/steampipe-mod-github-compliance

Control: 1.1.17 Ensure branch deletions are denied

Description

Ensure that users with only push access are incapable of deleting a protected branch.

Rationale

When deletion of a protected branch is enabled, any user with at least push access to the repository can delete that branch. This is potentially dangerous: a simple human mistake or a compromised account can cause data loss if a branch is deleted. It is therefore crucial to prevent such incidents by denying deletion of protected branches.

Note: Protected branches cannot be deleted.

Audit

For each repository that is being used, verify that protected branches cannot be deleted.

Remediation

For each repository that is being used, block the option to delete protected branches via branch protection rules.

Usage

Run the control in your terminal:

powerpipe control run github_compliance.control.cis_supply_chain_v100_1_1_17

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run github_compliance.control.cis_supply_chain_v100_1_1_17 --share

SQL

This control uses a named query:

select
  -- Required Columns
  url as resource,
  case
    when (default_branch_ref -> 'branch_protection_rule') is null then 'info'
    when (default_branch_ref -> 'branch_protection_rule' ->> 'allows_deletions') = 'false' then 'ok'
    else 'alarm'
  end as status,
  name_with_owner || ' default branch ' || (default_branch_ref ->> 'name') ||
  case
    when (default_branch_ref -> 'branch_protection_rule' ->> 'allows_deletions') = 'false' then ' prevents deletions.'
    when (default_branch_ref -> 'branch_protection_rule' ->> 'allows_deletions') = 'true' then ' allows deletions.'
    -- If not false or true, then null, which means no branch protection rule exists
    else ' branch protection rule unknown.'
  end as reason,
  -- Additional Dimensions
  name_with_owner
from
  github_my_repository;
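The query above yields three outcomes: ok when a protection rule exists and denies deletions, alarm when a rule exists but allows them, and info when no rule exists at all (the JSON `->>` lookup returns NULL, so neither comparison matches). The following Python evaluator is an added example, not code from the turbot/steampipe-mod-github-compliance mod; it reproduces that CASE logic over constructed repository records shaped like the `github_my_repository` columns the query reads, so the three branches, including the no-rule edge case, can be exercised offline.

```python
"""Offline evaluator mirroring the control's status and reason logic.

Added example, not part of the steampipe-mod-github-compliance mod.
Record shape (assumed from the control's query): `default_branch_ref` is a
JSON object with a `name` and, optionally, a `branch_protection_rule` object
carrying an `allows_deletions` boolean.
"""

# Constructed sample records (not real repositories).
SAMPLE_REPOSITORIES = [
    {   # protected default branch, deletions denied -> ok
        "url": "https://github.com/example-org/payments",
        "name_with_owner": "example-org/payments",
        "default_branch_ref": {
            "name": "main",
            "branch_protection_rule": {"allows_deletions": False},
        },
    },
    {   # protected default branch, deletions allowed -> alarm
        "url": "https://github.com/example-org/website",
        "name_with_owner": "example-org/website",
        "default_branch_ref": {
            "name": "main",
            "branch_protection_rule": {"allows_deletions": True},
        },
    },
    {   # no branch protection rule at all -> info
        "url": "https://github.com/example-org/scratch",
        "name_with_owner": "example-org/scratch",
        "default_branch_ref": {"name": "develop", "branch_protection_rule": None},
    },
]


def evaluate_repository(repo: dict) -> dict:
    """Return resource/status/reason exactly as the control's CASE expressions do."""
    ref = repo.get("default_branch_ref") or {}
    rule = ref.get("branch_protection_rule")

    # Text form of `->> 'allows_deletions'`: 'true' / 'false', or None when the
    # rule (or the key) is absent, which is what Postgres returns for a NULL JSON path.
    flag = None
    if rule is not None and rule.get("allows_deletions") is not None:
        flag = "true" if rule["allows_deletions"] else "false"

    # Status: no rule -> info; rule denying deletions -> ok; anything else -> alarm.
    if rule is None:
        status = "info"
    elif flag == "false":
        status = "ok"
    else:
        status = "alarm"

    # Reason text follows the second CASE in the query.
    if flag == "false":
        suffix = " prevents deletions."
    elif flag == "true":
        suffix = " allows deletions."
    else:
        suffix = " branch protection rule unknown."

    return {
        "resource": repo["url"],
        "status": status,
        "reason": f"{repo['name_with_owner']} default branch {ref.get('name')}{suffix}",
        "name_with_owner": repo["name_with_owner"],
    }


def summarize(repos: list) -> dict:
    """Count repositories per status, the way a benchmark summary rolls them up."""
    counts = {"ok": 0, "alarm": 0, "info": 0}
    for repo in repos:
        counts[evaluate_repository(repo)["status"]] += 1
    return counts


if __name__ == "__main__":
    for repo in SAMPLE_REPOSITORIES:
        result = evaluate_repository(repo)
        print(f"{result['status']:5} {result['reason']}")
    print(summarize(SAMPLE_REPOSITORIES))
```

Note that a rule object without an `allows_deletions` key lands in alarm with an "unknown" reason, matching the query, which only reports ok when the flag is explicitly false; treating an unknown value as non-compliant is the conservative choice for a benchmark control.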

Tags