Control: 1.1.9 Ensure all checks have passed before merging new code
Before a code change request can be merged to the code base, all predefined checks must successfully pass.
On top of manual reviews of code changes, a code project should contain a set of prescriptive checks that validate each change. Organizations should enforce those status checks so that changes can only be introduced if all checks have successfully passed. This set of checks should serve as the absolute quality, stability, and security conditions that must be met in order to merge new code to a project.
Note: Code changes for which not all checks pass successfully cannot be pushed into the code base of that repository.
Ensure that for each code repository in use, status checks are required to pass before any code change proposal can be merged.
Configure each code repository to require all status checks to pass before permitting a merge of new code.
Run the control in your terminal:
powerpipe control run github_compliance.control.cis_supply_chain_v100_1_1_9
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run github_compliance.control.cis_supply_chain_v100_1_1_9 --share
This control uses a named query:
select
  -- Required Columns
  url as resource,
  case
    when (default_branch_ref -> 'branch_protection_rule') is null then 'info'
    when (default_branch_ref -> 'branch_protection_rule' ->> 'requires_status_checks')::bool = true then 'ok'
    else 'alarm'
  end as status,
  name_with_owner || ' default branch ' || (default_branch_ref ->> 'name') ||
  case
    -- must test "is null" here, matching the status column; "is not null" would label every protected branch as unknown
    when (default_branch_ref -> 'branch_protection_rule') is null then ' branch protection status unknown.'
    when (default_branch_ref -> 'branch_protection_rule' ->> 'requires_status_checks')::bool = true then ' requires status checks.'
    else ' does not require status checks.'
  end as reason,
  -- Additional Dimensions
  name_with_owner
from
  github_my_repository;
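As an added example (not code from the Powerpipe mod or the benchmark), the control's decision rules reimplemented in Python over constructed rows, so the info/ok/alarm logic can be checked offline, plus a separate check for rules that require status checks but list no named contexts; the key `required_status_check_contexts` is assumed to mirror GitHub's BranchProtectionRule field and should be verified against your Steampipe plugin version.

```python
# Constructed sample rows shaped like github_my_repository output.
# Assumption: keys under branch_protection_rule follow GitHub's GraphQL
# BranchProtectionRule field names.
SAMPLE_ROWS = [
    {"url": "https://github.com/example/api", "name_with_owner": "example/api",
     "default_branch_ref": {"name": "main", "branch_protection_rule": {
         "requires_status_checks": True,
         "required_status_check_contexts": ["ci/build", "ci/test"]}}},
    {"url": "https://github.com/example/web", "name_with_owner": "example/web",
     "default_branch_ref": {"name": "main", "branch_protection_rule": {
         "requires_status_checks": True,
         "required_status_check_contexts": []}}},
    {"url": "https://github.com/example/docs", "name_with_owner": "example/docs",
     "default_branch_ref": {"name": "main", "branch_protection_rule": {
         "requires_status_checks": False}}},
    {"url": "https://github.com/example/legacy", "name_with_owner": "example/legacy",
     "default_branch_ref": {"name": "master", "branch_protection_rule": None}},
]


def evaluate_repo(row):
    """Return (status, reason) using the same rules as the control's query."""
    ref = row.get("default_branch_ref") or {}
    rule = ref.get("branch_protection_rule")
    label = f"{row['name_with_owner']} default branch {ref.get('name')}"
    # No protection rule at all: the API tells us nothing, so report 'info'.
    if rule is None:
        return "info", label + " branch protection status unknown."
    # Explicit true is required; a missing or false flag is an alarm.
    if rule.get("requires_status_checks") is True:
        return "ok", label + " requires status checks."
    return "alarm", label + " does not require status checks."


def run_control(rows):
    """Map each repository URL to its (status, reason) pair."""
    return {row["url"]: evaluate_repo(row) for row in rows}


def unenforced_rules(rows):
    """Repositories that pass the control but name no status check contexts.

    Such a rule requires checks in principle while nothing concrete has to run,
    so the merge gate is effectively empty; worth reviewing alongside the control.
    """
    weak = []
    for row in rows:
        rule = (row.get("default_branch_ref") or {}).get("branch_protection_rule") or {}
        if rule.get("requires_status_checks") is True and not rule.get("required_status_check_contexts"):
            weak.append(row["name_with_owner"])
    return weak
```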