Benchmark: 1.1 Code Changes
Overview
This section consists of security recommendations for how code changes should be made. It contains recommendations for protecting the main branch of the application code. This branch is the most important one, because it holds the actual code that is delivered to the customer. It should be protected from both mistakes and malicious changes in order to keep the software secure.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-github-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select 1.1 Code Changes.
Run this benchmark in your terminal:
powerpipe benchmark run github_compliance.benchmark.cis_supply_chain_v100_1_1
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run github_compliance.benchmark.cis_supply_chain_v100_1_1 --share
Controls
- 1.1.3 Ensure any change to code receives approval of two strongly authenticated users
- 1.1.4 Ensure previous approvals are dismissed when updates are introduced to a code change proposal
- 1.1.5 Ensure there are restrictions on who can dismiss code change reviews
- 1.1.6 Ensure code owners are set for extra sensitive code or configuration
- 1.1.9 Ensure all checks have passed before merging new code
- 1.1.10 Ensure open Git branches are up to date before they can be merged into code base
- 1.1.11 Ensure all open comments are resolved before allowing code change merging
- 1.1.12 Ensure verification of signed commits for new changes before merging
- 1.1.13 Ensure linear history is required
- 1.1.14 Ensure branch protection rules are enforced for administrators
- 1.1.15 Ensure pushing or merging of new code is restricted to specific individuals or teams
- 1.1.16 Ensure force push code to branches is denied
- 1.1.17 Ensure branch deletions are denied
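The controls above map almost one-to-one onto the settings in a GitHub branch-protection rule. The following added example (it is not part of the steampipe-mod-github-compliance mod, and it does not use Steampipe tables) evaluates the branch-protection JSON returned by the GitHub REST endpoint GET /repos/{owner}/{repo}/branches/{branch}/protection against each listed control, so you can see exactly which setting each control inspects. Both payloads below are constructed, not captured from a real repository: one is a weakly protected main branch, the other the hardened form that passes every control. Note that control 1.1.3 also requires the approving users to be strongly authenticated (MFA), which is an organisation-level setting not visible in this payload; the example checks only the approval count.

```python
"""Evaluate a GitHub branch-protection payload against the CIS 1.1 controls listed above.

Added example, not code from the steampipe-mod-github-compliance mod. It assumes the
JSON shape of the GitHub REST "Get branch protection" response; the two payloads are
constructed samples.
"""
from typing import Any

# Constructed sample: a main branch with several weak settings.
WEAK_PROTECTION: dict[str, Any] = {
    "required_pull_request_reviews": {
        "required_approving_review_count": 1,
        "dismiss_stale_reviews": False,
        "require_code_owner_reviews": True,
        # no "dismissal_restrictions": anyone with write access may dismiss reviews
    },
    "required_status_checks": {"strict": False, "contexts": ["ci/build"]},
    "required_conversation_resolution": {"enabled": True},
    "required_signatures": {"enabled": False},
    "required_linear_history": {"enabled": True},
    "enforce_admins": {"enabled": False},
    # no "restrictions": pushes are not limited to specific users or teams
    "allow_force_pushes": {"enabled": False},
    "allow_deletions": {"enabled": True},
}

# Constructed sample: the hardened form of the same rule (team slugs are placeholders).
HARDENED_PROTECTION: dict[str, Any] = {
    "required_pull_request_reviews": {
        "required_approving_review_count": 2,
        "dismiss_stale_reviews": True,
        "require_code_owner_reviews": True,
        "dismissal_restrictions": {"users": [], "teams": [{"slug": "security-maintainers"}]},
    },
    "required_status_checks": {"strict": True, "contexts": ["ci/build", "ci/test"]},
    "required_conversation_resolution": {"enabled": True},
    "required_signatures": {"enabled": True},
    "required_linear_history": {"enabled": True},
    "enforce_admins": {"enabled": True},
    "restrictions": {"users": [], "teams": [{"slug": "release-managers"}], "apps": []},
    "allow_force_pushes": {"enabled": False},
    "allow_deletions": {"enabled": False},
}


def _enabled(protection: dict[str, Any], key: str) -> bool:
    """Return the 'enabled' flag of a nested block; False when the block is absent."""
    block = protection.get(key) or {}
    return bool(block.get("enabled", False))


def evaluate_controls(protection: dict[str, Any]) -> dict[str, bool]:
    """Map each CIS control id to True (pass) or False (fail) for one branch's protection."""
    reviews = protection.get("required_pull_request_reviews") or {}
    checks = protection.get("required_status_checks") or {}
    return {
        # Two approvals required (MFA enforcement is an org setting, checked elsewhere).
        "1.1.3": reviews.get("required_approving_review_count", 0) >= 2,
        "1.1.4": bool(reviews.get("dismiss_stale_reviews", False)),
        "1.1.5": "dismissal_restrictions" in reviews,
        "1.1.6": bool(reviews.get("require_code_owner_reviews", False)),
        # At least one required status check must be configured.
        "1.1.9": bool(checks.get("contexts")),
        # "strict" means the branch must be up to date with the base before merging.
        "1.1.10": bool(checks.get("strict", False)),
        "1.1.11": _enabled(protection, "required_conversation_resolution"),
        "1.1.12": _enabled(protection, "required_signatures"),
        "1.1.13": _enabled(protection, "required_linear_history"),
        "1.1.14": _enabled(protection, "enforce_admins"),
        "1.1.15": "restrictions" in protection,
        "1.1.16": not _enabled(protection, "allow_force_pushes"),
        "1.1.17": not _enabled(protection, "allow_deletions"),
    }


def failing_controls(protection: dict[str, Any]) -> list[str]:
    """Return the ids of the controls this branch fails, in benchmark order."""
    return [cid for cid, ok in evaluate_controls(protection).items() if not ok]


if __name__ == "__main__":
    for name, payload in (("weak", WEAK_PROTECTION), ("hardened", HARDENED_PROTECTION)):
        print(f"{name}: failing controls = {failing_controls(payload) or 'none'}")
```

Run against a live repository by replacing the sample dict with the parsed response of the protection endpoint; the control ids in the returned mapping correspond directly to the list above, which makes it easy to compare a manual spot check with the Powerpipe benchmark output.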