Powerpipe MCP Server →
Powerpipe Hub 
Hub
Mods
turbot/tailpipe-mod-github-audit-log-detections
Overview
3Dashboards
17Benchmarks
24Queries
1Variables
GitHub

Detection: Branch Protection Policy Overridden

Overview

Detect when a branch protection policy was overridden in a GitHub repository. Overriding branch protection policies may allow unauthorized changes, force pushes, or unverified commits, which can compromise repository integrity and introduce security risks. Monitoring these events helps enforce code security standards and detect potential misuse of administrative privileges.

References:

Usage

Run the detection in your terminal:

powerpipe detection run github_audit_log_detections.detection.branch_protection_policy_overridden

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe detection run github_audit_log_detections.detection.branch_protection_policy_overridden --share

SQL

This detection uses a named query:

select
  tp_timestamp as timestamp,
action as operation,
concat('https://github.com/', repo, '/commit/', additional_fields ->> 'after') as resource,
actor,
tp_source_ip as source_ip,
tp_index as organization,
split_part(repo, '/', 2) as repository,
tp_id as source_id,
*
exclude (actor, timestamp)


from
  github_audit_log
where
  action = 'protected_branch.policy_override'
order by
  tp_timestamp desc;

Tags

category = Detections
folder = Branch
mitre_attack_ids = TA0001:T1195
plugin = github
service = GitHub/Branch