E.1.5 Branch protection

Control Details

Objective

Provide a formal approval process for code changes to enforce adherence to software development processes and policies before code is introduced into a CI/CD system.

Definition

Branch protection settings enforce security policies, such as requiring reviews, passing checks, preventing overwriting of history, and requiring signed commits, before code is accepted into the main branch. Branch protection can prevent force pushes, overwriting of history, and obfuscation of code changes. In high-risk, high-assurance environments, attribution of code changes, commit signing, and full attestation can be combined with branch protection to prevent and detect complex attacks.
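As an added example (not part of this control catalogue), the check below audits a branch's protection settings against the policies listed in the definition. It assumes the input has the shape of the GitHub REST API response for `GET /repos/{owner}/{repo}/branches/{branch}/protection`; the two payloads are constructed samples.

```python
"""Audit branch-protection settings against the control's expectations."""
import json

# Constructed sample of a weakly protected branch (field names assumed to
# follow the GitHub branch-protection API response).
WEAK_PROTECTION = json.dumps({
    "required_pull_request_reviews": {"required_approving_review_count": 1,
                                      "dismiss_stale_reviews": False},
    "required_status_checks": {"strict": True, "contexts": ["ci/build"]},
    "enforce_admins": {"enabled": False},
    "allow_force_pushes": {"enabled": True},
    "allow_deletions": {"enabled": False},
    "required_signatures": {"enabled": False},
})

# Constructed sample of a branch that meets the control, including signing.
HARDENED_PROTECTION = json.dumps({
    "required_pull_request_reviews": {"required_approving_review_count": 2,
                                      "dismiss_stale_reviews": True},
    "required_status_checks": {"strict": True, "contexts": ["ci/build", "ci/test"]},
    "enforce_admins": {"enabled": True},
    "allow_force_pushes": {"enabled": False},
    "allow_deletions": {"enabled": False},
    "required_signatures": {"enabled": True},
})


def audit_branch_protection(payload: str, high_assurance: bool = False) -> list[str]:
    """Return findings; an empty list means the branch satisfies the control."""
    p = json.loads(payload)
    findings = []
    reviews = p.get("required_pull_request_reviews") or {}
    if reviews.get("required_approving_review_count", 0) < 1:
        findings.append("reviews: no approving review required")
    if not reviews.get("dismiss_stale_reviews", False):
        findings.append("reviews: stale approvals survive new commits")
    checks = p.get("required_status_checks") or {}
    if not checks.get("contexts"):
        findings.append("checks: no required status checks")
    elif not checks.get("strict", False):
        findings.append("checks: branch need not be up to date before merge")
    if (p.get("allow_force_pushes") or {}).get("enabled", False):
        findings.append("history: force pushes allowed, history can be overwritten")
    if (p.get("allow_deletions") or {}).get("enabled", False):
        findings.append("history: branch deletion allowed")
    if not (p.get("enforce_admins") or {}).get("enabled", False):
        findings.append("bypass: administrators may bypass protection")
    # Signed commits are only mandatory for high-assurance, high-risk environments.
    if high_assurance and not (p.get("required_signatures") or {}).get("enabled", False):
        findings.append("signing: signed commits not required")
    return findings
```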

Assessment Questions

  1. Describe your use of branch protection settings to enforce security policies, such as requiring reviews, passing checks, preventing overwriting of history, and requiring signed commits before code is accepted into the main branch.
  2. In high-assurance, high-risk environments, is commit signing with full attestation required?

Reference sources

  1. OSSF-Scorecard branch-protection
  2. OWASP-SCVS 4.17
  3. SLSA Source L2: Controls
  4. CNCF-SSC: SC-V Declare protected repository namespaces; SC-V Require verification attestations / confirmation; SC-CE Establish and adhere to contribution policies