# CICD-SEC-1 — Admins can bypass branch protection

> Branch protection is not enforced for administrators. Any admin (or compromised admin token) can push directly.

| Field    | Value                                      |
| -------- | ------------------------------------------ |
| Category | `CICD-SEC-1`                               |
| Severity | **HIGH**                                   |
| Auto-fix | ✓ (via `--fix-settings` or web Fix button) |
| Source   | Repository configuration                   |

## What the check does

Reads the branch protection rule and reports when `enforce_admins.enabled` is `false`.
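The same evaluation, as an added Python example that is not part of pipefort's own code: it inspects the JSON body that GitHub's `GET /repos/{owner}/{repo}/branches/{branch}/protection` endpoint returns, flags the rule when `enforce_admins.enabled` is not `true` (a missing block is reported too, since admins are then unbound), and names the REST call that turns the setting on. The `SAMPLE_PROTECTION` payload and the `acme/app` names are constructed for the example.

```python
"""Evaluate a GitHub branch protection payload for CICD-SEC-1 (admin bypass)."""
import json
from typing import Optional

CHECK_ID = "CICD-SEC-1"
SEVERITY = "HIGH"


def check_enforce_admins(protection: dict) -> Optional[dict]:
    """Return a finding dict when admins can bypass the rule, else None.

    `protection` is the parsed body of GET .../branches/{branch}/protection.
    A missing or malformed `enforce_admins` block is reported as well: if the
    setting is absent, admins are not bound by the rule either.
    """
    enforce = protection.get("enforce_admins")
    enabled = enforce.get("enabled") if isinstance(enforce, dict) else None
    if enabled is True:
        return None
    reason = ("enforce_admins.enabled is false" if enabled is False
              else "enforce_admins is missing from the protection rule")
    return {"id": CHECK_ID, "severity": SEVERITY, "reason": reason,
            "fix": "Enable 'Do not allow bypassing the above settings' on the rule"}


def remediation_request(owner: str, repo: str, branch: str) -> tuple:
    """Method and path of the GitHub REST call that enables enforce_admins."""
    return ("POST", f"/repos/{owner}/{repo}/branches/{branch}/protection/enforce_admins")


# Constructed sample: trimmed shape of the API response for a rule that
# requires one review but lets administrators bypass it.
SAMPLE_PROTECTION = json.loads("""
{
  "required_pull_request_reviews": {"required_approving_review_count": 1},
  "enforce_admins": {
    "url": "https://api.github.com/repos/acme/app/branches/main/protection/enforce_admins",
    "enabled": false
  }
}
""")

if __name__ == "__main__":
    finding = check_enforce_admins(SAMPLE_PROTECTION)
    if finding:
        print(json.dumps(finding, indent=2))
        print("remediate with:", *remediation_request("acme", "app", "main"))
    else:
        print("OK: administrators are bound by the branch protection rule")
```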

## Why it matters

Admin bypass turns every protection on the branch into "soft" enforcement:

* A compromised admin PAT lets the attacker push directly to main.
* Even well-intentioned admins routinely click "merge anyway" past failing checks — which then erodes the entire culture of CI as a gate.
* This is the single biggest gap between a paper policy ("we require reviews") and an enforced one.

GitHub's own guidance is that branch protection should apply to everyone.

## How to fix

Settings → Branches → edit the rule → enable **Do not allow bypassing the above settings**. (This is the modern UI label for `enforce_admins`.) Make sure no one is in the bypass list either.
