| Field | Value |
|---|---|
| Category | CICD-SEC-1 |
| Severity | HIGH |
| Auto-fix | ✓ (via --fix-settings or web Fix button) |
| Source | Repository configuration |
### What the check does
Reads the default branch's protection rule and reports a finding when `allow_force_pushes.enabled` is `true`.
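The check and its auto-fix, as an added example that is not the scanner's own code: it evaluates a branch-protection rule in the shape the GitHub REST API returns for `GET /repos/{owner}/{repo}/branches/{branch}/protection`. The two rules below are constructed samples, and treating a branch with no rule at all as a finding is this example's assumption, not something the page states.

```python
"""Evaluate the CICD-SEC-1 force-push check over a parsed branch-protection
rule (GitHub REST shape). Sample rules are constructed, not captured."""
import json

CATEGORY, SEVERITY = "CICD-SEC-1", "HIGH"

# Constructed sample: the weak rule this check reports.
WEAK_RULE = json.loads('{"allow_force_pushes": {"enabled": true},'
                       ' "allow_deletions": {"enabled": false}}')
# Constructed sample: the same rule after the auto-fix flips the flag.
FIXED_RULE = json.loads('{"allow_force_pushes": {"enabled": false},'
                        ' "allow_deletions": {"enabled": false}}')


def check_force_push(protection, branch="main"):
    """Return a finding dict when force pushes are allowed, else None.

    `protection` is the parsed rule, or None when the branch has no rule
    (the API answers 404). Flagging the no-rule case is an assumption of
    this example: Git accepts --force on an unprotected branch, but the
    page only describes the explicit-flag case.
    """
    if protection is None:
        reason = "default branch has no protection rule"
    elif protection.get("allow_force_pushes", {}).get("enabled") is True:
        reason = "allow_force_pushes.enabled is true"
    else:
        return None
    return {"category": CATEGORY, "severity": SEVERITY,
            "branch": branch, "reason": reason}


def apply_fix(protection):
    """Mirror of the auto-fix: a copy of the rule with force pushes disabled.
    Note that the write API (PUT .../protection) takes a plain boolean for
    allow_force_pushes rather than the {"enabled": ...} object read here."""
    fixed = dict(protection or {})
    fixed["allow_force_pushes"] = {"enabled": False}
    return fixed


if __name__ == "__main__":
    for name, rule in (("weak", WEAK_RULE), ("fixed", FIXED_RULE), ("none", None)):
        print(name, check_force_push(rule))
    assert check_force_push(apply_fix(WEAK_RULE)) is None
```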
### Why it matters

A force-push can:

- Rewrite history to remove evidence of a malicious commit.
- Drop reviewed commits and replace them with unreviewed ones (the original PR review remains on the commit object that's no longer reachable).
- Defeat any audit relying on commit ordering or signed-tag pointers.
git push --force.