
# CICD-SEC-1 — Default branch allows force pushes

> Branch protection exists but force-pushes are still permitted — history can be rewritten.

| Field    | Value                                      |
| -------- | ------------------------------------------ |
| Category | `CICD-SEC-1`                               |
| Severity | **HIGH**                                   |
| Auto-fix | ✓ (via `--fix-settings` or web Fix button) |
| Source   | Repository configuration                   |

## What the check does

Reads the default branch's protection rule and reports when `allow_force_pushes.enabled` is `true`.
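The check's logic, written out as an added example that is not PipeFort's own code: it evaluates a GitHub-style branch-protection document (the shape returned by `GET /repos/{owner}/{repo}/branches/{branch}/protection`), distinguishing a rule that permits force-push from a branch with no rule at all. The sample rules and the `OWNER`/`REPO` values are constructed placeholders.

```python
import json
import os
import urllib.error
import urllib.request

CHECK_ID = "CICD-SEC-1"


def evaluate_force_push(protection):
    """Evaluate CICD-SEC-1 on one decoded protection rule.

    `protection` is the JSON object for the default branch's rule, or None
    when the branch has no rule at all (the API answers 404 in that case).
    """
    if protection is None:
        # The check is about an existing rule that still permits force-push;
        # an absent rule is a different condition, so do not mis-report it.
        return {"id": CHECK_ID, "status": "SKIP",
                "reason": "no protection rule on the default branch"}
    enabled = protection.get("allow_force_pushes", {}).get("enabled", False)
    if enabled:
        return {"id": CHECK_ID, "status": "FAIL", "severity": "HIGH",
                "reason": "allow_force_pushes.enabled is true"}
    return {"id": CHECK_ID, "status": "PASS", "severity": "HIGH",
            "reason": "force pushes are blocked"}


def fetch_protection(owner, repo, branch, token):
    """Read the rule from GitHub's REST API; None means no rule (404)."""
    url = f"https://api.github.com/repos/{owner}/{repo}/branches/{branch}/protection"
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
    })
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


# Constructed sample rules, trimmed to the fields this check reads.
SAMPLE_OPEN = {"allow_force_pushes": {"enabled": True},
               "required_pull_request_reviews": {"required_approving_review_count": 1}}
SAMPLE_CLOSED = {"allow_force_pushes": {"enabled": False}}

if __name__ == "__main__":
    for rule in (SAMPLE_OPEN, SAMPLE_CLOSED, None):
        print(json.dumps(evaluate_force_push(rule)))
    if os.environ.get("GITHUB_TOKEN"):  # live run against placeholder OWNER/REPO
        live = fetch_protection("OWNER", "REPO", "main", os.environ["GITHUB_TOKEN"])
        print(json.dumps(evaluate_force_push(live)))
```

`SAMPLE_OPEN` is the case this check targets: reviews are required, yet the rule still permits history rewrites.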

## Why it matters

A force-push can:

* Rewrite history to remove evidence of a malicious commit.
* Drop reviewed commits and replace them with unreviewed ones (the PR review still points at the original commit object, which is no longer reachable from the branch).
* Defeat any audit relying on commit ordering or signed-tag pointers.

Without disabling force-push, the protections you've added on top (required reviews, required status checks) can be quietly bypassed in a single command by anyone with push access who runs `git push --force`.

## How to fix

Settings → Branches → edit the rule for the default branch → uncheck **Allow force pushes** (do not leave it enabled for *Everyone*).
