Field      Value
Category   CICD-SEC-1
Severity   HIGH
Auto-fix   No (see "Why no auto-fix" below)
Source     Repository configuration

What the check does

Calls GET /repos/{owner}/{repo}/branches/{default_branch}/protection. A 404 whose message is "Branch not protected" means the default branch has no classic branch protection rule, and that is what the HIGH finding reports. Two caveats on reading that response: a 404 with any other message (for example "Not Found") means the repository or branch itself is not visible to the token, which is a different condition from an unprotected branch; and this endpoint covers classic branch protection only, so a branch guarded solely by a repository ruleset still returns 404 here. This is read-only auditing: Pipefort never modifies your settings.

Private repos on a free plan

GitHub only offers protected branches on private repositories under a paid plan (GitHub Pro, Team, or Enterprise). For a private repo on a free plan, GitHub answers the same GET with 403 "Upgrade to GitHub Pro or make this repository public to enable this feature." rather than 404. Pipefort recognizes this case and reports it as a single INFO finding, “Branch protection unavailable on this repository’s plan”, instead of the HIGH finding above, since you can’t enable the rule without upgrading or making the repo public. The rest of the repository-configuration audit (Actions, Dependabot, secret scanning) still runs.
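The response handling described in the two sections above, written out as an added example; this is illustration code, not Pipefort's implementation. The status codes and messages are the ones GitHub returns for the protection endpoint, the finding names mirror this page, the sample replies at the bottom are constructed, and github_get() is the only part that touches the network.

```python
"""Classify GitHub's reply to the branch-protection GET described above.

Added example, not Pipefort's code. Status codes and messages are the ones
GitHub returns for GET /repos/{owner}/{repo}/branches/{branch}/protection.
The sample bodies at the bottom are constructed; github_get() is the only
part that touches the network and is not needed to exercise the logic.
"""
import json
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable

CHECK = "CICD-SEC-1"
UPGRADE_MSG = ("Upgrade to GitHub Pro or make this repository public "
               "to enable this feature.")


@dataclass(frozen=True)
class Finding:
    check: str
    severity: str   # HIGH, INFO, NONE (rule present) or ERROR (could not assess)
    message: str


def classify_protection_response(status: int, body: str) -> Finding:
    """Map the HTTP status and JSON body of the protection endpoint to a finding."""
    try:
        payload = json.loads(body) if body else {}
    except json.JSONDecodeError:
        payload = {}
    message = payload.get("message", "") if isinstance(payload, dict) else ""

    if status == 200:
        # A classic rule exists; whether it is strong enough is a separate question.
        return Finding(CHECK, "NONE", "Default branch has a classic branch protection rule")
    if status == 404 and message == "Branch not protected":
        return Finding(CHECK, "HIGH", "No branch protection rule on the default branch")
    if status == 404:
        # Any other 404 means the repo or branch is not visible to this token,
        # not that the branch is unprotected; do not raise HIGH on it.
        return Finding(CHECK, "ERROR",
                       f"Repository or branch not visible to token: {message or 'Not Found'}")
    if status == 403 and message == UPGRADE_MSG:
        return Finding(CHECK, "INFO", "Branch protection unavailable on this repository's plan")
    if status == 403:
        return Finding(CHECK, "ERROR", f"Forbidden: {message or 'token lacks permission'}")
    return Finding(CHECK, "ERROR", f"Unexpected HTTP {status}: {message}")


def github_get(url: str, token: str) -> tuple[int, str]:
    """Live GET that returns (status, body) instead of raising on 4xx/5xx."""
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
        "X-GitHub-Api-Version": "2022-11-28",
    })
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def check_default_branch_protection(owner: str, repo: str, default_branch: str, token: str,
                                    fetch: Callable[[str, str], tuple[int, str]] = github_get
                                    ) -> Finding:
    """Run the check; `fetch` is injectable so the logic can be exercised offline."""
    url = f"https://api.github.com/repos/{owner}/{repo}/branches/{default_branch}/protection"
    status, body = fetch(url, token)
    return classify_protection_response(status, body)


# Constructed sample replies, keyed by the scenario each stands for.
SAMPLE_REPLIES = {
    "unprotected": (404, '{"message": "Branch not protected"}'),
    "free_plan_private": (403, json.dumps({"message": UPGRADE_MSG})),
    "protected": (200, '{"enforce_admins": {"enabled": true}}'),
    "not_visible": (404, '{"message": "Not Found"}'),
}

if __name__ == "__main__":
    for name, (status, body) in SAMPLE_REPLIES.items():
        finding = check_default_branch_protection(
            "octo", "repo", "main", "ghp_example",
            fetch=lambda _u, _t, s=status, b=body: (s, b))
        print(f"{name:18} -> {finding.severity:5} {finding.message}")
```

The point of keying the HIGH finding on the exact "Branch not protected" message rather than on the bare 404 is that a token which cannot see the repository at all also gets 404, and reporting that as a missing rule would be a false positive.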

Why it matters

Branch protection is the foundation of every other CI/CD control. Without it:
  • Direct pushes bypass code review entirely.
  • A compromised developer account (or a stolen token) can push malicious commits straight to main.
  • Force-push and deletion are both possible, erasing audit trails.
  • Required status checks (the gate your security scans live behind) have nothing to attach to.
This maps to the OWASP Top 10 CI/CD Security Risks entry CICD-SEC-1, Insufficient Flow Control Mechanisms.

How to fix

In your repository on GitHub, go to Settings → Branches → Branch protection rules → Add rule. Target the default branch and at minimum enable:
  • Require a pull request before merging (with ≥ 1 required approval, ideally 2)
  • Require status checks to pass before merging (select your CI workflows)
  • Do not allow bypassing the above settings (so the rule applies to admins too)
  • Leave "Allow force pushes" and "Allow deletions" unchecked (both are off by default on a new rule), since these are the two actions that erase history
Once saved, re-run the audit: the same GET now returns 200 and the HIGH finding clears.
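The same minimum rule applied and verified through the REST API, as an added example that is not Pipefort's code (Pipefort's App is read-only and never does this). The PUT to the protection endpoint needs a token with repository administration permission; apply_branch_protection() is the only networked part, and WEAK_RULE is a constructed GET body shaped like the one GitHub returns, used to show that a 200 alone does not prove the rule is the one asked for above.

```python
"""Apply the minimum rule from "How to fix" through the REST API and verify it.

Added example, not Pipefort's code. PUT /repos/{owner}/{repo}/branches/{branch}/protection
requires a token with repository administration permission; apply_branch_protection()
is the only networked part. WEAK_RULE is a constructed GET body in GitHub's shape.
"""
import json
import urllib.error
import urllib.request


def build_protection_payload(status_contexts: list[str], approvals: int = 1) -> dict:
    """PUT body matching the UI settings above, with force-push and deletion kept off."""
    return {
        "required_status_checks": {
            "strict": True,  # branch must be up to date with main before merging
            "checks": [{"context": c} for c in status_contexts],
        },
        "enforce_admins": True,  # "Do not allow bypassing the above settings"
        "required_pull_request_reviews": {
            "required_approving_review_count": approvals,
            "dismiss_stale_reviews": True,
        },
        "restrictions": None,  # key is mandatory on this endpoint; null = no push allow-list
        "allow_force_pushes": False,
        "allow_deletions": False,
    }


def apply_branch_protection(owner: str, repo: str, branch: str, token: str, payload: dict) -> dict:
    """Create or replace the rule; returns the protection object GitHub sends back."""
    url = f"https://api.github.com/repos/{owner}/{repo}/branches/{branch}/protection"
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(), method="PUT",
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/vnd.github+json",
                 "Content-Type": "application/json",
                 "X-GitHub-Api-Version": "2022-11-28"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


def unmet_requirements(protection: dict, min_approvals: int = 1) -> list[str]:
    """List which minimum settings a GET .../protection 200 body fails to satisfy.

    Sub-features that are not enabled are simply absent from the body, hence
    the defensive .get() chains.
    """
    gaps = []
    reviews = protection.get("required_pull_request_reviews") or {}
    if reviews.get("required_approving_review_count", 0) < min_approvals:
        gaps.append(f"pull request with >= {min_approvals} approval(s) not required")
    checks = protection.get("required_status_checks") or {}
    if not (checks.get("checks") or checks.get("contexts")):
        gaps.append("no required status checks")
    if not (protection.get("enforce_admins") or {}).get("enabled"):
        gaps.append("admins can bypass the rule")
    if (protection.get("allow_force_pushes") or {}).get("enabled"):
        gaps.append("force pushes allowed")
    if (protection.get("allow_deletions") or {}).get("enabled"):
        gaps.append("branch deletion allowed")
    return gaps


# Constructed: a rule that exists (so the HIGH finding would not fire) but is weak.
WEAK_RULE = {
    "required_pull_request_reviews": {"required_approving_review_count": 1,
                                      "dismiss_stale_reviews": False},
    "enforce_admins": {"enabled": False},
    "allow_force_pushes": {"enabled": False},
    "allow_deletions": {"enabled": True},
}

if __name__ == "__main__":
    print(json.dumps(build_protection_payload(["ci / test"], approvals=2), indent=2))
    print("gaps in WEAK_RULE:", unmet_requirements(WEAK_RULE))
    # apply_branch_protection("octo", "repo", "main", token, payload) would push the rule live,
    # and unmet_requirements() on the returned object should then come back empty.
```

unmet_requirements() is the natural follow-up to the 404 check: once a rule exists, the GET returns 200 and the HIGH finding clears, but a rule with admin bypass left on, or with no status checks attached, still leaves the gaps listed under "Why it matters".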

Why no auto-fix

Branch protection lives on github.com, not in your repo’s files. Setting it means a PUT to the same protection endpoint the check reads, and that call requires repository administration (write) permission; the current design keeps the GitHub App permissions read-only, so Pipefort reports the gap and leaves the change to you.