| Field | Value |
|---|---|
| Category | CICD-SEC-1 |
| Severity | HIGH |
| Auto-fix | ✓ (via --fix-settings or web Fix button) |
| Source | Repository configuration |
What the check does
Calls `GET /repos/{owner}/{repo}/branches/{default_branch}/protection`. If GitHub returns 404, the default branch has no branch protection rule. This is read-only auditing — Pipefort never modifies your settings.
Private repos on a free plan
GitHub only offers protected branches on private repositories under a paid plan (GitHub Pro, Team, or Enterprise). For a private repo on a free plan it returns 403 with the message "Upgrade to GitHub Pro or make this repository public to enable this feature." rather than 404. Pipefort recognizes this case and reports it as a single INFO finding — “Branch protection unavailable on this repository’s plan” — instead of the HIGH finding above, since you can’t enable the rule without upgrading or making the repo public. The rest of the repository-configuration audit (Actions, Dependabot, secret scanning) still runs.
Why it matters
Branch protection is the foundation of every other CI/CD control. Without it:

- Direct pushes bypass code review entirely.
- A compromised developer (or stolen token) can push malicious commits straight to `main`.
- Force-push and deletion are both possible, erasing audit trails.
- Required status checks (the gate your security scans live behind) have nothing to attach to.
How to fix
In your repository on GitHub, go to Settings → Branches → Branch protection rules → Add rule. Target the default branch and at minimum enable:

- Require a pull request before merging (with ≥ 1 required approval, ideally 2)
- Require status checks to pass before merging (select your CI workflows)
- Do not allow bypassing the above settings (so the rule applies to admins too)
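As an added example (not Pipefort's own code), the following Python reproduces the decision the check above describes (404 → HIGH, plan-limited 403 → INFO) and, when a rule exists, compares it against the three minimums listed under "How to fix". The `fetch_protection` wrapper, the `missing_minimums` helper and the MEDIUM severity for a rule that exists but is weaker than recommended are assumptions of this example, not documented Pipefort behaviour.

```python
# Added example (not Pipefort's own code): classify the GitHub branch-protection
# response and grade an existing rule against the "How to fix" minimums.
import json
import urllib.error
import urllib.request

PROTECTION_URL = "https://api.github.com/repos/{owner}/{repo}/branches/{branch}/protection"


def missing_minimums(protection: dict) -> list:
    """Return which of the recommended minimum settings a 200 response lacks."""
    gaps = []
    reviews = protection.get("required_pull_request_reviews") or {}
    if reviews.get("required_approving_review_count", 0) < 1:
        gaps.append("require a pull request with >= 1 approval")
    checks = protection.get("required_status_checks") or {}
    if not (checks.get("contexts") or checks.get("checks")):
        gaps.append("require status checks to pass")
    if not (protection.get("enforce_admins") or {}).get("enabled"):
        gaps.append("do not allow bypassing the settings (enforce for admins)")
    return gaps


def classify_protection(status: int, body: dict) -> dict:
    """Map an HTTP status plus JSON body to a finding with a severity and message."""
    if status == 404:
        return {"severity": "HIGH", "message": "Default branch has no branch protection rule"}
    if status == 403 and "Upgrade to GitHub Pro" in body.get("message", ""):
        return {"severity": "INFO", "message": "Branch protection unavailable on this repository's plan"}
    if status == 200:
        gaps = missing_minimums(body)
        if gaps:  # MEDIUM is an assumed severity for a present-but-weak rule
            return {"severity": "MEDIUM", "message": "Rule weaker than recommended: " + "; ".join(gaps)}
        return {"severity": "OK", "message": "Branch protection meets the recommended minimum"}
    return {"severity": "ERROR", "message": f"Unexpected HTTP {status}: {body.get('message', '')}"}


def fetch_protection(owner: str, repo: str, branch: str, token: str) -> dict:
    """Read-only GET; 403/404 are caught so they can be classified rather than raised."""
    req = urllib.request.Request(
        PROTECTION_URL.format(owner=owner, repo=repo, branch=branch),
        headers={"Authorization": f"Bearer {token}", "Accept": "application/vnd.github+json"},
    )
    try:
        with urllib.request.urlopen(req) as resp:
            return classify_protection(resp.status, json.load(resp))
    except urllib.error.HTTPError as err:
        return classify_protection(err.code, json.loads(err.read() or b"{}"))
```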