# CICD-SEC-1 — Default branch has no branch protection rule

> The default branch is unprotected. Anyone with write access can push directly, force-push history, or delete it.

| Field    | Value                                      |
| -------- | ------------------------------------------ |
| Category | `CICD-SEC-1`                               |
| Severity | **HIGH**                                   |
| Auto-fix | ✓ (via `--fix-settings` or web Fix button) |
| Source   | Repository configuration                   |

## What the check does

Calls `GET /repos/{owner}/{repo}/branches/{default_branch}/protection`. If GitHub returns 404, the default branch has no branch protection rule. This is read-only auditing — Pipefort never modifies your settings.

### Private repos on a free plan

GitHub only offers protected branches on private repositories under a paid plan (GitHub Pro, Team, or Enterprise). For a private repo on a free plan the API returns `403 "Upgrade to GitHub Pro or make this repository public to enable this feature."` rather than 404. Pipefort recognizes this case and reports it as a single **INFO** finding — *"Branch protection unavailable on this repository's plan"* — instead of the HIGH finding above, since the rule cannot be enabled without upgrading or making the repo public. The rest of the repository-configuration audit (Actions, Dependabot, secret scanning) still runs.

## Why it matters

Branch protection is the foundation of every other CI/CD control. Without it:

* Direct pushes bypass code review entirely.
* A compromised developer (or stolen token) can push malicious commits straight to `main`.
* Force-push and deletion are both possible, erasing audit trails.
* Required status checks (the gate your security scans live behind) have nothing to attach to.

This maps to OWASP [CICD-SEC-1 Insufficient Flow Control Mechanisms](https://owasp.org/www-project-top-10-ci-cd-security-risks/CICD-SEC-01-Insufficient-Flow-Control-Mechanisms).

## How to fix

In your repository on GitHub, go to **Settings → Branches → Branch protection rules → Add rule**. Target the default branch and at minimum enable:

* *Require a pull request before merging* (with ≥ 1 required approval, ideally 2)
* *Require status checks to pass before merging* (select your CI workflows)
* *Do not allow bypassing the above settings* (so the rule applies to admins too)
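An added example (not Pipefort's own code) that covers both the check under "What the check does" and the settings listed above: `classify` maps the `GET .../protection` response onto the HIGH / INFO / no-finding outcomes the page describes, and `remediation_payload` builds the body for the matching `PUT` endpoint with the three settings from this list. The `fetch` callable and the fake 404 response are assumptions constructed for the example.

```python
# Added example, not Pipefort's own code. Assumption: `fetch` is a caller-supplied
# callable that performs the authenticated GET against the GitHub REST API and
# returns (status_code, json_body); the fake below is a constructed stand-in.
from dataclasses import dataclass
from typing import Callable, Iterable, Tuple

PROTECTION_PATH = "/repos/{owner}/{repo}/branches/{branch}/protection"
# Exact message GitHub sends for a private repo on a plan without branch protection.
PLAN_MESSAGE = "Upgrade to GitHub Pro or make this repository public to enable this feature."

@dataclass
class Finding:
    severity: str  # "HIGH", "INFO" or "NONE"
    message: str

def classify(status: int, body: dict) -> Finding:
    """Map a GET .../protection response onto the CICD-SEC-1 outcome."""
    if status == 200:
        return Finding("NONE", "Default branch has a branch protection rule")
    if status == 404:
        # 404 ("Branch not protected") means no rule. A token that cannot see the
        # repo also gets 404, so confirm the repo is reachable before trusting this.
        return Finding("HIGH", "Default branch has no branch protection rule")
    if status == 403 and body.get("message") == PLAN_MESSAGE:
        return Finding("INFO", "Branch protection unavailable on this repository's plan")
    raise RuntimeError(f"unexpected response {status}: {body.get('message')}")

def audit_default_branch(owner: str, repo: str, branch: str,
                         fetch: Callable[[str], Tuple[int, dict]]) -> Finding:
    """Run the read-only check for one repository."""
    status, body = fetch(PROTECTION_PATH.format(owner=owner, repo=repo, branch=branch))
    return classify(status, body)

def fake_fetch_unprotected(path: str) -> Tuple[int, dict]:
    """Constructed sample response: what GitHub returns when no rule exists."""
    return 404, {"message": "Branch not protected"}

def remediation_payload(status_checks: Iterable[str], approvals: int = 2) -> dict:
    """Body for PUT .../protection with the three settings from 'How to fix'.
    All four top-level keys are required by the endpoint; restrictions stays null."""
    return {
        "required_pull_request_reviews": {"required_approving_review_count": approvals},
        "required_status_checks": {"strict": True, "contexts": list(status_checks)},
        "enforce_admins": True,  # "Do not allow bypassing the above settings"
        "restrictions": None,
    }
```

Sending the payload still requires a token with administration write access, which is exactly the permission the read-only audit does not hold.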

## Why no auto-fix

Branch protection lives on github.com, not in your repo's files. Pipefort would need write access to repository administration to change it; the current design keeps the GitHub App's permissions read-only.
