> ## Documentation Index
> Fetch the complete documentation index at: https://docs.pipefort.com/llms.txt
> Use this file to discover all available pages before exploring further.

# CICD-SEC-1 — CODEOWNERS exists but their review is not required

> A CODEOWNERS file is defined but branch protection treats it as advisory only.

| Field    | Value                                      |
| -------- | ------------------------------------------ |
| Category | `CICD-SEC-1`                               |
| Severity | LOW                                        |
| Auto-fix | ✓ (via `--fix-settings` or web Fix button) |
| Source   | Repository configuration                   |

## What the check does

1. Detects a `CODEOWNERS` file (in `CODEOWNERS`, `.github/CODEOWNERS`, or `docs/CODEOWNERS` — GitHub's canonical locations).
2. Reads the branch protection rule on the default branch.
3. Reports when `required_pull_request_reviews.require_code_owner_reviews` is `false`.

Only fires when CODEOWNERS exists — if you haven't defined ownership, the rule is moot and stays silent.

## Why it matters

A CODEOWNERS file is a declaration of who has authority on which paths. Without enforcement:

* Changes to sensitive paths (`/.github/workflows/`, `/infra/`, `/security/`) can merge without the people responsible for them ever seeing the PR.
* The file becomes pure documentation — easy to drift out of sync with reality, hard to rely on for incident response.
* Compliance reviewers cannot point at "code owners must approve" as a control if the rule doesn't actually require their approval.

## How to fix

Settings → Branches → edit the rule → under **Require a pull request before merging**, enable **Require review from Code Owners**.

Then sanity-check the CODEOWNERS file itself: make sure the listed teams exist, paths are accurate, and at least one owner is reachable for any merge to happen.
