| Field | Value |
|---|---|
| Category | CICD-SEC-1 |
| Severity | LOW |
| Auto-fix | ✓ (via --fix-settings or web Fix button) |
| Source | Repository configuration |
What the check does

Reads `required_signatures.enabled` on the default branch's protection rule.

Why it matters

Without signed commits, there's no cryptographic proof of who authored a commit. The git author/committer fields can be set to any string — including the name and email of someone who never made that commit. This intersects CICD-SEC-9 (Improper Artifact Integrity Validation). For supply-chain-sensitive repos (anything you publish, build images from, or deploy infrastructure with), signed commits give you a verifiable chain of custody from author to artifact.

How to fix

- Make sure your contributors have signing set up locally (`git config commit.gpgsign true` plus a configured GPG or SSH signing key).
- Settings → Branches → edit the rule → enable Require signed commits.
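The check and its auto-fix plan, as an added example (not the scanner's own code): it evaluates `required_signatures.enabled` from a GitHub branch-protection response and works out which API calls a fix would need. The REST paths, the `Finding` type and the sample responses are assumptions for illustration; note that a branch with no protection rule at all (API 404) also fails the check.

```python
"""CICD-SEC-1: is "Require signed commits" enabled on the default branch?
Added example evaluating GitHub branch-protection JSON; not the scanner's
own code. API paths follow GitHub's REST API as assumed here."""
from dataclasses import dataclass
from typing import Optional

@dataclass
class Finding:
    category: str
    severity: str
    message: str
    fix_requests: list  # (HTTP method, API path) calls an auto-fix would issue

def signed_commits_required(protection: Optional[dict]) -> bool:
    """Read required_signatures.enabled from a branch-protection response.
    None means the API answered 404: no protection rule exists at all.
    A missing or malformed block is treated as disabled, not as an error."""
    if protection is None:
        return False
    block = protection.get("required_signatures") or {}
    return block.get("enabled") is True

def check_signed_commits(owner: str, repo: str, branch: str,
                         protection: Optional[dict]) -> Optional[Finding]:
    """Return a Finding when the default branch does not require signatures."""
    if signed_commits_required(protection):
        return None
    base = f"/repos/{owner}/{repo}/branches/{branch}/protection"
    fixes = []
    if protection is None:
        # Signature protection attaches to an existing rule, so the fix must
        # first create a (minimal) protection rule; the real PUT needs a body.
        fixes.append(("PUT", base))
    fixes.append(("POST", f"{base}/required_signatures"))
    return Finding(
        category="CICD-SEC-1",
        severity="LOW",
        message=f"{owner}/{repo}: signed commits are not required on '{branch}'",
        fix_requests=fixes,
    )

# Constructed sample responses, trimmed to the field the check reads.
SIGNED = {"required_signatures": {"enabled": True}}
UNSIGNED = {"required_signatures": {"enabled": False}}

if __name__ == "__main__":
    for name, prot in [("signed", SIGNED), ("unsigned", UNSIGNED), ("no-rule", None)]:
        print(name, check_signed_commits("acme", "infra", "main", prot))
```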