> ## Documentation Index
> Fetch the complete documentation index at: https://docs.pipefort.com/llms.txt
> Use this file to discover all available pages before exploring further.

# CICD-SEC-1 — Default branch does not require signed commits

> Commits on the default branch are not required to be GPG/SSH-signed.

| Field    | Value                                      |
| -------- | ------------------------------------------ |
| Category | `CICD-SEC-1`                               |
| Severity | LOW                                        |
| Auto-fix | ✓ (via `--fix-settings` or web Fix button) |
| Source   | Repository configuration                   |

## What the check does

Reads `required_signatures.enabled` on the default branch's protection rule.

## Why it matters

Without signed commits, there's no cryptographic proof of who authored a commit. The git author/committer fields can be set to any string — including the name and email of someone who never made that commit.

This intersects [CICD-SEC-9 (Improper Artifact Integrity Validation)](https://owasp.org/www-project-top-10-ci-cd-security-risks/CICD-SEC-09-Improper-Artifact-Integrity-Validation). For supply-chain–sensitive repos (anything you publish, build images from, or deploy infrastructure with), signed commits give you a verifiable chain of custody from author to artifact.

## How to fix

1. Make sure your contributors have signing set up locally (`git config commit.gpgsign true` plus a configured GPG or SSH signing key).
2. Settings → Branches → edit the rule → enable **Require signed commits**.

Note that this rule blocks merges of unsigned commits — coordinate with your team before enabling, especially on long-lived branches with in-flight work.
