require-signed-commits
Explanation
You can do this by setting the require_signed_commits
attribute to true.
Possible Impact
You cannot guarantee the source of unsigned commits.
Suggested Resolution
Require signed commits for all protected branches.
Insecure Example
The following example will fail the github-repositories-require-signed-commits check.
resource "github_branch_protection" "bad_example" {
  repository_id          = github_repository.example.node_id
  pattern                = "main"
  enforce_admins         = true
  allows_deletions       = true
  require_signed_commits = false # unsigned commits are accepted on main
}
Secure Example
The following example will pass the github-repositories-require-signed-commits check.
resource "github_branch_protection" "good_example" {
  repository_id          = github_repository.example.node_id
  pattern                = "main"
  enforce_admins         = true
  allows_deletions       = true
  require_signed_commits = true # only signed commits may be pushed to main
}