Skip to content

GitHub branch protection does not require signed commits.

Default Severity: high

Explanation

GitHub branch protection should be set to require signed commits.

You can do this by setting the require_signed_commits attribute to 'true'.

Possible Impact

Commits may not be verified and signed as coming from a trusted developer

Suggested Resolution

Require signed commits

Insecure Example

The following example will fail the github-branch_protections-require_signed_commits check.

 resource "github_branch_protection" "good_example" {
   repository_id = "example"
   pattern       = "main"

   require_signed_commits = false
 }

Secure Example

The following example will pass the github-branch_protections-require_signed_commits check.

 resource "github_branch_protection" "good_example" {
   repository_id = "example"
   pattern       = "main"

   require_signed_commits = true
 }