GitHub branch protection does not require signed commits.
Default Severity: high
Explanation
GitHub branch protection should be set to require signed commits, so that only commits carrying a verified signature can be pushed to the protected branch.
You can do this by setting the require_signed_commits attribute of the github_branch_protection resource to true.
Possible Impact
Commits on the protected branch may be accepted without a verified signature, so there is no cryptographic evidence that they come from a trusted developer.
Suggested Resolution
Require signed commits on every protected branch by setting require_signed_commits to true.
Insecure Example
The following example will fail the github-branch_protections-require_signed_commits check.
# Signed commits are explicitly disabled (omitting the attribute has the same effect).
resource "github_branch_protection" "bad_example" {
  repository_id          = "example"
  pattern                = "main"
  require_signed_commits = false
}
Secure Example
The following example will pass the github-branch_protections-require_signed_commits check.
# Only commits with a verified signature may be pushed to the protected branch.
resource "github_branch_protection" "good_example" {
  repository_id          = "example"
  pattern                = "main"
  require_signed_commits = true
}
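The following checker applies this rule to Terraform source in the same way the check above does. It is an added example, not code from tfsec or the GitHub provider; it assumes that an omitted require_signed_commits behaves as false (the provider default) and uses a regex that is sufficient for flat github_branch_protection blocks like the ones on this page.

```python
import re

# Constructed sample Terraform (not from the page): one compliant block,
# one explicitly disabled, one that omits the attribute, and an unrelated resource.
SAMPLE_TF = '''
resource "github_branch_protection" "main" {
  repository_id          = "example"
  pattern                = "main"
  require_signed_commits = true
}

resource "github_branch_protection" "release" {
  repository_id          = "example"
  pattern                = "release/*"
  require_signed_commits = false
}

resource "github_branch_protection" "develop" {
  repository_id = "example"
  pattern       = "develop"
}

resource "github_repository" "repo" {
  name = "example"
}
'''

# Matches a flat github_branch_protection resource block and captures its body.
BLOCK_RE = re.compile(
    r'resource\s+"github_branch_protection"\s+"(?P<name>[^"]+)"\s*\{(?P<body>.*?)\n\}',
    re.DOTALL,
)
ATTR_RE = re.compile(r'^\s*require_signed_commits\s*=\s*(true|false)\s*$', re.MULTILINE)


def check_signed_commits(tf_source: str) -> list[dict]:
    """Return one finding per github_branch_protection block that does not set
    require_signed_commits = true. An absent attribute is treated as false,
    which is assumed to be the provider default."""
    findings = []
    for block in BLOCK_RE.finditer(tf_source):
        match = ATTR_RE.search(block.group("body"))
        value = match.group(1) if match else None  # None when omitted
        if value == "true":
            continue
        findings.append({
            "resource": f'github_branch_protection.{block.group("name")}',
            "value": value,
            "severity": "high",
            "message": "branch protection does not require signed commits",
        })
    return findings


if __name__ == "__main__":
    for f in check_signed_commits(SAMPLE_TF):
        print(f'{f["severity"].upper()}: {f["resource"]} (value={f["value"]!r}): {f["message"]}')
```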