Default Branch Should Require All Commits To Be Signed
policy name: no_signed_commits
severity: LOW
Description
Require all commits to be signed and verified
Threat Example(s)
A commit containing malicious code may be crafted by a malicious actor that has acquired write access to the repository to initiate a supply chain attack. Commit signing provides another layer of defense that can prevent this type of compromise.
Remediation
- Make sure you have admin permissions
- Go to the repo’s settings page
- Enter “Branches” tab
- Under “Branch protection rules”
- Click “Edit” on the default branch rule
- Check “Require signed commits”
- Click “Save changes”