Default Branch Should Require Branches To Be Up To Date Before Merge
policy name: requires_branches_up_to_date_before_merge
severity: MEDIUM
Description
Status checks are required, but branches that are not up to date can be merged. This can result in previously remediated issues being merged in over fixes.
Threat Example(s)
Required status checks may be failing on the latest version after passing on an earlier version of the code, making it easy to commit buggy or otherwise insecure code.
Remediation
- Note: The remediation steps applys to legacy branch protections, rules set based protection should be updated from the rules set page
- Make sure you have admin permissions
- Go to the repo’s settings page
- Enter “Branches” tab
- Under “Branch protection rules”
- Click “Edit” on the default branch rule
- Check “Require status checks to pass before merging”
- Check “Require branches to be up to date before merging”
- Click “Save changes”