Source: Chain Bench
ID: 1.1
Version: cis-1.0

1.1 Code Changes

1.1.3 Ensure any change to code receives approval of two strongly authenticated users

An organization can protect specific code branches — for example, the “main” branch, which is often the version deployed to production — by setting protection rules. These rules secure your code repository from unwanted or unauthorized changes. You may set requirements for any code change to that branch, and thus specify a minimum number of reviewers required to approve a change.

1.1.4 Ensure previous approvals are dismissed when updates are introduced to a code change proposal

For each code repository in use, enforce an organization-wide policy that dismisses previously given approvals of a code change proposal whenever the proposal is updated.

1.1.5 Ensure that there are restrictions on who can dismiss code change reviews

For each code repository in use, carefully select the individual collaborators or groups you trust with the ability to dismiss code change reviews.

1.1.6 Ensure code owners are set for extra sensitive code or configuration

For every code repository in use, identify particularly sensitive parts of the code and configuration and assign trusted users as their code owners.

1.1.8 Ensure inactive branches are reviewed and removed periodically

For each code repository in use, review the existing Git branches and remove those that have not been active for a prescribed period of time.

1.1.9 Ensure all checks have passed before the merge of new code

Configure each code repository to require all status checks to pass before permitting a merge of new code.

1.1.10 Ensure open Git branches are up to date before they can be merged into the codebase

For each code repository in use, enforce a policy that allows merging an open branch only if it is current with the latest changes from its origin repository.

1.1.11 Ensure all open comments are resolved before allowing code changes to be merged

For each code repository in use, require open comments to be resolved before the relevant code change can be merged.

1.1.12 Ensure signed commits of new changes are verified before merging

For each repository in use, enforce the branch protection rule that requires signed commits, and ensure that only signed commits can be merged.

1.1.13 Ensure linear history is required

For each repository in use, require a linear history and/or allow only rebase merges and squash merges.

1.1.14 Ensure branch protection rules are enforced on administrators

For each repository in use, enforce branch protection rules on administrators as well.

1.1.15 Ensure pushing of new code is restricted to specific individuals or teams

For each repository in use, allow only trusted and responsible users to push or merge new code.

1.1.16 Ensure force-pushing code to branches is denied

For each repository in use, block the option to “Force Push” code.

1.1.17 Ensure branch deletions are denied

For each repository in use, block the option to delete protected branches via branch protection rules.
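Most of the controls in this section map directly onto a protected branch's settings, so they can be checked mechanically. The following is an added example (not Chain Bench's own code): it evaluates a branch-protection configuration against the controls above and lists the ones that fail. The field names follow the shape of GitHub's branch-protection REST response and are an assumption of this example; the sample configuration is constructed, and 1.1.8 is not covered because it needs branch activity data rather than protection settings.

```python
"""Evaluate a protected branch's settings against the CIS 1.1.x controls above.
Field names assume GitHub's branch-protection REST shape (other providers differ)."""
from typing import Any

def _flag(p: dict[str, Any], section: str, key: str = "enabled"):
    value = p.get(section) or {}  # nested boolean, or None when absent
    return value.get(key) if isinstance(value, dict) else None

def evaluate_branch_protection(p: dict[str, Any]) -> dict[str, bool]:
    """Map each control id to True (pass) or False (fail). Absent settings fail."""
    reviews = p.get("required_pull_request_reviews") or {}
    dismissers = reviews.get("dismissal_restrictions") or {}
    pushers = p.get("restrictions") or {}
    checks = p.get("required_status_checks") or {}
    return {
        "1.1.3": (reviews.get("required_approving_review_count") or 0) >= 2,
        "1.1.4": reviews.get("dismiss_stale_reviews") is True,
        "1.1.5": bool(dismissers.get("users") or dismissers.get("teams")),
        "1.1.6": reviews.get("require_code_owner_reviews") is True,  # CODEOWNERS enforced
        "1.1.9": bool(checks.get("contexts")),
        "1.1.10": checks.get("strict") is True,  # branch must be current with its base
        "1.1.11": _flag(p, "required_conversation_resolution") is True,
        "1.1.12": _flag(p, "required_signatures") is True,
        "1.1.13": _flag(p, "required_linear_history") is True,
        "1.1.14": _flag(p, "enforce_admins") is True,
        "1.1.15": bool(pushers.get("users") or pushers.get("teams")),
        "1.1.16": _flag(p, "allow_force_pushes") is False,
        "1.1.17": _flag(p, "allow_deletions") is False,
    }

def failing_controls(p: dict[str, Any]) -> list[str]:
    """Ids of controls the settings do not satisfy, in numeric order."""
    failed = [cid for cid, ok in evaluate_branch_protection(p).items() if not ok]
    return sorted(failed, key=lambda cid: [int(n) for n in cid.split(".")])

# Constructed sample: a "main" branch that is only partially protected.
SAMPLE_PROTECTION: dict[str, Any] = {
    "required_status_checks": {"strict": False, "contexts": ["ci/build"]},
    "enforce_admins": {"enabled": False}, "required_signatures": {"enabled": True},
    "required_linear_history": {"enabled": True}, "allow_force_pushes": {"enabled": False},
    "required_conversation_resolution": {"enabled": True},
    "required_pull_request_reviews": {
        "dismiss_stale_reviews": True, "require_code_owner_reviews": True,
        "required_approving_review_count": 1,
        "dismissal_restrictions": {"users": [], "teams": []}},
}   # "allow_deletions" and "restrictions" deliberately absent -> both fail

if __name__ == "__main__":
    print("Failing controls:", failing_controls(SAMPLE_PROTECTION))
```

For the sample above the failing controls are 1.1.3, 1.1.5, 1.1.10, 1.1.14, 1.1.15 and 1.1.17; an empty configuration fails every covered control, which is the conservative reading of a missing setting.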