Issue
OpenSSF Scorecard identified that branch protection is not maximal on development and release branches, scoring 5/10.
Risk Level
High - Inadequate branch protection can allow unauthorized or unreviewed code to reach production.
Current State
- Some branch protection rules are in place (5/10 score)
- Protection settings not maximal across all protected branches
- Gaps in enforcement could allow policy bypass
Recommendation
Strengthen branch protection on main and release branches:
Required Settings:
- ✅ Require pull request reviews before merging
- ✅ Require approvals (at least 1-2 reviewers)
- ✅ Dismiss stale pull request approvals when new commits are pushed
- ✅ Require review from Code Owners (if CODEOWNERS file exists)
- ✅ Require status checks to pass before merging
- ✅ Require branches to be up to date before merging
- ✅ Require conversation resolution before merging
Optional (Recommended):
- Consider requiring signed commits
- Restrict who can push to matching branches
- Require linear history
Steps to Implement
- Navigate to repository Settings → Branches → Branch protection rules
- Edit protection rules for the main branch
- Enable recommended settings listed above
- Apply same rules to any release branches
- Test with a test PR to ensure rules work as expected
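The Required Settings list and the implementation steps above map directly onto GitHub's branch protection REST API, so the same checklist can be audited and applied from a script instead of clicked through in the web UI. The block below is an added example, not part of this Scorecard issue or of the project's own tooling. It assumes the field names of GitHub's `GET`/`PUT /repos/{owner}/{repo}/branches/{branch}/protection` endpoints (booleans come back wrapped as `{"enabled": ...}` on GET, bare on PUT), and the two protection responses it audits are constructed samples, not captured from a real repository. The `enforce_admins` value and the `ci/test` status-check context are assumptions chosen for the example.

```python
"""Audit branch-protection settings against the Required Settings list and
build the payload that would enforce them on main and release branches.

Added example (not the project's code). Assumes GitHub REST API field names
for GET/PUT /repos/{owner}/{repo}/branches/{branch}/protection.
"""
import json

MIN_APPROVALS = 1  # "at least 1-2 reviewers" in the checklist above


def audit_protection(protection: dict) -> list[str]:
    """Return findings for settings that fall short of the Required Settings
    list. An empty list means every required setting is enabled. `protection`
    has the shape of the GET .../protection response."""
    findings = []
    reviews = protection.get("required_pull_request_reviews")
    if not reviews:
        findings.append("pull request reviews not required before merging")
    else:
        if reviews.get("required_approving_review_count", 0) < MIN_APPROVALS:
            findings.append(f"fewer than {MIN_APPROVALS} approving review(s) required")
        if not reviews.get("dismiss_stale_reviews"):
            findings.append("stale approvals not dismissed when new commits are pushed")
        if not reviews.get("require_code_owner_reviews"):
            findings.append("review from Code Owners not required")
    checks = protection.get("required_status_checks")
    if not checks:
        findings.append("status checks not required before merging")
    elif not checks.get("strict"):
        findings.append("branch not required to be up to date before merging")
    if not protection.get("required_conversation_resolution", {}).get("enabled"):
        findings.append("conversation resolution not required before merging")
    return findings


def build_protection_payload(status_check_contexts, approvals=MIN_APPROVALS,
                             require_code_owners=True) -> dict:
    """Body for PUT .../branches/{branch}/protection enforcing the required
    settings plus the recommended optional ones (linear history, push
    restrictions). Signed commits are configured through the separate
    .../protection/required_signatures endpoint, so they are not in this body.
    `enforce_admins` is set here as an assumption so admins cannot bypass the
    rules; `restrictions` is None because the page names no teams."""
    return {
        "required_status_checks": {"strict": True, "contexts": list(status_check_contexts)},
        "enforce_admins": True,
        "required_pull_request_reviews": {
            "dismiss_stale_reviews": True,
            "require_code_owner_reviews": require_code_owners,
            "required_approving_review_count": approvals,
        },
        "restrictions": None,
        "required_linear_history": True,
        "required_conversation_resolution": True,
    }


def payloads_for_branches(branches, status_check_contexts) -> dict:
    """Same rules for main and every release branch, as the steps require."""
    return {b: build_protection_payload(status_check_contexts) for b in branches}


# Constructed sample: a partially protected branch (the kind of state that
# scores 5/10), in the GET response shape.
WEAK_PROTECTION = {
    "required_pull_request_reviews": {
        "dismiss_stale_reviews": False,
        "require_code_owner_reviews": False,
        "required_approving_review_count": 1,
    },
    "required_status_checks": {"strict": False, "contexts": ["ci/test"]},
    "enforce_admins": {"enabled": False},
    "required_linear_history": {"enabled": False},
    "required_conversation_resolution": {"enabled": False},
    "required_signatures": {"enabled": False},
}

# Constructed sample: the same branch after the recommended settings are applied.
STRONG_PROTECTION = {
    "required_pull_request_reviews": {
        "dismiss_stale_reviews": True,
        "require_code_owner_reviews": True,
        "required_approving_review_count": 1,
    },
    "required_status_checks": {"strict": True, "contexts": ["ci/test"]},
    "enforce_admins": {"enabled": True},
    "required_linear_history": {"enabled": True},
    "required_conversation_resolution": {"enabled": True},
    "required_signatures": {"enabled": True},
}

if __name__ == "__main__":
    for name, sample in (("before", WEAK_PROTECTION), ("after", STRONG_PROTECTION)):
        print(name, audit_protection(sample) or ["all required settings enabled"])
    # The payload can be fed to: gh api -X PUT repos/OWNER/REPO/branches/main/protection --input -
    print(json.dumps(payloads_for_branches(["main", "release/1.0"], ["ci/test"]), indent=2))
```

Running the audit on a live repository means fetching `gh api repos/OWNER/REPO/branches/main/protection` and passing the parsed JSON to `audit_protection`; a non-empty result is the list of items to fix before the test PR in the last step is expected to be blocked.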
References
Related
Part of OpenSSF Scorecard evaluation THEEDGE-4717 (overall score: 6.8/10)