complytime/repo-branch-protection Control Catalog

complytime/repo-branch-protection

Branch protection controls for GitHub/GitLab repositories

Published by ComplyTime

Install

OCI v1.1

$grcli unpack --repository complytime/repo-branch-protection --tag dev-20260527

Coordinate: oci.grc.store/complytime/repo-branch-protection:dev-20260527
Manifest digest: sha256:53489838f56fb059c1ad9705ee8485544d4bed47d09aa73244d3be093e905b57

Provenance

1 layer

Digest	Media type	Size
4d790e0b1954…	application/vnd.gemara.artifact.v1+yaml	2.6 KiB

Bundle config blob

{
  "bundle-version": "1.0",
  "gemara-version": "1.1.0",
  "metadata": {
    "provenance": {
      "buildDefinition": {
        "buildType": "https://grc.store/grcli/buildtype/v0",
        "externalParameters": {
          "artifact": {
            "id": "repo-branch-protection",
            "type": "ControlCatalog"
          },
          "target": {
            "registry": "oci.grc.store",
            "repository": "complytime/repo-branch-protection",
            "tag": "dev-20260527"
          }
        },
        "internalParameters": {
          "CI": "true",
          "GITHUB_ACTIONS": "true",
          "GITHUB_ACTOR": "eddie-knight",
          "GITHUB_REF": "refs/heads/main",
          "GITHUB_REPOSITORY": "eddie-knight/complytime-policies",
          "GITHUB_RUN_ATTEMPT": "2",
          "GITHUB_RUN_ID": "26524275168",
          "GITHUB_SHA": "35c30860a105d3c2572aade482dfdaa8a28312cc",
          "GITHUB_WORKFLOW": "Publish to grc.store",
          "RUNNER_OS": "Linux"
        },
        "resolvedDependencies": [
          {
            "name": "governance/catalogs/ampel-branch-protection-catalog.yaml",
            "uri": "file://governance/catalogs/ampel-branch-protection-catalog.yaml",
            "digest": {
              "sha256": "4d790e0b1954ded35c3dd53f8eb5d7b4d927db15b6fab3c01ff50612084db8e0"
            }
          },
          {
            "name": "source",
            "uri": "git+https://github.com/eddie-knight/complytime-policies@35c30860a105d3c2572aade482dfdaa8a28312cc",
            "digest": {
              "gitCommit": "35c30860a105d3c2572aade482dfdaa8a28312cc"
            }
          }
        ]
      },
      "runDetails": {
        "builder": {
          "id": "https://github.com/eddie-knight/complytime-policies/actions/runs/26524275168",
          "version": {
            "go": "go1.25.0",
            "go-arch": "amd64",
            "go-os": "linux",
            "grcli": "v0.1.2"
          }
        },
        "metadata": {
          "invocationId": "26524275168-2",
          "startedOn": "2026-05-27T16:29:31.10981307Z",
          "finishedOn": "2026-05-27T16:29:31.743302325Z"
        },
        "byproducts": [
          {
            "name": "ampel-branch-protection-catalog.yaml",
            "digest": {
              "sha256": "4d790e0b1954ded35c3dd53f8eb5d7b4d927db15b6fab3c01ff50612084db8e0"
            }
          }
        ]
      }
    }
  },
  "artifacts": [
    {
      "name": "ampel-branch-protection-catalog.yaml",
      "type": "ControlCatalog",
      "id": "repo-branch-protection",
      "role": "artifact"
    }
  ]
}

Branch Protection Controls

Branch protection controls for GitHub/GitLab repositories

ID: repo-branch-protection
Version: dev-20260527
Gemara version: 1.1.0
Author: ComplyTime

Source Code Protection

Controls for protecting source code repositories via branch protection rules

BP-1 Require Pull Request Reviews
Objective
Ensure changes to protected branches go through a pull request process
Assessment requirements
1. Direct pushes to protected branches MUST be blocked
  Applicability: github-repos, gitlab-repos
BP-2 Require Minimum Approvals
Objective
Pull requests to protected branches must have a minimum number of approvals
Assessment requirements
1. Pull requests must require a minimum number of approvals
  Applicability: github-repos, gitlab-repos
BP-3 Restrict Force Pushes
Objective
Force pushes to protected branches must be blocked
Assessment requirements
1. Force pushes to protected branches must be blocked
  Applicability: github-repos, gitlab-repos
BP-4 Prevent Admin Bypass
Objective
Admin bypass of branch protection rules must be prevented
Assessment requirements
1. Admin bypass prevention must be enabled on protected branches
  Applicability: github-repos, gitlab-repos
BP-5 Require Code Owner Review
Objective
Code owner review must be required when CODEOWNERS file exists
Assessment requirements
1. Code owner review requirements must be enabled
  Applicability: github-repos, gitlab-repos

Install

Provenance

Source Code Protection

Objective

Assessment requirements

Objective

Assessment requirements

Objective

Assessment requirements

Objective

Assessment requirements

Objective

Assessment requirements