Release · dev-20260527.0

complytime/repo-branch-protection Control Catalog

Branch protection controls for GitHub/GitLab repositories

Published by ComplyTime

Install

OCI v1.1
$ grcli unpack --repository complytime/repo-branch-protection --tag dev-20260527.0
Coordinate
oci.grc.store/complytime/repo-branch-protection:dev-20260527.0
Manifest digest
sha256:5f3b0d9d7c9d450121ac660217b41b9eff185e68567b56122ece4d3d872ad213

Provenance

1 layer
Digest Media type Size
564f713260e8… application/vnd.gemara.artifact.v1+yaml 2.6 KiB
Bundle config blob
{
  "bundle-version": "1.0",
  "gemara-version": "1.1.0",
  "metadata": {
    "provenance": {
      "buildDefinition": {
        "buildType": "https://grc.store/grcli/buildtype/v0",
        "externalParameters": {
          "artifact": {
            "id": "repo-branch-protection",
            "type": "ControlCatalog"
          },
          "target": {
            "registry": "oci.grc.store",
            "repository": "complytime/repo-branch-protection",
            "tag": "dev-20260527.0"
          }
        },
        "internalParameters": {
          "CI": "true",
          "GITHUB_ACTIONS": "true",
          "GITHUB_ACTOR": "eddie-knight",
          "GITHUB_REF": "refs/heads/main",
          "GITHUB_REPOSITORY": "eddie-knight/complytime-policies",
          "GITHUB_RUN_ATTEMPT": "1",
          "GITHUB_RUN_ID": "26525787099",
          "GITHUB_SHA": "b67938bd57574da7aed912bd45c918c36e9bdd02",
          "GITHUB_WORKFLOW": "Publish to grc.store",
          "RUNNER_OS": "Linux"
        },
        "resolvedDependencies": [
          {
            "name": "governance/catalogs/ampel-branch-protection-catalog.yaml",
            "uri": "file://governance/catalogs/ampel-branch-protection-catalog.yaml",
            "digest": {
              "sha256": "564f713260e8309b76e79f4b540dd79a7d9848b4ebdd802414dcb6d965c2b925"
            }
          },
          {
            "name": "source",
            "uri": "git+https://github.com/eddie-knight/complytime-policies@b67938bd57574da7aed912bd45c918c36e9bdd02",
            "digest": {
              "gitCommit": "b67938bd57574da7aed912bd45c918c36e9bdd02"
            }
          }
        ]
      },
      "runDetails": {
        "builder": {
          "id": "https://github.com/eddie-knight/complytime-policies/actions/runs/26525787099",
          "version": {
            "go": "go1.25.0",
            "go-arch": "amd64",
            "go-os": "linux",
            "grcli": "v0.1.2"
          }
        },
        "metadata": {
          "invocationId": "26525787099-1",
          "startedOn": "2026-05-27T16:55:44.926113317Z",
          "finishedOn": "2026-05-27T16:55:45.438222109Z"
        },
        "byproducts": [
          {
            "name": "ampel-branch-protection-catalog.yaml",
            "digest": {
              "sha256": "564f713260e8309b76e79f4b540dd79a7d9848b4ebdd802414dcb6d965c2b925"
            }
          }
        ]
      }
    }
  },
  "artifacts": [
    {
      "name": "ampel-branch-protection-catalog.yaml",
      "type": "ControlCatalog",
      "id": "repo-branch-protection",
      "role": "artifact"
    }
  ]
}

Branch Protection Controls

Branch protection controls for GitHub/GitLab repositories

ID
repo-branch-protection
Version
dev-20260527.0
Gemara version
1.1.0
Author
ComplyTime

Source Code Protection

Controls for protecting source code repositories via branch protection rules

  1. BP-1 Require Pull Request Reviews

    Objective

    Ensure changes to protected branches go through a pull request process

    Assessment requirements
    1. Direct pushes to protected branches MUST be blocked

      Applicability: github-repos, gitlab-repos

  2. BP-2 Require Minimum Approvals

    Objective

    Pull requests to protected branches must have a minimum number of approvals

    Assessment requirements
    1. Pull requests must require a minimum number of approvals

      Applicability: github-repos, gitlab-repos

  3. BP-3 Restrict Force Pushes

    Objective

    Force pushes to protected branches must be blocked

    Assessment requirements
    1. Force pushes to protected branches must be blocked

      Applicability: github-repos, gitlab-repos

  4. BP-4 Prevent Admin Bypass

    Objective

    Admin bypass of branch protection rules must be prevented

    Assessment requirements
    1. Admin bypass prevention must be enabled on protected branches

      Applicability: github-repos, gitlab-repos

  5. BP-5 Require Code Owner Review

    Objective

    Code owner review must be required when a CODEOWNERS file exists

    Assessment requirements
    1. Code owner review requirements must be enabled

      Applicability: github-repos, gitlab-repos