Release · dev-20260527.1

complytime/repo-branch-protection Control Catalog

Branch protection controls for GitHub/GitLab repositories

Published by ComplyTime

Install

OCI v1.1
$ grcli unpack --repository complytime/repo-branch-protection --tag dev-20260527.1
Coordinate: oci.grc.store/complytime/repo-branch-protection:dev-20260527.1
Manifest digest: sha256:ca0f3da7ed8a92a7a8fc86ec9d20f2a05da22e8d3de950c8040c580f4d815040

Provenance

1 layer
Digest Media type Size
7821c1b713d9… application/vnd.gemara.artifact.v1+yaml 2.6 KiB
Bundle config blob
{
  "bundle-version": "1.0",
  "gemara-version": "1.1.0",
  "metadata": {
    "provenance": {
      "buildDefinition": {
        "buildType": "https://grc.store/grcli/buildtype/v0",
        "externalParameters": {
          "artifact": {
            "id": "repo-branch-protection",
            "type": "ControlCatalog"
          },
          "target": {
            "registry": "oci.grc.store",
            "repository": "complytime/repo-branch-protection",
            "tag": "dev-20260527.1"
          }
        },
        "internalParameters": {
          "CI": "true",
          "GITHUB_ACTIONS": "true",
          "GITHUB_ACTOR": "eddie-knight",
          "GITHUB_REF": "refs/heads/main",
          "GITHUB_REPOSITORY": "eddie-knight/complytime-policies",
          "GITHUB_RUN_ATTEMPT": "1",
          "GITHUB_RUN_ID": "26539707251",
          "GITHUB_SHA": "fb4320fc65d7d6d257901b0dc1fd6597855e057c",
          "GITHUB_WORKFLOW": "Publish to grc.store",
          "RUNNER_OS": "Linux"
        },
        "resolvedDependencies": [
          {
            "name": "governance/catalogs/ampel-branch-protection-catalog.yaml",
            "uri": "file://governance/catalogs/ampel-branch-protection-catalog.yaml",
            "digest": {
              "sha256": "7821c1b713d9d4c7adf6942586ae66e206c9f79279df97e0bf843bbe641211dc"
            }
          },
          {
            "name": "source",
            "uri": "git+https://github.com/eddie-knight/complytime-policies@fb4320fc65d7d6d257901b0dc1fd6597855e057c",
            "digest": {
              "gitCommit": "fb4320fc65d7d6d257901b0dc1fd6597855e057c"
            }
          }
        ]
      },
      "runDetails": {
        "builder": {
          "id": "https://github.com/eddie-knight/complytime-policies/actions/runs/26539707251",
          "version": {
            "go": "go1.25.0",
            "go-arch": "amd64",
            "go-os": "linux",
            "grcli": "v0.1.2"
          }
        },
        "metadata": {
          "invocationId": "26539707251-1",
          "startedOn": "2026-05-27T21:26:46.811536736Z",
          "finishedOn": "2026-05-27T21:26:47.30613673Z"
        },
        "byproducts": [
          {
            "name": "ampel-branch-protection-catalog.yaml",
            "digest": {
              "sha256": "7821c1b713d9d4c7adf6942586ae66e206c9f79279df97e0bf843bbe641211dc"
            }
          }
        ]
      }
    }
  },
  "artifacts": [
    {
      "name": "ampel-branch-protection-catalog.yaml",
      "type": "ControlCatalog",
      "id": "repo-branch-protection",
      "role": "artifact"
    }
  ]
}

Branch Protection Controls

ID: repo-branch-protection
Version: dev-20260527.1
Gemara version: 1.1.0
Author: ComplyTime

Source Code Protection

Controls for protecting source code repositories via branch protection rules

  1. BP-1 Require Pull Request Reviews

    Objective

    Ensure changes to protected branches go through a pull request process

    Assessment requirements
    1. Direct pushes to protected branches MUST be blocked

      Applicability: github-repos, gitlab-repos

  2. BP-2 Require Minimum Approvals

    Objective

    Pull requests to protected branches must have a minimum number of approvals

    Assessment requirements
    1. Pull requests must require a minimum number of approvals

      Applicability: github-repos, gitlab-repos

  3. BP-3 Restrict Force Pushes

    Objective

    Force pushes to protected branches must be blocked

    Assessment requirements
    1. Force pushes to protected branches must be blocked

      Applicability: github-repos, gitlab-repos

  4. BP-4 Prevent Admin Bypass

    Objective

    Admin bypass of branch protection rules must be prevented

    Assessment requirements
    1. Admin bypass prevention must be enabled on protected branches

      Applicability: github-repos, gitlab-repos

  5. BP-5 Require Code Owner Review

    Objective

    Code owner review must be required when a CODEOWNERS file exists

    Assessment requirements
    1. Code owner review requirements must be enabled

      Applicability: github-repos, gitlab-repos