Property
Language: terraform
Severity: high
Service: branch_protections
Provider: GitHub
Vulnerability Type: omission

Description

Branch protection rules on GitHub are configured without requiring signed commits, allowing unsigned or unverified commits to be pushed to protected branches. This weakens the trustworthiness of commit history and increases the risk of unauthorized changes.

Impact

Without enforcing signed commits, attackers or unauthorized users could introduce unverified changes to critical branches, making it difficult to trace the origin of code and increasing the risk of malicious or unauthorized code being merged into production.

Resolution

Require signed commits on the branch protection rule, so that GitHub rejects pushes of unsigned or unverified commits to the protected branch.
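As an added example (not from the original rule page or the GitHub provider's documentation), the weak rule beside its corrected form using the `integrations/github` provider's `github_branch_protection` resource; the organization, repository and branch names are assumed, and only one of the two rules should exist for a given branch pattern.

```hcl
# Added example, not from the original page. Repository and branch names are assumed.
terraform {
  required_providers {
    github = {
      source = "integrations/github"
    }
  }
}

data "github_repository" "app" {
  full_name = "example-org/payments-service" # assumed repository
}

# Weak (before): the rule protects "main" but never sets require_signed_commits,
# which defaults to false, so unsigned or unverified commits can still be pushed
# to the protected branch. This is the omission the rule above flags.
resource "github_branch_protection" "main_weak" {
  repository_id  = data.github_repository.app.node_id
  pattern        = "main"
  enforce_admins = true
}

# Corrected (after): the same rule with signed commits required. GitHub now
# rejects pushes containing commits without a verified signature, and because
# enforce_admins is set the requirement also applies to repository admins.
resource "github_branch_protection" "main" {
  repository_id          = data.github_repository.app.node_id
  pattern                = "main"
  enforce_admins         = true
  require_signed_commits = true
}
```

Replace the `main_weak` resource with `main` in a real configuration rather than applying both; `terraform plan` will show `require_signed_commits` changing from `false` to `true` on the existing rule.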