Branch protection configuration not compliant

Control: Branch must be protected · Config key: branchMustBeProtected

📋 What is this?

The branch protection configuration does not meet the security requirements defined in your Policy controls. The branch settings allow unauthorized access levels, force push capabilities, or bypass code owner approval requirements.

⚠️ Impact

Non-compliant branch protection settings can lead to unauthorized code changes, security vulnerabilities, and compliance issues. This includes risks such as loss of commit history through force push, unauthorized code merges, and direct pushes to protected branches without proper validation.

🔧 How to fix

Update the branch protection settings to comply with your Policy controls requirements by enforcing proper access controls, disabling force push, and requiring code owner approvals for all changes.

✗ Before Branch is protected but settings don't meet requirements.

# GitLab settings — ❌ Protection exists but is too permissive
# Branch: main
#   Allowed to push: Developers + Maintainers  (too permissive)
#   Allow force push: Yes                       (dangerous)
#   Code owner approval required: No            (missing review)

# Required by .plumber.yaml:
#   minPushAccessLevel: 40 (Maintainer only)
#   allowForcePush: false
#   codeOwnerApprovalRequired: true

✓ After Branch protection meets all configured requirements.

# GitLab settings — ✅ Protection meets requirements
# Branch: main
#   Allowed to merge: Developers + Maintainers
#   Allowed to push: Maintainers only
#   Allow force push: No
#   Code owner approval required: Yes

# Matches .plumber.yaml:
branchMustBeProtected:
  enabled: true
  allowForcePush: false
  codeOwnerApprovalRequired: true
  minMergeAccessLevel: 30
  minPushAccessLevel: 40

💡 Tips

Plumber checks each setting independently — the output shows exactly which settings are non-compliant.
Access levels: 0 = No one, 30 = Developer, 40 = Maintainer.
Force push should almost always be disabled on production branches.

⚙️ Configuration

This control is configured in .plumber.yaml under the gitlab section:

gitlab:
  controls:
    branchMustBeProtected:
      enabled: true

See the CLI documentation for the full configuration reference. On Plumber Platform, the same key is used in your policy configuration.

ISSUE-505 High Quick All Access and Authorization

Branch protection configuration not compliant

Control: Branch must be protected · Config key: branchMustBeProtected

📋 What is this?

A protected branch exists but the effective settings, after merging classic Branch Protection and every Repository or Organization Ruleset covering the branch, don't match the policy. Force-push may still be allowed, code-owner approval may be missing, or required status checks may be absent.

⚠️ Impact

A protected-but-misconfigured branch creates a false sense of safety. Reviewers see the green check, the workflow runs, and the UI shows a protection rule, but a critical safeguard (force-push prevention, code-owner review, required checks) is disabled in practice.

🔧 How to fix

Update whichever source carries the offending setting (the classic rule, a Repository Ruleset, or an inherited Organization Ruleset) so the merged effective configuration matches .plumber.yaml. Each non-compliant setting is listed individually in Plumber's output so you know exactly what to change.

✗ Before Ruleset exists but force-push is allowed and code-owner reviews are off.

# GitHub repo settings — ❌ Protection too permissive
# Settings > Rules > Rulesets > `main` ruleset:
#   Block force pushes: OFF        ← required by policy
#   Require pull request reviews: ON
#     Required approvals: 0        ← policy requires >= 1
#     Require review from Code Owners: OFF   ← required by policy
#
# .plumber.yaml
github:
  controls:
    branchMustBeProtected:
      enabled: true
      allowForcePush: false
      codeOwnerApprovalRequired: true
      minPullRequestReviews: 1

✓ After Each policy setting has a matching ruleset toggle enabled.

# GitHub repo settings — ✅ Settings match policy
# Settings > Rules > Rulesets > `main` ruleset:
#   Block force pushes: ON
#   Require pull request reviews: ON
#     Required approvals: 1
#     Require review from Code Owners: ON

💡 Tips

Plumber reports each non-compliant setting individually so you can see exactly what to change.
Settings are checked against the merged effective configuration. A rule disabled in classic Branch Protection but enforced by a Ruleset is treated as enforced. Stricter wins.
Force push should be disabled on every long-lived branch.
codeOwnerApprovalRequired only takes effect when a CODEOWNERS file exists in the repository.

⚙️ Configuration

This control is configured in .plumber.yaml under the github section:

github:
  controls:
    branchMustBeProtected:
      enabled: true

See the CLI documentation for the full configuration reference. On Plumber Platform, the same key is used in your policy configuration.

📋 What is this?

⚠️ Impact

🔧 How to fix

💡 Tips

⚙️ Configuration

🔗 Related issues

📋 What is this?

⚠️ Impact

🔧 How to fix

💡 Tips

⚙️ Configuration

🔗 Related issues