ISSUE-501 · Branch protection missing

Severity: Critical · Category: Quick Access and Authorization

Control: Branch must be protected · Config key: `branchMustBeProtected`
📋 What is this?
A branch is not protected on the repository.
⚠️ Impact
Unprotected branches are highly vulnerable to unauthorized modifications. For instance, any member can push malicious code directly to your production branch without any review or validation.
🔧 How to fix
Enable branch protection on the branch to restrict changes to authorized users only.
✗ Before

The `main` branch has no protection, violating the policy.

```
# GitLab project settings — ❌ Branch not protected
# Branch "main" has no protection rules
# Anyone with Developer access can:
# - Push directly
# - Force push
# - Delete the branch
```

```yaml
# .plumber.yaml configuration requiring protection:
branchMustBeProtected:
  enabled: true
  defaultMustBeProtected: true
  namePatterns:
    - main
    - release/*
```

✓ After

Proper branch protection with restricted push access and code review requirements.

```
# GitLab project settings — ✅ Branch properly protected
# Settings > Repository > Protected Branches:
#
# Branch: main
# Allowed to merge: Developers + Maintainers
# Allowed to push: Maintainers
# Allow force push: No
# Code owner approval required: Yes
```

```yaml
# .plumber.yaml
branchMustBeProtected:
  enabled: true
  defaultMustBeProtected: true
  namePatterns:
    - main
    - release/*
  allowForcePush: false
  codeOwnerApprovalRequired: true
  minMergeAccessLevel: 30 # Developer
  minPushAccessLevel: 40 # Maintainer
```

💡 Tips

- Use `namePatterns` with wildcards to protect branch families (e.g., `release/*`).
- Set `minPushAccessLevel: 40` (Maintainer) to prevent developers from pushing directly.
- Enable `codeOwnerApprovalRequired` if you use a CODEOWNERS file.
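The check below shows how the policy fields above map onto what GitLab actually reports for a protected branch. It is an added example, not plumber's own implementation: it assumes the field names of the GitLab REST API response for `GET /projects/:id/protected_branches` (`name`, `push_access_levels`, `merge_access_levels`, `allow_force_push`, `code_owner_approval_required`) and replaces the live API call with a constructed sample response. Branch names are matched against `namePatterns` with shell-style wildcards, and each protected-branch rule name is itself treated as a wildcard, which is how GitLab interprets it. The `evaluate` function returns one list of findings per branch the policy requires to be protected.

```python
"""Evaluate GitLab protected-branch settings against a branchMustBeProtected policy.

Added example, not plumber's own code. Assumes the GitLab REST API field names
listed in the lead-in and uses a constructed sample instead of a live request.
"""
from fnmatch import fnmatchcase

# GitLab access level values used by the API
DEVELOPER = 30
MAINTAINER = 40

# Policy mirroring the "After" .plumber.yaml block on this page.
POLICY = {
    "enabled": True,
    "defaultMustBeProtected": True,
    "namePatterns": ["main", "release/*"],
    "allowForcePush": False,
    "codeOwnerApprovalRequired": True,
    "minMergeAccessLevel": DEVELOPER,
    "minPushAccessLevel": MAINTAINER,
}

# Constructed sample of GET /projects/:id/protected_branches, trimmed to the
# fields the check needs. Not captured from a real project.
SAMPLE_PROTECTED_BRANCHES = [
    {
        "name": "main",
        "push_access_levels": [{"access_level": 30}],   # Developers may push
        "merge_access_levels": [{"access_level": 30}],
        "allow_force_push": True,
        "code_owner_approval_required": False,
    },
    {
        "name": "release/*",
        "push_access_levels": [{"access_level": 40}],   # Maintainers only
        "merge_access_levels": [{"access_level": 30}],
        "allow_force_push": False,
        "code_owner_approval_required": True,
    },
]

# Constructed sample of the project's branch names.
SAMPLE_BRANCHES = ["main", "release/1.0", "release/2.0", "feature/login"]


def weakest_level(entries):
    """Lowest access level a rule grants; 0 means 'No one' in GitLab, the strictest.

    An empty list or only-zero entries mean nobody is allowed, so return infinity.
    """
    nonzero = [e["access_level"] for e in entries if e["access_level"] != 0]
    return min(nonzero) if nonzero else float("inf")


def required_branches(policy, branches, default_branch):
    """Branches the policy says must be protected: the default branch plus pattern matches."""
    names = set()
    if policy.get("defaultMustBeProtected"):
        names.add(default_branch)
    for branch in branches:
        if any(fnmatchcase(branch, pattern) for pattern in policy.get("namePatterns", [])):
            names.add(branch)
    return sorted(names)


def check_branch(policy, branch, protected):
    """Return a list of human-readable findings for one branch (empty list means compliant)."""
    # A GitLab protected-branch name is itself a wildcard pattern.
    rules = [r for r in protected if fnmatchcase(branch, r["name"])]
    if not rules:
        return [f"{branch}: no protection rule matches this branch"]

    findings = []
    for rule in rules:
        push = weakest_level(rule["push_access_levels"])
        merge = weakest_level(rule["merge_access_levels"])
        if push < policy["minPushAccessLevel"]:
            findings.append(f"{branch}: rule '{rule['name']}' allows push at level {push}, "
                            f"policy requires at least {policy['minPushAccessLevel']}")
        if merge < policy["minMergeAccessLevel"]:
            findings.append(f"{branch}: rule '{rule['name']}' allows merge at level {merge}, "
                            f"policy requires at least {policy['minMergeAccessLevel']}")
        if rule.get("allow_force_push") and not policy.get("allowForcePush", False):
            findings.append(f"{branch}: rule '{rule['name']}' allows force push")
        if policy.get("codeOwnerApprovalRequired") and not rule.get("code_owner_approval_required"):
            findings.append(f"{branch}: rule '{rule['name']}' does not require code owner approval")
    return findings


def evaluate(policy, branches, protected, default_branch="main"):
    """Map each branch the policy covers to its findings; {} when the control is disabled."""
    if not policy.get("enabled"):
        return {}
    return {b: check_branch(policy, b, protected)
            for b in required_branches(policy, branches, default_branch)}


if __name__ == "__main__":
    for branch, findings in evaluate(POLICY, SAMPLE_BRANCHES, SAMPLE_PROTECTED_BRANCHES).items():
        print(branch, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

On the sample data, `main` produces three findings (Developer-level push, force push allowed, no code owner approval) while the two `release/` branches are covered by the `release/*` rule and pass; `feature/login` is outside `namePatterns` and is not evaluated. Note that the weakest entry in a rule decides the effective level: a rule that lists both "No one" and "Maintainers" effectively lets Maintainers push, so the zero entry is ignored when a non-zero one is present.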
⚙️ Configuration
This control is configured in `.plumber.yaml` under the key:

```yaml
controls:
  branchMustBeProtected:
    enabled: true
```

See the CLI documentation for the full configuration reference.