Branch protection configuration not compliant
Control: Branch must be protected · Config key: branchMustBeProtected
📋 What is this?
The branch protection configuration does not meet the security requirements defined in your Policy controls. The branch settings grant push or merge access below the required access level, allow force pushes, or do not require code owner approval for changes.
⚠️ Impact
Non-compliant branch protection settings can lead to unauthorized code changes, security vulnerabilities, and compliance issues. This includes risks such as loss of commit history through force push, unauthorized code merges, and direct pushes to protected branches without proper validation.
🔧 How to fix
Update the branch protection settings to comply with your Policy controls requirements by enforcing proper access controls, disabling force push, and requiring code owner approvals for all changes.
# GitLab settings — ❌ Protection exists but is too permissive
# Branch: main
# Allowed to push: Developers + Maintainers (too permissive)
# Allow force push: Yes (dangerous)
# Code owner approval required: No (missing review)
#
# Required by .plumber.yaml:
# minPushAccessLevel: 40 (Maintainer only)
# allowForcePush: false
# codeOwnerApprovalRequired: true

# GitLab settings — ✅ Protection meets requirements
# Branch: main
# Allowed to merge: Developers + Maintainers
# Allowed to push: Maintainers only
# Allow force push: No
# Code owner approval required: Yes
#
# Matches .plumber.yaml:
branchMustBeProtected:
  enabled: true
  allowForcePush: false
  codeOwnerApprovalRequired: true
  minMergeAccessLevel: 30
  minPushAccessLevel: 40

💡 Tips
- Plumber checks each setting independently — the output shows exactly which settings are non-compliant.
- Access levels: 0 = No one, 30 = Developer, 40 = Maintainer.
- Force push should almost always be disabled on production branches.
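The per-setting comparison described in the tips above, as an added example that is not Plumber's own code: it evaluates a GitLab protected-branch record against a branchMustBeProtected policy and returns one finding per non-compliant setting. The input shape (push_access_levels, merge_access_levels, allow_force_push, code_owner_approval_required) follows the GitLab protected-branches API response; the policy keys are the ones shown in the .plumber.yaml above. The branch and policy data are constructed for the example, and the treatment of access level 0 ("No one") as stricter than any minimum is an assumption made here.

```python
# Added example (not Plumber's code): check one GitLab protected branch against
# a branchMustBeProtected policy, reporting every non-compliant setting.
from __future__ import annotations

from typing import Any, Optional

# Access level numbers as listed in the Tips section.
ACCESS_LEVEL_NAMES = {0: "No one", 30: "Developer", 40: "Maintainer"}

# Constructed policy, mirroring the .plumber.yaml shown on this page.
POLICY = {
    "enabled": True,
    "allowForcePush": False,
    "codeOwnerApprovalRequired": True,
    "minMergeAccessLevel": 30,
    "minPushAccessLevel": 40,
}

# Constructed "before" state: protection exists but is too permissive.
NONCOMPLIANT_BRANCH = {
    "name": "main",
    "push_access_levels": [{"access_level": 30}, {"access_level": 40}],
    "merge_access_levels": [{"access_level": 30}, {"access_level": 40}],
    "allow_force_push": True,
    "code_owner_approval_required": False,
}

# Constructed "after" state: protection meets the policy.
COMPLIANT_BRANCH = {
    "name": "main",
    "push_access_levels": [{"access_level": 40}],
    "merge_access_levels": [{"access_level": 30}, {"access_level": 40}],
    "allow_force_push": False,
    "code_owner_approval_required": True,
}


def granted_minimum(entries: list[dict[str, Any]]) -> int:
    """Lowest role granted by an access-level list, or 0 if no one is granted.

    Assumption: an entry with access_level 0 ("No one") grants nothing, so it is
    ignored; an empty result means the action is closed to everybody, which is
    stricter than any minimum a policy can require.
    """
    granted = [e["access_level"] for e in entries if e.get("access_level", 0) > 0]
    return min(granted) if granted else 0


def describe(level: int) -> str:
    return f"{level} ({ACCESS_LEVEL_NAMES.get(level, 'custom')})"


def check_branch(branch: Optional[dict[str, Any]], policy: dict[str, Any]) -> list[dict[str, Any]]:
    """Return one finding per non-compliant setting; an empty list means compliant."""
    if not policy.get("enabled", False):
        return []
    if branch is None:
        # No protected-branch record at all: the control fails before any setting is compared.
        return [{"setting": "branchMustBeProtected", "actual": "unprotected", "required": "protected"}]

    findings: list[dict[str, Any]] = []

    # Access-level checks are independent, so every failing setting is reported.
    for key, field in (("minPushAccessLevel", "push_access_levels"),
                       ("minMergeAccessLevel", "merge_access_levels")):
        if key not in policy:
            continue
        actual = granted_minimum(branch.get(field, []))
        if actual != 0 and actual < policy[key]:
            findings.append({"setting": key, "actual": describe(actual), "required": describe(policy[key])})

    if "allowForcePush" in policy and not policy["allowForcePush"] and branch.get("allow_force_push", False):
        findings.append({"setting": "allowForcePush", "actual": True, "required": False})

    if policy.get("codeOwnerApprovalRequired") and not branch.get("code_owner_approval_required", False):
        findings.append({"setting": "codeOwnerApprovalRequired", "actual": False, "required": True})

    return findings


if __name__ == "__main__":
    for label, branch in (("before", NONCOMPLIANT_BRANCH), ("after", COMPLIANT_BRANCH)):
        print(label, check_branch(branch, POLICY))
```

Running the block prints three findings for the "before" state (push access level, force push, code owner approval) and none for the "after" state; the merge access level passes in both because Developers (30) meets minMergeAccessLevel: 30.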
⚙️ Configuration
This control is configured in .plumber.yaml under the key:
controls:
  branchMustBeProtected:
    enabled: true

See the CLI documentation for the full configuration reference.