Protected branches should set allow_force_push = false. Force push rewrites history on the protected branch, breaking downstream clones and bypassing the audit trail of merge-request reviews. Even Maintainers should not have force-push privilege on critical branches.
1. Go to project Settings > Repository > Protected branches.
2. For each protected branch, ensure Allowed to force push is empty (no roles selected).
3. Save changes.
{
  "target": "GLProtectedBranch",
  "if": {
    "allOf": [
      {
        "resource": "GLProtectedBranch",
        "property": "AllowForcePush",
        "operator": "equals",
        "value": false
      }
    ]
  },
  "then": {
    "effect": "Audit"
  }
}
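The rule above is evaluated per protected branch; the following script is an added example (not DevOps Shield's own code) that applies the same condition to records in the shape of GitLab's REST API v4 `GET /projects/:id/protected_branches` response and reports every branch whose `allow_force_push` is not `false`, together with the remediation steps listed earlier. It assumes that a resource satisfying the rule's `if` condition is the compliant state and that the `AllowForcePush` property maps to the API field `allow_force_push`; the evaluator only implements the `allOf` and `equals` syntax the page shows, and a record with the field missing is reported rather than passed. The sample branch records are constructed for the example.

```python
"""Audit GitLab protected branches against the AllowForcePush rule.

Added example, not DevOps Shield's or GitLab's own code. SAMPLE_BRANCHES is a
constructed stand-in for the output of GET /projects/:id/protected_branches.
"""
import json
import os
import urllib.request

# The rule from the page. Assumption: a branch that satisfies the "if"
# condition is compliant; any other branch is reported with the "then" effect.
POLICY = {
    "target": "GLProtectedBranch",
    "if": {
        "allOf": [
            {
                "resource": "GLProtectedBranch",
                "property": "AllowForcePush",
                "operator": "equals",
                "value": False,
            }
        ]
    },
    "then": {"effect": "Audit"},
}

# Policy property name -> GitLab API field name (assumed mapping for this example).
PROPERTY_TO_API_FIELD = {"AllowForcePush": "allow_force_push"}


def condition_holds(condition, resource):
    """Evaluate the subset of rule syntax used on the page: allOf + equals."""
    if "allOf" in condition:
        return all(condition_holds(sub, resource) for sub in condition["allOf"])
    field = PROPERTY_TO_API_FIELD.get(condition["property"], condition["property"])
    actual = resource.get(field)  # None when the field is absent -> never equals False
    if condition["operator"] == "equals":
        return actual == condition["value"]
    raise ValueError("unsupported operator: %s" % condition["operator"])


def audit_protected_branches(branches, policy=POLICY):
    """Return one finding per branch that does not satisfy the policy condition."""
    findings = []
    for branch in branches:
        if not condition_holds(policy["if"], branch):
            findings.append(
                {
                    "branch": branch["name"],
                    "allow_force_push": branch.get("allow_force_push"),
                    "effect": policy["then"]["effect"],
                    "fix": "Settings > Repository > Protected branches: "
                           "clear 'Allowed to force push' and save",
                }
            )
    return findings


def fetch_protected_branches(base_url, project_id, token):
    """Call GET /projects/:id/protected_branches on a GitLab instance (REST API v4)."""
    url = "%s/api/v4/projects/%s/protected_branches?per_page=100" % (
        base_url.rstrip("/"), project_id)
    req = urllib.request.Request(url, headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample records: field names follow the GitLab API, values are made up.
SAMPLE_BRANCHES = [
    {"id": 1, "name": "main", "allow_force_push": False},
    {"id": 2, "name": "release/*", "allow_force_push": True},
    {"id": 3, "name": "hotfix"},  # field missing: reported, not silently passed
]

if __name__ == "__main__":
    # With GITLAB_TOKEN and GITLAB_PROJECT_ID set, audit a real project;
    # otherwise run against the constructed sample.
    if os.environ.get("GITLAB_TOKEN") and os.environ.get("GITLAB_PROJECT_ID"):
        branches = fetch_protected_branches(
            os.environ.get("GITLAB_URL", "https://gitlab.com"),
            os.environ["GITLAB_PROJECT_ID"],
            os.environ["GITLAB_TOKEN"],
        )
    else:
        branches = SAMPLE_BRANCHES
    for finding in audit_protected_branches(branches):
        print(json.dumps(finding))
```

Run it with `GITLAB_URL`, `GITLAB_PROJECT_ID` and a read-scoped `GITLAB_TOKEN` exported to audit a real project; without them it reports the two non-compliant sample branches. Because `condition_holds` compares the raw field value with `equals`, a missing or non-boolean value is treated as a finding, which is the safer default for a control whose purpose is to keep history on protected branches immutable.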
Copyright © DevOps Shield. All Rights Reserved.