DOS6041

Protected branch should require code owner approval

DOS6041

GitLab repository Severitymedium builtIn

Description

Protected branches should set code_owner_approval_required = true. When CODEOWNERS files declare ownership of paths, requiring code-owner approval ensures that changes touching sensitive paths (auth modules, database schemas, security configs) cannot merge without sign-off from the responsible team. Premium/Ultimate feature.

Learn More

Recommendation

1. Ensure the project has a CODEOWNERS file at the repo root or in .gitlab/ directory. 
2. Go to project Settings > Repository > Protected branches. 
3. Toggle Code owner approval required for the protected branch. 
4. Save changes.

Policy Rule

{
  "target": "GLProtectedBranch",
  "if": {
    "allOf": [
      {
        "resource": "GLProtectedBranch",
        "property": "CodeOwnerApprovalRequired",
        "operator": "equals",
        "value": true
      }
    ]
  },
  "then": {
    "effect": "Audit"
  }
}
« DOS6040 DOS6042 »
Rule Details
  • Rule ID: DOS6041
  • Code: GL_Branch_CodeOwnerApproval_Should_Be_Required
  • Platform: GitLab
  • Category: repository
  • Severity: Severitymedium
  • Type: builtIn
Related Rules

Copyright © DevOps Shield. All Rights Reserved. Privacy Policy | Cookie Policy | Terms and Conditions | v1.0.2