GitHub repository | Severity: high | builtIn

Description

Repository and organization rulesets are GitHub's current protection primitive for branches, tags, and pushes, replacing the legacy branch and tag protection rules. Every ruleset carries an 'enforcement' field with three states: 'active' (rules are enforced and non-compliant pushes, merges and tag operations are rejected), 'evaluate' (dry run: rule outcomes are recorded in Rule Insights but nothing is blocked), and 'disabled' (the ruleset is ignored entirely). For production-grade compliance every ruleset that is meant to protect code must be 'active', so that bypass attempts are blocked rather than merely observed. A ruleset left in 'evaluate' after a trial period gives the appearance of protection with none of the enforcement, and a 'disabled' ruleset is equivalent to having no ruleset at all.

Recommendation

1. Go to Repository or Organization Settings -> Rules -> Rulesets.
2. Open each ruleset whose status is not 'Active' (this includes rulesets in 'Evaluate' mode).
3. Set 'Enforcement status' to 'Active' and save the ruleset.
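The same check and fix can be scripted against the REST API for every repository or organization in scope, which is what a compliance team will want rather than clicking through each ruleset. The script below is an added example for this page, not the policy engine's own code. It uses the documented endpoints GET /repos/{owner}/{repo}/rulesets and GET /orgs/{org}/rulesets to list rulesets and PUT .../rulesets/{ruleset_id} to change enforcement; the ruleset listing embedded in it is a constructed sample so the audit logic can be run offline, and the assumption that a PUT carrying only 'enforcement' leaves the other ruleset fields untouched is flagged in the code.

```python
"""Audit GitHub rulesets whose enforcement is not 'active'.

Added example for this policy page, not the policy engine's own code. Lists
rulesets via GET /repos/{owner}/{repo}/rulesets or GET /orgs/{org}/rulesets and,
with --fix, sets enforcement to 'active' via PUT .../rulesets/{ruleset_id}.
"""
import json
import os
import sys
import urllib.request

API = "https://api.github.com"
HEADERS = {
    "Accept": "application/vnd.github+json",
    "X-GitHub-Api-Version": "2022-11-28",
}

# Constructed sample of a rulesets listing, trimmed to the fields the check needs.
SAMPLE_RULESETS = json.loads("""
[
  {"id": 101, "name": "main-protection",   "target": "branch", "enforcement": "active"},
  {"id": 102, "name": "release-tags",      "target": "tag",    "enforcement": "evaluate"},
  {"id": 103, "name": "legacy-push-rules", "target": "push",   "enforcement": "disabled"}
]
""")


def find_noncompliant(rulesets):
    """Return (id, name, enforcement) for every ruleset that is not 'active'.

    'evaluate' only records outcomes in Rule Insights and blocks nothing;
    'disabled' does nothing at all. Both fail the policy, so anything other
    than the literal string 'active' is reported, including a missing field.
    """
    return [
        (r["id"], r["name"], r.get("enforcement"))
        for r in rulesets
        if r.get("enforcement") != "active"
    ]


def rulesets_path(owner, repo=None):
    """API path for a repository's rulesets, or an organization's when repo is None."""
    return f"repos/{owner}/{repo}/rulesets" if repo else f"orgs/{owner}/rulesets"


def api(method, path, token, body=None):
    """One authenticated call to the GitHub REST API; returns the decoded JSON."""
    data = json.dumps(body).encode() if body is not None else None
    headers = {**HEADERS, "Authorization": f"Bearer {token}"}
    if data is not None:
        headers["Content-Type"] = "application/json"
    req = urllib.request.Request(f"{API}/{path}", data=data, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def audit(owner, repo=None, token=None, fix=False):
    """Live audit of one repo or org; with fix=True, activate each failing ruleset."""
    path = rulesets_path(owner, repo)
    # per_page=100 avoids missing rulesets on busy orgs; more than 100 would need paging.
    failing = find_noncompliant(api("GET", f"{path}?per_page=100", token))
    for rid, name, state in failing:
        print(f"NON-COMPLIANT {path}/{rid} {name!r}: enforcement={state}")
        if fix:
            # Assumption: fields omitted from the PUT keep their current values,
            # so only enforcement is sent. Verify against your API version first.
            api("PUT", f"{path}/{rid}", token, {"enforcement": "active"})
            print("  -> enforcement set to active")
    return failing


if __name__ == "__main__":
    # usage: GITHUB_TOKEN=... python audit_rulesets.py OWNER [REPO] [--fix]
    token = os.environ.get("GITHUB_TOKEN")
    args = [a for a in sys.argv[1:] if a != "--fix"]
    if args and token:
        audit(args[0], args[1] if len(args) > 1 else None, token, fix="--fix" in sys.argv)
    else:
        # Offline: run the same check against the constructed sample.
        for rid, name, state in find_noncompliant(SAMPLE_RULESETS):
            print(f"NON-COMPLIANT ruleset {rid} {name!r}: enforcement={state}")
```

The token needs repository administration rights for repo rulesets and organization administration for org rulesets; run without --fix first and review the list, since activating a ruleset that was deliberately parked in 'evaluate' will start rejecting pushes immediately.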

Policy Rule

{
  "target": "GHRuleset",
  "if": {
    "allOf": [
      {
        "resource": "GHRuleset",
        "property": "Enforcement",
        "operator": "equals",
        "value": "active"
      }
    ]
  },
  "then": {
    "effect": "Audit"
  }
}