DOS6044: Protected branch name should not be a wildcard '*' | Security KB - DevOps Shield - The ultimate DevSecOps platform designed to secure your DevOps.

This website stores cookies on your computer.These cookies are used to collect information about how you interact with our website and allow us to remember you. We use this information to improve and customize your browsing experience and for analytics and metrics about our visitors both on this website and other media. To find out more about the cookies we use, please review our Privacy Policy.

If you decline, your information won’t be tracked when you visit this website. A single cookie will be used in your browser to remember your preference not to be tracked.
By clicking “Accept All”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts.

GitLab repository Severitymedium builtIn

Description

Protected branch entries should not use the literal wildcard '*' as their name pattern. Protecting every branch defeats the purpose of branch protection (which exists to distinguish important branches from working branches) and makes CI/CD branch-detection hostile.

Recommendation

1. Go to project Settings > Repository > Protected branches. 
2. Remove any entry where the branch pattern is '*'. 
3. Replace with specific patterns (main, release/*, prod*, etc.).

Policy Rule

{
  "target": "GLProtectedBranch",
  "if": {
    "allOf": [
      {
        "resource": "GLProtectedBranch",
        "property": "Name",
        "operator": "notEquals",
        "value": "*"
      }
    ]
  },
  "then": {
    "effect": "Audit"
  }
}

« DOS6043 DOS6045 »

Rule Details

Rule ID: DOS6044
Code: GL_Branch_Name_Should_Not_Be_Wildcard_Everything
Platform: GitLab
Category: repository
Severity: Severitymedium
Type: builtIn

DOS6044

Protected branch name should not be a wildcard '*'

DOS6044

Description

Recommendation

Policy Rule

View evaluation logic (JSON)

Rule Details

Related Rules