How to resolve the Sprinto check for enabling branch protection rules
About
Sprinto check: Branch Protection rules should be enforced for admins
This Sprinto check becomes active once you integrate your code hosting service with Sprinto, and it fails when no branch protection rules are configured on the integrated account. Branch protection rules are security settings that safeguard production code by ensuring that every change is reviewed before it is merged into a protected branch, and that nobody, administrators included, can push to that branch directly.
Purpose
The purpose of this check is to ensure that proper security controls, such as peer code review and merge request approval, are configured on repositories that host production code. These controls add a layer of protection that prevents unreviewed or malicious changes from reaching the production branch. Branch protection rules also help satisfy the change management requirements of data compliance frameworks.
How to resolve
To resolve this Sprinto check, enable branch protection rules on your code hosting service. Follow the procedure below for each code hosting service you use.
1. GitHub
Follow the procedure below to enable branch protection rules on GitHub:
Before you begin
Ensure you are on the GitHub Team plan (or higher) if the repository is private; public repositories can use branch protection on the Free plan.
Ensure you have admin access to the repository, which is required to change its security settings.
Procedure
Log in to GitHub with your credentials and navigate to the main page of the repository.
Under the repository name, click on Settings.
On the sidebar under the Code and Automation section, click Branches.
Click Add rule next to the Branch protection rules.
Under the Branch name pattern, type the branch name or pattern you want to protect.
Enable required pull requests:
Select Require a pull request before merging.
Optionally, to require an approval before any pull request can be merged:
Select Require approvals.
Set the required number of approvals from the drop-down menu (at least 1).
Select Require status checks to pass before merging. Note: This option needs at least one status check (for example a CI workflow) to have reported on the repository. If you cannot enable it, you can ask Sprinto support to disable this check for you.
Select Do not allow bypassing the above settings so that the rules also apply to administrators. This is the setting the Sprinto check looks for.
Ensure Dependabot, GitHub's free dependency vulnerability scanner, is enabled on all production repositories:
Go to the repository main page on your GitHub account.
Under your repository name, click Settings.
On the sidebar under the Security section, click Code security and analysis.
On Code security and analysis page, click Enable next to Dependabot alerts.
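To verify the result without clicking through the UI, the following Python script evaluates the JSON that the GitHub REST API returns for a protected branch (GET /repos/{owner}/{repo}/branches/{branch}/protection, which you can fetch with `gh api repos/OWNER/REPO/branches/main/protection`) against the four settings above. This is an added example, not Sprinto's tooling or code from this article. The two sample responses are constructed for illustration, and the minimum of one approval is an assumption that matches the GitLab and Azure DevOps guidance later on this page.

```python
"""Evaluate a GitHub branch-protection response against the settings described above.

Added example (not Sprinto's code). Input is the parsed JSON body of
GET /repos/{owner}/{repo}/branches/{branch}/protection, or None when the API
answered 404 ("Branch not protected"), meaning no rule exists for the branch.
"""
import json

MIN_APPROVALS = 1  # assumption: one approving review, as in the GitLab/Azure steps

# Constructed sample responses; shape modeled on the GitHub REST API, not real repos.
COMPLIANT = {
    "required_pull_request_reviews": {"required_approving_review_count": 1},
    "required_status_checks": {"strict": True, "contexts": ["ci/build"]},
    "enforce_admins": {"enabled": True},
}

NONCOMPLIANT = {
    # PR required, but zero approvals, no status checks, and admins may bypass.
    "required_pull_request_reviews": {"required_approving_review_count": 0},
    "enforce_admins": {"enabled": False},
}


def evaluate_branch_protection(protection, min_approvals=MIN_APPROVALS):
    """Return a list of findings; an empty list means the branch passes."""
    if protection is None:
        return ["no branch protection rule exists for this branch"]

    findings = []

    # "Require a pull request before merging" + "Require approvals"
    reviews = protection.get("required_pull_request_reviews")
    if reviews is None:
        findings.append("'Require a pull request before merging' is off")
    else:
        count = reviews.get("required_approving_review_count", 0)
        if count < min_approvals:
            findings.append(
                f"required approvals is {count}, need at least {min_approvals}"
            )

    # "Require status checks to pass before merging"
    checks = protection.get("required_status_checks")
    if checks is None:
        findings.append("'Require status checks to pass before merging' is off")
    elif not checks.get("contexts") and not checks.get("checks"):
        findings.append("status checks are required but no check is selected")

    # "Do not allow bypassing the above settings" (applies the rule to admins)
    if not protection.get("enforce_admins", {}).get("enabled", False):
        findings.append("'Do not allow bypassing the above settings' is off: admins can bypass")

    return findings


def is_compliant(protection, min_approvals=MIN_APPROVALS):
    return not evaluate_branch_protection(protection, min_approvals)


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        # Usage: gh api repos/OWNER/REPO/branches/main/protection > prot.json
        #        python check_protection.py prot.json
        with open(sys.argv[1]) as fh:
            print(evaluate_branch_protection(json.load(fh)) or "OK")
    else:
        for name, sample in (("compliant", COMPLIANT),
                             ("noncompliant", NONCOMPLIANT),
                             ("unprotected", None)):
            print(f"{name}: {evaluate_branch_protection(sample) or 'OK'}")
```

Run it against every production repository's default branch; any non-empty result names the exact UI option that still has to be changed. A 404 from the API is treated as a failure rather than an error, because an unprotected branch is precisely the condition the Sprinto check flags.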
2. GitLab
Follow the procedure below to enable branch protection rules on GitLab:
Before you begin
Ensure you are on the GitLab Premium tier (or higher); merge request approval rules require it, although protected branches themselves are available on all tiers.
Ensure you have the Maintainer or Owner role on the project or group, which is required to change its security settings.
Procedure
Note: Repeat the procedure below for each GitLab project and group that contains production code repositories.
Go to Projects > Your Project.
Go to Settings > Repository > Protected branches:
Protect the default branch and every production branch, and restrict who is allowed to push and merge so that changes can only arrive through a merge request.
Go to Settings > Merge requests:
Under Merge checks, enable Pipelines must succeed so that a merge request cannot be merged while its pipeline is failing.
Now, from the main menu, go to Groups > Your groups.
Select the group (or project) that contains production repositories, and:
Click Settings > General > Merge request approvals.
Set the number of approvals required to 1.
Click Add approval rule.
Configure the approval rule (for example, which users or groups are eligible approvers).
3. Bitbucket
Follow the procedure below to enable branch protection rules on Bitbucket:
Before you begin
Ensure you are on the Bitbucket Premium plan; branch restrictions are available on all plans, but merge checks such as required approvals need Premium.
Ensure you have admin access to the repository, which is required to change its security settings.
Procedure
Log in to your Bitbucket account.
Click Repositories in the main menu and open the production repository.
Click Repository settings.
On the sidebar, under the Workflow section, click Branch restrictions.
Add a restriction for each production branch that blocks direct pushes and requires changes to arrive through a pull request with at least one approval, mirroring the settings described for GitHub above.
4. AWS CodeCommit
Follow the procedure below to enable branch protection rules on AWS CodeCommit:
Before you begin
Familiarize yourself with approval rules for pull requests in AWS CodeCommit.
Familiarize yourself with the AWS managed policies that grant access to approval rule templates.
Procedure
Refer to the AWS CodeCommit documentation for creating approval rule templates and associating them with your production repositories. See Permissions for actions on approval rule templates and AWS-managed policies for CodeCommit.
5. Azure DevOps
Follow the procedure below to enable branch protection rules on Azure DevOps:
Before you begin
Ensure you have access to manage the branch policies on Azure DevOps.
Ensure that the policies are enabled at the branch level.
Procedure
Select Repos > Branches in the Azure DevOps web portal to manage branch policies.
Search for the branch and choose Branch policies.
Enable Require a minimum number of reviewers and set the required number (at least 1).
Note: Policies should be enabled at the branch level as they are not synced from Project level settings.
Applying these branch protection rules ensures a secure and compliant development practice across all production repositories tracked by Sprinto. On its next sync, Sprinto picks up the change and sets the branch protection check to “Passing.” If you need any assistance with the Sprinto check, please get in touch with Sprinto Support.