Security check

GitHub branch protection: stop unsafe code reaching production

An unprotected main branch means anyone with write access can push straight to production β€” no review, no CI. We check branch protection per repo across your whole org.

Run a free domain scan All checks β†’
Relates to: NIS2 Β· art. 21 β€” secure development ISO 27001 Β· A.8.28 secure coding SOC 2 Β· CC8.1 change management OWASP Β· CI/CD-SEC

What we check

We read the branch protection rules on your default branches: do you require pull request review, green status checks, signed commits, linear history β€” and can admins bypass it all with a direct push?

Why it matters

Change management is a core control in SOC 2, ISO 27001 and NIS2. An unprotected branch is also the easiest path for a compromised developer key to slip backdoors into production unseen.

How Security Guru tests it

Common mistakes

  • Branch protection on 'main' but code merges to 'master' or 'develop'
  • Admins allowed to bypass the rules (enforce_admins off)
  • Required reviews set to 0 β€” the rule exists but requires no reviewer
  • New repos inherit no protection (no org default)

What you get in the report

  • Protection status per repo β€” green/red with exactly what's missing
  • Repos with no protected branch at all
  • Recommended org baseline and how to set it
  • Mapping to SOC 2 CC8.1 / ISO A.8.28 / NIS2

FAQ

Do you clone our code?

For the branch-protection check: no β€” we only read repo settings via the GitHub API. Deeper repo scanning (secrets/dependencies) is a separate, optional step.

What access is needed?

A read token with repo and org read. We never write anything to your repos.

Do you cover GitHub Enterprise?

Yes, both github.com orgs and GitHub Enterprise Cloud.

Want to know your status?

Run a free scan or order a full Security Assessment β€” prioritised, not noise.

Run a free domain scan