TF 0477 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
GitHub branch protection does not require signed commits.
| Property | Value |
|---|---|
| Language | |
| Severity | |
| Service | branch_protections |
| Provider | GitHub |
| Vulnerability Type | omission |
Description
Branch protection rules on GitHub are configured without requiring signed commits, allowing unsigned or unverified commits to be pushed to protected branches. This weakens the trustworthiness of commit history and increases the risk of unauthorized changes.
Impact
Without enforced commit signing, attackers or unauthorized users could push unverified changes to critical branches. Because such commits carry no verifiable signature, it becomes difficult to trace the origin of code, and the risk of malicious or unauthorized code being merged into production increases.
Resolution
Require signed commits in the branch protection rule, so that only commits with a verified signature can be pushed to the protected branch.
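As an added example (not part of the Symbiotic database entry), the omission and its fix expressed as a `github_branch_protection` rule managed with the integrations/github Terraform provider; the repository resource name `example` and the branch pattern `main` are assumptions, and only one of the two rules would be applied in practice.

```terraform
# Constructed example: the same branch protection rule before and after the fix.
# Assumes a github_repository resource named "example" is defined elsewhere.

# Before (vulnerable): require_signed_commits is omitted and therefore defaults
# to false, so unsigned or unverified commits can be pushed to "main" even
# though pull request reviews are enforced.
resource "github_branch_protection" "main_before" {
  repository_id = github_repository.example.node_id
  pattern       = "main"

  required_pull_request_reviews {
    required_approving_review_count = 1
  }
}

# After (fixed): require_signed_commits = true makes GitHub reject any push to
# "main" that contains a commit without a verified signature.
resource "github_branch_protection" "main_after" {
  repository_id = github_repository.example.node_id
  pattern       = "main"

  require_signed_commits = true

  required_pull_request_reviews {
    required_approving_review_count = 1
  }
}
```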