Ensure a CODEOWNERS file exists in the repository

Framework Reference: A.8.25 (Secure Development Lifecycle)
Integration: GitHub – Repository Configuration

Why this matters

A CODEOWNERS file defines who is responsible for specific files, directories, or components in a repository.
It enforces clear ownership and accountability by automatically requesting reviews from the designated owners when relevant files are modified.

Having a CODEOWNERS file ensures that:

  • Changes to sensitive or business-critical components are reviewed by the appropriate team members
  • Code reviews are consistent and traceable
  • Secure development and segregation of duties principles are upheld

Without it, ownership of files becomes ambiguous, and important changes may be merged without the necessary oversight.
What this check does

This check verifies that a valid CODEOWNERS file exists in one of the supported locations within the repository:

  • The root directory (/CODEOWNERS)
  • The .github/ directory (/.github/CODEOWNERS)
  • The docs/ directory (/docs/CODEOWNERS)

The check passes if a CODEOWNERS file is found in any of these paths and is properly readable by GitHub.

How to fix it

From the GitHub Web Console or via Git

  1. Create a file named CODEOWNERS in one of the following directories:
    • The root directory of the repository
    • .github/ directory
    • docs/ directory
  2. Define ownership rules using the format:
    *.js        @frontend-team
    /infra/     @devops-leads
    *.py        @backend-team
  3. Commit and push the CODEOWNERS file to the default branch.
  4. Ensure that the file syntax follows GitHub’s pattern-matching rules and that all mentioned users or teams have access to the repository.

Once the file is committed, GitHub will automatically request reviews from the specified code owners whenever matching files are changed in a pull request.
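The check above, written out as a small script: it looks for CODEOWNERS in the three supported locations and flags rules GitHub could not apply (a pattern with no owner, or an owner that is neither @user, @org/team nor an e-mail address). This is an added illustration, not the product's own check; the sample repository it builds is constructed for the run.

```python
from pathlib import Path
import re
import tempfile

# The three locations GitHub reads CODEOWNERS from.
CODEOWNERS_PATHS = ("CODEOWNERS", ".github/CODEOWNERS", "docs/CODEOWNERS")

# Owner tokens GitHub accepts: @user, @org/team, or an e-mail address.
OWNER_RE = re.compile(r"^(@[\w.-]+(/[\w.-]+)?|[^@\s]+@[^@\s]+\.[^@\s]+)$")


def find_codeowners(repo_root):
    """Return the first CODEOWNERS path present in a supported location, else None."""
    for rel in CODEOWNERS_PATHS:
        candidate = Path(repo_root) / rel
        if candidate.is_file():
            return candidate
    return None


def validate_codeowners(text):
    """Return a list of (line_no, problem) for rules GitHub would not apply."""
    problems = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):   # blank lines and comments
            continue
        pattern, *owners = line.split()        # pattern, then one or more owners
        if not owners:
            problems.append((line_no, f"pattern {pattern!r} has no owner"))
            continue
        for owner in owners:
            if not OWNER_RE.match(owner):
                problems.append((line_no, f"malformed owner {owner!r}"))
    return problems


def check_repository(repo_root):
    """Apply the control: file present in a supported path and every rule well-formed."""
    path = find_codeowners(repo_root)
    if path is None:
        return False, ["no CODEOWNERS file in /, .github/ or docs/"]
    problems = validate_codeowners(path.read_text(encoding="utf-8"))
    return not problems, [f"{path.name}:{n}: {msg}" for n, msg in problems]


if __name__ == "__main__":
    # Constructed sample repository: CODEOWNERS in .github/ with one rule missing its owner.
    with tempfile.TemporaryDirectory() as repo:
        (Path(repo) / ".github").mkdir()
        (Path(repo) / ".github" / "CODEOWNERS").write_text(
            "*.js        @frontend-team\n/infra/     @devops-leads\n*.py\n")
        print(check_repository(repo))
```

Note that the script cannot tell whether a named user or team actually has access to the repository; that part of step 4 still has to be confirmed against the repository's collaborator settings.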
Exceptions

  • A CODEOWNERS file only takes effect if it is located in one of the three supported directories.
  • Invalid patterns, typos in usernames, or teams without access to the repository will prevent GitHub from applying ownership rules.
  • Organizations using branch protection with “Require review from Code Owners” depend on this file being valid and present.
