Ensure admins are subject to branch protection rules
Why this matters
Administrators have elevated permissions and can override most repository restrictions by default.
If branch protection rules do not apply to admins, they can merge or push code directly to protected branches without reviews or checks, bypassing security and quality controls.
Enforcing branch protection for administrators ensures that:
- All contributors, regardless of role, follow the same review and merge process
- Critical branches (like main or production) remain protected from unreviewed changes
- The repository maintains consistent compliance with secure development standards
Without this safeguard, even well-intentioned administrative actions can introduce untested or insecure code.
What this check does
This check verifies that “Include administrators” is enabled in the branch protection rules for all protected branches.
When active, this setting enforces the same restrictions—such as required reviews, status checks, and merge rules—on administrators as it does on other users.
How to fix it
From the GitHub Web Console
- Go to your repository on GitHub.
- Navigate to Settings → Branches.
- Under Branch protection rules, click Add rule or edit an existing one.
- Scroll to the bottom of the rule configuration.
- Check Include administrators to apply all protection rules to admin users.
- Click Save changes.
Once enabled, administrators will be required to meet all protection criteria before merging or pushing to the protected branch.
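The check described above and the fix it asks for can also be driven from the GitHub REST API, where the "Include administrators" checkbox surfaces as the `enforce_admins.enabled` field of `GET /repos/{owner}/{repo}/branches/{branch}/protection`. The script below is an added example, not part of this page or of any official tooling: it evaluates that field for every protected branch, reports the ones where admins are exempt, and prints the `gh api` call that enables enforcement (the `POST .../protection/enforce_admins` endpoint). The `fetch_protection` helper shells out to the `gh` CLI and needs an authenticated session; the `SAMPLE` responses and the `OWNER/REPO` names are constructed so the audit logic runs offline.

```python
"""Audit GitHub branch protection for the "Include administrators" setting.

Operates on the JSON returned by
    GET /repos/{owner}/{repo}/branches/{branch}/protection
whose `enforce_admins.enabled` field mirrors the "Include administrators"
checkbox in the web UI. Example code; not part of the original page.
"""
import json
import subprocess
from typing import Dict, List


def admins_included(protection: dict) -> bool:
    """True when the rule also binds administrators (enforce_admins.enabled).

    A missing or malformed `enforce_admins` object is treated as *not*
    enforced, so an unexpected API shape fails closed instead of passing.
    """
    enforce = protection.get("enforce_admins")
    if not isinstance(enforce, dict):
        return False
    return enforce.get("enabled") is True


def audit_branches(owner: str, repo: str, protections: Dict[str, dict]) -> List[dict]:
    """Return one finding per protected branch whose rule exempts admins.

    `protections` maps branch name -> protection JSON from the API.
    Each finding carries the `gh api` call that turns enforcement on
    (POST .../protection/enforce_admins is the documented "enable" endpoint).
    """
    findings = []
    for branch, rule in sorted(protections.items()):
        if admins_included(rule):
            continue
        findings.append({
            "branch": branch,
            "issue": "branch protection does not include administrators",
            "fix": (f"gh api -X POST repos/{owner}/{repo}/branches/"
                    f"{branch}/protection/enforce_admins"),
        })
    return findings


def fetch_protection(owner: str, repo: str, branch: str) -> dict:
    """Live lookup through the gh CLI (requires `gh auth login`); not used offline."""
    out = subprocess.run(
        ["gh", "api", f"repos/{owner}/{repo}/branches/{branch}/protection"],
        check=True, capture_output=True, text=True,
    ).stdout
    return json.loads(out)


# Constructed sample responses: the shape follows the API, the values are made up.
SAMPLE: Dict[str, dict] = {
    "main": {  # compliant: rule includes administrators
        "enforce_admins": {"url": "https://api.github.com/.../enforce_admins",
                           "enabled": True},
        "required_pull_request_reviews": {"required_approving_review_count": 1},
    },
    "production": {  # non-compliant: admins can bypass reviews and checks
        "enforce_admins": {"url": "https://api.github.com/.../enforce_admins",
                           "enabled": False},
        "required_status_checks": {"strict": True, "contexts": ["ci/test"]},
    },
    "release": {  # unexpected shape: no enforce_admins object at all
        "required_status_checks": {"strict": False, "contexts": []},
    },
}


def main() -> None:
    findings = audit_branches("OWNER", "REPO", SAMPLE)  # placeholder owner/repo
    if not findings:
        print("PASS: all protected branches include administrators")
        return
    for f in findings:
        print(f"FAIL {f['branch']}: {f['issue']}")
        print(f"     fix: {f['fix']}")


if __name__ == "__main__":
    main()
```

To run it against a real repository, replace `SAMPLE` with a dictionary built from `fetch_protection()` for each branch listed by `GET /repos/{owner}/{repo}/branches?protected=true`. Treating a missing `enforce_admins` object as a failure is deliberate: a check that passes on data it does not understand is worse than a false positive.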
Exceptions
- Admins can still change or remove the protection rule itself if they have repository admin rights.
- This control only applies to branches covered by existing protection rules.
- Organizations using mandatory review policies through GitHub Enterprise may already enforce this globally.