Ensure at least two approvals are required before merging code
Why this matters
Requiring multiple approvals before merging code ensures that every change is reviewed by more than one team member, reducing the risk of introducing security vulnerabilities, logic errors, or non-compliant changes.
This control enforces peer review, supports separation of duties, and aligns with secure development and change management practices.
Without a minimum of two approvals, a single reviewer could inadvertently approve and merge risky code, increasing the likelihood of defects or security issues reaching production. Two approvals also raise the bar for a deliberate attack: because GitHub does not let the author of a pull request approve it, a change cannot reach the protected branch with only the author's account plus one compromised or colluding reviewer account.
What this check does
This check verifies that:
- A branch protection rule exists for the repository’s main or protected branch (e.g., main, master, or production).
- The “Require pull request reviews before merging” setting is enabled.
- The number of required approving reviews is set to 2 or more.
If the rule is missing, or exists but requires fewer than two approving reviews, the check fails; if the rule’s settings cannot be read at all, the check returns “Unable to verify” rather than a pass.
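The check logic above, as an added example that is not part of the original page or of any particular scanner: it interprets the response of the GitHub REST call GET /repos/{owner}/{repo}/branches/{branch}/protection (a 404 from that endpoint means no rule matches the branch) and applies the two-approval threshold. The function does no I/O, so it can be run over captured responses; the sample responses below are constructed for illustration and contain only the fields the check reads. The warnings for administrator bypass and undismissed stale approvals correspond to the exceptions listed later on this page.

```python
"""Evaluate a GitHub branch-protection response against the two-approval control."""
from dataclasses import dataclass
from typing import Optional

MIN_APPROVALS = 2  # the control's threshold


@dataclass(frozen=True)
class CheckResult:
    status: str          # "PASS", "FAIL" or "UNABLE_TO_VERIFY"
    reason: str
    warnings: tuple = ()


def evaluate_branch_protection(http_status: int, body: Optional[dict]) -> CheckResult:
    """Interpret GET /repos/{owner}/{repo}/branches/{branch}/protection.

    http_status and body are whatever the HTTP client returned; no network access here.
    """
    if http_status == 404:
        # GitHub answers 404 ("Branch not protected") when no rule matches the branch.
        return CheckResult("FAIL", "no branch protection rule matches this branch")
    if http_status != 200 or body is None:
        # Bad token (401), insufficient permission (403), outage: we cannot tell either way.
        return CheckResult("UNABLE_TO_VERIFY",
                           f"protection settings could not be read (HTTP {http_status})")

    reviews = body.get("required_pull_request_reviews")
    if not reviews:
        # A rule exists, but "Require pull request reviews before merging" is off.
        return CheckResult("FAIL", "pull request reviews are not required before merging")

    count = int(reviews.get("required_approving_review_count", 0))
    if count < MIN_APPROVALS:
        return CheckResult("FAIL",
                           f"{count} approving review(s) required, control needs {MIN_APPROVALS}")

    warnings = []
    if not body.get("enforce_admins", {}).get("enabled", False):
        warnings.append("administrators can bypass the rule (Include administrators is off)")
    if not reviews.get("dismiss_stale_reviews", False):
        warnings.append("approvals are not dismissed when new commits are pushed")
    return CheckResult("PASS", f"{count} approving reviews required", tuple(warnings))


# Constructed sample responses (not captured from a real repository), in the shape the
# GitHub REST API uses, trimmed to the fields this check reads.
SAMPLE_COMPLIANT = {
    "required_pull_request_reviews": {"dismiss_stale_reviews": True,
                                      "required_approving_review_count": 2},
    "enforce_admins": {"enabled": True},
}
SAMPLE_ONE_APPROVAL = {
    "required_pull_request_reviews": {"dismiss_stale_reviews": False,
                                      "required_approving_review_count": 1},
    "enforce_admins": {"enabled": False},
}
SAMPLE_ADMIN_BYPASS = {
    "required_pull_request_reviews": {"dismiss_stale_reviews": False,
                                      "required_approving_review_count": 2},
    "enforce_admins": {"enabled": False},
}
SAMPLE_NO_REVIEW_REQUIREMENT = {"enforce_admins": {"enabled": True}}


def run_samples() -> dict:
    """Evaluate every constructed sample plus the two non-200 cases, keyed by scenario."""
    return {
        "compliant": evaluate_branch_protection(200, SAMPLE_COMPLIANT),
        "one_approval": evaluate_branch_protection(200, SAMPLE_ONE_APPROVAL),
        "admin_bypass": evaluate_branch_protection(200, SAMPLE_ADMIN_BYPASS),
        "no_review_requirement": evaluate_branch_protection(200, SAMPLE_NO_REVIEW_REQUIREMENT),
        "unprotected": evaluate_branch_protection(404, None),
        "forbidden": evaluate_branch_protection(403, None),
    }


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:22s} {result.status:18s} {result.reason}")
        for warning in result.warnings:
            print(f"{'':22s} warning: {warning}")
```

Treat a PASS with warnings as worth a follow-up: two required approvals protect little if an administrator can merge past the rule or if approvals granted on an earlier revision still count after new commits land.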
How to fix it
From the GitHub Web Console
- Go to the repository on GitHub.
- Navigate to Settings → Branches.
- Under Branch protection rules, click Add rule or edit an existing one.
- Under Protect matching branches, enter the branch name pattern (e.g., main).
- In the Pull request reviews section:
  - Check Require pull request reviews before merging.
  - Set the required number of approving reviews to 2 or more.
- Click Create or Save changes.
Once configured, GitHub will enforce that each pull request must receive at least two approving reviews before merge.
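The same rule applied through the GitHub REST API instead of the web console, as an added example that is not part of the original page. It uses PUT /repos/{owner}/{repo}/branches/{branch}/protection with required_approving_review_count set to 2, enforce_admins on and dismiss_stale_reviews on. The organisation, repository and token values are placeholders, and the dry-run helper is added here so the request can be inspected without a network call.

```python
"""Apply the two-approval branch protection rule through the GitHub REST API."""
import io
import json
import urllib.request

API_BASE = "https://api.github.com"


def build_protection_body(required_approvals: int = 2,
                          enforce_admins: bool = True,
                          dismiss_stale_reviews: bool = True) -> dict:
    """Request body for PUT /repos/{owner}/{repo}/branches/{branch}/protection.

    The endpoint requires all four top-level keys; null for required_status_checks and
    restrictions leaves those features off. GitHub accepts 0..6 for the approval count;
    this control's floor is 2.
    """
    if not 2 <= required_approvals <= 6:
        raise ValueError("required_approvals must be between 2 (control minimum) and 6")
    return {
        "required_status_checks": None,
        "enforce_admins": enforce_admins,  # the "Include administrators" switch
        "required_pull_request_reviews": {
            "dismiss_stale_reviews": dismiss_stale_reviews,
            "required_approving_review_count": required_approvals,
        },
        "restrictions": None,
    }


def build_request(owner: str, repo: str, branch: str, token: str,
                  body: dict) -> urllib.request.Request:
    """Assemble the authenticated PUT request; token needs repo administration rights."""
    return urllib.request.Request(
        f"{API_BASE}/repos/{owner}/{repo}/branches/{branch}/protection",
        data=json.dumps(body).encode("utf-8"),
        method="PUT",
        headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
            "X-GitHub-Api-Version": "2022-11-28",
            "Content-Type": "application/json",
        },
    )


def apply_branch_protection(owner: str, repo: str, branch: str, token: str,
                            body: dict, opener=urllib.request.urlopen) -> dict:
    """Send the rule. This endpoint replaces the branch's whole protection configuration,
    so any existing setting not present in `body` is dropped: fetch first if you need
    to preserve status checks or push restrictions."""
    with opener(build_request(owner, repo, branch, token, body)) as resp:
        return json.load(resp)


class RecordingOpener:
    """Stand-in for urlopen for a dry run: records the request, returns a canned reply."""

    def __init__(self):
        self.request = None

    def __call__(self, request):
        self.request = request
        return io.BytesIO(b'{"url": "(dry run: nothing was sent)"}')


def dry_run(owner: str = "example-org", repo: str = "example-repo",
            branch: str = "main") -> tuple:
    """Return (method, url, body) that apply_branch_protection would send (placeholders)."""
    recorder = RecordingOpener()
    apply_branch_protection(owner, repo, branch, "TOKEN_PLACEHOLDER",
                            build_protection_body(), opener=recorder)
    req = recorder.request
    return req.get_method(), req.full_url, json.loads(req.data)


if __name__ == "__main__":
    method, url, body = dry_run()
    print(method, url)
    print(json.dumps(body, indent=2))
```

After applying, re-read the protection with a GET to the same endpoint and confirm required_approving_review_count is 2 and enforce_admins is enabled; the web console steps above and this request produce the same rule, so either can be used to verify the other.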
Exceptions
- Admins can bypass this restriction unless “Include administrators” (labelled “Do not allow bypassing the above settings” in the current GitHub interface) is enabled in the protection rule.
- The rule applies only to branches that match the configured name pattern.
- If “Dismiss stale pull request approvals when new commits are pushed” is enabled, commits pushed after an approval will require reviewers to re-approve before merging. Without it, an approval granted on an earlier revision still counts toward the required two, so code added after review can be merged unreviewed.