Ensure branch protection is enforced on the default branch
Why this matters
The default branch (for example, main or master) is typically the source of production deployments and represents the most critical part of your codebase.
Without branch protection, contributors—including admins—can push or merge changes directly, bypassing review, testing, or CI/CD validation.
Enforcing branch protection on the default branch ensures that:
- All commits to the primary branch are reviewed and verified
- CI/CD status checks and quality gates must pass before merge
- Direct pushes, force pushes, or unreviewed merges are prevented
Without this control, untested or unauthorized code changes could be introduced, increasing the risk of instability and security incidents.
What this check does
This check verifies that the repository’s default branch is covered by at least one branch protection rule.
A valid rule should enforce restrictions such as required reviews, passing status checks, or restricted pushes.
How to fix it
From the GitHub Web Console
- Go to the repository on GitHub.
- Navigate to Settings → Branches.
- Under Branch protection rules, click Add rule.
- In the Branch name pattern field, enter your default branch name (for example, main).
- Configure desired protections such as:
- Require pull request reviews before merging
- Require status checks to pass before merging
- Include administrators
- Require conversation resolution before merging
- Click Create or Save changes.
Once created, the default branch becomes protected, and direct pushes or unreviewed merges will be blocked.
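As an added example (not part of this page or of the tool that runs the check), the following Python script performs the same verification against the GitHub REST API: it resolves the repository's default branch, fetches that branch's protection rule, and reports which of the protections listed in the steps above the rule leaves unset. The endpoint paths and JSON field names are GitHub's; the token and the owner/repo arguments are assumptions, and the two sample rule objects are constructed for offline use.

```python
import json
import urllib.error
import urllib.request

def fetch_json(path, token):
    """GET a GitHub REST endpoint; None on 404 (the branch has no protection rule)."""
    req = urllib.request.Request("https://api.github.com" + path, headers={
        "Authorization": "Bearer " + token, "Accept": "application/vnd.github+json"})
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise

def evaluate_protection(rule):
    """Grade GET /repos/{o}/{r}/branches/{b}/protection JSON. Returns (passes, gaps):
    passes mirrors the check (a rule exists and enforces reviews, status checks or
    push restrictions); gaps lists the fix-it protections the rule leaves unset."""
    if rule is None:
        return False, ["no branch protection rule on the default branch"]
    reviews = rule.get("required_pull_request_reviews")
    checks = rule.get("required_status_checks") or {}
    has_checks = bool(checks.get("contexts") or checks.get("checks"))
    # Several settings are {"enabled": bool} sub-objects that may be absent entirely.
    def flag(key): return bool((rule.get(key) or {}).get("enabled"))
    gaps = [msg for cond, msg in (
        (reviews is None, "pull request reviews not required before merging"),
        (not has_checks, "no status checks required before merging"),
        (not flag("enforce_admins"), "administrators are not included"),
        (not flag("required_conversation_resolution"), "conversation resolution not required"),
        (flag("allow_force_pushes"), "force pushes are allowed"),
    ) if cond]
    passes = reviews is not None or has_checks or rule.get("restrictions") is not None
    return passes, gaps

def check_repo(owner, repo, token):
    """Resolve the default branch, then fetch and grade its protection rule."""
    branch = fetch_json(f"/repos/{owner}/{repo}", token)["default_branch"]
    path = f"/repos/{owner}/{repo}/branches/{branch}/protection"
    return branch, evaluate_protection(fetch_json(path, token))

# Constructed sample responses (not captured from a real repository).
WEAK_RULE = {"required_pull_request_reviews": None, "required_status_checks": None,
             "restrictions": {"users": [], "teams": [], "apps": []},
             "enforce_admins": {"enabled": False}, "allow_force_pushes": {"enabled": True}}
STRONG_RULE = {"required_pull_request_reviews": {"required_approving_review_count": 1},
               "required_status_checks": {"strict": True, "contexts": ["ci/test"]},
               "enforce_admins": {"enabled": True}, "allow_force_pushes": {"enabled": False},
               "required_conversation_resolution": {"enabled": True}}
```

WEAK_RULE passes the check (a rule exists and restricts pushes) but still reports every gap, which is the situation the Exceptions below describe: a rule that exists is not the same as a rule that enforces the intended controls.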
Exceptions
- Admins can still modify or delete the protection rule unless organization policies restrict it.
- Repositories using automated pipelines may need to whitelist service accounts for merges.
- Branch protection must be configured per repository—it is not inherited organization-wide by default.