Control: 1.1.12 Ensure verification of signed commits for new changes before merging
Ensure every commit in a pull request is signed and verified before merging.
Signing commits, or requiring to sign commits, gives other users confidence about the origin of a specific code change. It ensures that the author of the change is not hidden and is verified by the version control system, thus the change comes from a trusted source.
Note: Pull requests with unsigned commits cannot be merged.
Ensure only signed commits can be merged for every branch, especially the main branch, via branch protection rules.
For each repository in use, enforce the branch protection rule of requiring signed commits, and make sure only signed commits are capable of merging.
Run the control in your terminal:
steampipe check github_compliance.control.cis_supply_chain_v100_1_1_12
Snapshot and share results via Steampipe Cloud:
steampipe loginsteampipe check --share github_compliance.control.cis_supply_chain_v100_1_1_12
This control uses a named query:default_branch_requires_signed_commits