steampipe plugin install github

Table: github_branch_protection - Query GitHub Branch Protections using SQL

GitHub Branch Protection is a feature that lets you define rules for branches, typically the ones that feed a project's release or deployment process. A rule can require status checks, require pull request reviews, require signed commits, and restrict who may push to the branch. Branch protection helps maintain code integrity by enforcing workflow policy and by preventing force pushes and accidental branch deletion.

Table Usage Guide

The github_branch_protection table provides insight into the branch protection rules of a GitHub repository. As a DevOps engineer or repository manager, use it to inspect rule-level details such as required status checks, required pull request reviews, and push restrictions, and to find rules with strict requirements, rules that require signed commits, and the users, teams, and apps that are allowed to push to or bypass protections on a branch.

Important Notes

  • You must specify the repository_full_name column in the where or join clause to list the rules of a repository. A single rule can instead be fetched by its node_id (see the example below); the two key columns are the ones marked with the = operator in the schema.
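
The join form of the key-column requirement is the one that matters for an audit, because it lets a single query cover every repository the token can see. The following is an added example, not a query from the Steampipe documentation; it assumes the github_my_repository table and its name_with_owner column are present in the installed plugin version, and that Steampipe pushes the key-column qual through the join condition (the behaviour the note above describes).

```sql
-- Added example (not from the Steampipe docs). Assumes github_my_repository exposes
-- name_with_owner and that repository_full_name is pushed down through the join.

-- 1. Repositories with no branch protection rule at all. The left join keeps
--    repositories for which github_branch_protection returns no rows.
select
  r.name_with_owner,
  count(b.node_id) as rule_count
from
  github_my_repository as r
  left join github_branch_protection as b
    on b.repository_full_name = r.name_with_owner
group by
  r.name_with_owner
having
  count(b.node_id) = 0
order by
  r.name_with_owner;

-- 2. Every rule across all repositories, with the settings that decide whether a
--    rule actually protects anything: does it match a branch, does it bind admins,
--    and can history be rewritten or the branch deleted.
select
  b.repository_full_name,
  b.pattern,
  b.matching_branches,
  b.is_admin_enforced,
  b.allows_force_pushes,
  b.allows_deletions,
  b.requires_approving_reviews,
  b.required_approving_review_count
from
  github_my_repository as r
  join github_branch_protection as b
    on b.repository_full_name = r.name_with_owner
order by
  b.repository_full_name,
  b.pattern;
```

Run the first query before the second: a repository that is absent from the branch protection table has nothing to audit, and that absence is itself the finding.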

Examples

List all branch protection rules for a repository

Explore the safety measures applied to a specific repository to understand its level of protection against unauthorized changes.

select
  *
from
  github_branch_protection
where
  repository_full_name = 'turbot/steampipe';

Get a single branch protection rule by node id

Fetch one rule by its GraphQL node ID to see the exact restrictions it applies. The node ID is returned by the listing query above; the value shown here is a placeholder.

select
  node_id,
  matching_branches,
  is_admin_enforced,
  allows_deletions,
  allows_force_pushes,
  blocks_creations,
  creator_login,
  dismisses_stale_reviews,
  lock_allows_fetch_and_merge,
  lock_branch,
  require_last_push_approval,
  requires_approving_reviews,
  requires_commit_signatures,
  restricts_pushes,
  push_allowance_apps,
  push_allowance_teams,
  push_allowance_users
from
  github_branch_protection
where
  node_id = 'BPR_xxXXXX0X0X0XXXX0';

List branch protection rules which are not currently utilised

Find rules in the 'turbot/steampipe' repository whose pattern currently matches no branch. Such a rule protects nothing; it is either stale (the branch was renamed or deleted) or mistyped, and a mistyped pattern can leave the branch it was meant for unprotected.

select
  *
from
  github_branch_protection
where
  repository_full_name = 'turbot/steampipe'
  and matching_branches = 0;

Get branch protection rules that require signed commits

List the rules in the 'turbot/steampipe' repository that require commits to carry a verified signature. This helps maintain code integrity by ensuring only commits with verified authorship can land on the protected branches.

select
  repository_full_name,
  pattern,
  matching_branches
from
  github_branch_protection
where
  repository_full_name = 'turbot/steampipe'
  and requires_commit_signatures = true;
The same query in SQLite syntax (the plugin is also shipped as a SQLite extension), where boolean columns are compared against 1 rather than true:

select
  repository_full_name,
  pattern,
  matching_branches
from
  github_branch_protection
where
  repository_full_name = 'turbot/steampipe'
  and requires_commit_signatures = 1;

Schema for github_branch_protection

Name | Type | Operators | Description
_ctx | jsonb | | Steampipe context in JSON form, e.g. connection_name.
allows_deletions | boolean | | If true, users with push access can delete matching branches.
allows_force_pushes | boolean | | If true, force pushes are permitted for all users with push access.
blocks_creations | boolean | | If true, branch creation is a protected operation.
bypass_force_push_allowance_apps | jsonb | | Applications can force push to the branch only if in this list.
bypass_force_push_allowance_teams | jsonb | | Teams can force push to the branch only if in this list.
bypass_force_push_allowance_users | jsonb | | Users can force push to the branch only if in this list.
bypass_pull_request_allowance_apps | jsonb | | Applications can bypass pull requests to the branch only if in this list.
bypass_pull_request_allowance_teams | jsonb | | Teams can bypass pull requests to the branch only if in this list.
bypass_pull_request_allowance_users | jsonb | | Users can bypass pull requests to the branch only if in this list.
creator_login | text | | The login of the user who created the branch protection rule.
dismisses_stale_reviews | boolean | | If true, new commits pushed to matching branches dismiss existing pull request review approvals.
id | bigint | | The ID of the branch protection rule.
is_admin_enforced | boolean | | If true, all configured restrictions are also enforced for administrators.
lock_allows_fetch_and_merge | boolean | | If true, users can pull changes from upstream when the branch is locked.
lock_branch | boolean | | If true, matching branches are read-only and cannot be pushed to.
matching_branches | bigint | | Count of branches which match this rule.
node_id | text | = | The Node ID of the branch protection rule.
pattern | text | | The protection rule pattern.
push_allowance_apps | jsonb | | Applications can push to the branch only if in this list.
push_allowance_teams | jsonb | | Teams can push to the branch only if in this list.
push_allowance_users | jsonb | | Users can push to the branch only if in this list.
repository_full_name | text | = | The full name of the repository (login/repo-name).
require_last_push_approval | boolean | | If true, the most recent push must be approved by someone other than the person who pushed it.
required_approving_review_count | bigint | | Number of approving reviews required to update matching branches.
required_deployment_environments | jsonb | | List of deployment environments that must be deployed successfully before matching branches can be updated.
required_status_checks | jsonb | | Status checks that must pass before a branch can be merged into branches matching this rule.
requires_approving_reviews | boolean | | If true, approving reviews are required to update matching branches.
requires_code_owner_reviews | boolean | | If true, reviews from code owners are required to update matching branches.
requires_commit_signatures | boolean | | If true, commits must carry verified signatures.
requires_conversation_resolution | boolean | | If true, all conversations on a pull request must be resolved before it can be merged into a protected branch.
requires_deployments | boolean | | If true, matching branches require deployment to specific environments before merging.
requires_linear_history | boolean | | If true, merge commits cannot be pushed to matching branches.
requires_status_checks | boolean | | If true, status checks are required to update matching branches.
requires_strict_status_checks | boolean | | If true, branches must be up to date with the base branch before merging.
restricts_pushes | boolean | | If true, pushing to matching branches is restricted.
restricts_review_dismissals | boolean | | If true, review dismissals are restricted.
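
The nine jsonb allowance columns are where a rule's exceptions live: every entry is an identity that can push, rewrite history, or merge without review. The query below is an added example, not part of the Steampipe documentation; it flattens all nine lists for one repository into one row per actor. It assumes each column holds a JSON array (the schema calls them lists) and makes no assumption about the element shape, so each actor is returned as raw jsonb for inspection.

```sql
-- Added example (not from the Steampipe docs): one row per (rule, allowance kind, actor).
-- Assumes the allowance columns are JSON arrays; non-array values yield no rows.
with allowances as (
  select
    b.repository_full_name,
    b.pattern,
    v.kind,
    v.actors
  from
    github_branch_protection as b
    cross join lateral (
      values
        ('push:user',       b.push_allowance_users),
        ('push:team',       b.push_allowance_teams),
        ('push:app',        b.push_allowance_apps),
        ('force_push:user', b.bypass_force_push_allowance_users),
        ('force_push:team', b.bypass_force_push_allowance_teams),
        ('force_push:app',  b.bypass_force_push_allowance_apps),
        ('pr_bypass:user',  b.bypass_pull_request_allowance_users),
        ('pr_bypass:team',  b.bypass_pull_request_allowance_teams),
        ('pr_bypass:app',   b.bypass_pull_request_allowance_apps)
    ) as v(kind, actors)
  where
    b.repository_full_name = 'turbot/steampipe'
)
select
  a.repository_full_name,
  a.pattern,
  a.kind,
  actor
from
  allowances as a
  -- Guard with jsonb_typeof so a null or non-array value is skipped instead of
  -- raising "cannot extract elements" from jsonb_array_elements.
  cross join lateral jsonb_array_elements(
    case when jsonb_typeof(a.actors) = 'array' then a.actors end
  ) as actor
order by
  a.repository_full_name,
  a.pattern,
  a.kind;
```

Rows with kind 'pr_bypass:*' deserve the closest look: those actors can merge into the branch without satisfying the review requirements the rule otherwise enforces, so each one should map to a documented reason (a release bot, for instance) rather than a convenience.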

Export

This table is also available through a standalone exporter CLI. Steampipe exporters are stand-alone binaries that extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- github

You can pass the configuration to the command with the --config argument:

steampipe_export_github --config '<your_config>' github_branch_protection