Table: github_branch_protection - Query GitHub Branch Protections using SQL
GitHub Branch Protection is a feature within GitHub that allows you to define certain rules for branches, particularly those that are part of the project's deployment process. These rules can include required status checks, required pull request reviews, and restrictions on who can push to the branch. Branch Protection helps maintain code integrity by enforcing workflow policies and preventing force pushes and accidental deletions.
Table Usage Guide
The github_branch_protection table provides insights into branch protection rules within GitHub. As a DevOps engineer or a repository manager, explore branch-specific details through this table, including the enforcement of status checks, pull request reviews, and push restrictions. Utilize it to uncover information about branch protections, such as those with strict requirements, the enforcement of signed commits, and the restrictions on who can push to the branch.
Important Notes
- You must specify the repository_full_name column in the where or join clause to query the table.
Examples
List all branch protection rules for a repository
Explore the safety measures applied to a specific repository to understand its level of protection against unauthorized changes.
select * from github_branch_protection where repository_full_name = 'turbot/steampipe';
Get a single branch protection rule by node id
Explore the specific rules and restrictions applied to a particular branch in a GitHub repository. This can be useful for understanding how different branches are managed and protected, and to ensure compliance with best practices for code review and collaboration.
select node_id, matching_branches, is_admin_enforced, allows_deletions, allows_force_pushes, blocks_creations, creator_login, dismisses_stale_reviews, lock_allows_fetch_and_merge, lock_branch, require_last_push_approval, requires_approving_reviews, requires_commit_signatures, restricts_pushes, push_allowance_apps, push_allowance_teams, push_allowance_users from github_branch_protection where node_id = 'BPR_xxXXXX0X0X0XXXX0';
List branch protection rules which are not currently utilised
Determine the areas in which branch protection rules are not being used within the 'turbot/steampipe' repository. This can help in identifying unused rules and optimizing the repository's security configuration.
select * from github_branch_protection where repository_full_name = 'turbot/steampipe' and matching_branches = 0;
Get repositories that require signed commits for merging
Explore which branches in the 'turbot/steampipe' repository have a policy requiring signed commits for merging. This can help maintain code integrity by ensuring only verified changes are merged.
PostgreSQL:
select repository_full_name, pattern, matching_branches from github_branch_protection where repository_full_name = 'turbot/steampipe' and requires_commit_signatures = true;
SQLite:
select repository_full_name, pattern, matching_branches from github_branch_protection where repository_full_name = 'turbot/steampipe' and requires_commit_signatures = 1;
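Audit in-use rules for weak settings. This is an added example, not one of the plugin's documented queries; it assumes PostgreSQL syntax (Steampipe's native engine), reuses the 'turbot/steampipe' repository from the examples above, and assumes the jsonb allowance columns hold JSON arrays (it checks jsonb_typeof so a null or non-array value is treated as "nobody listed"). Only columns from the schema below are used.

```sql
-- Added example (not from the Steampipe docs): collect one text "finding" per weak
-- setting on each active rule, then keep only rules that have at least one finding.
with rule_findings as (
  select
    repository_full_name,
    pattern,
    matching_branches,
    -- array_remove(..., null) drops the CASE branches that did not fire
    array_remove(array[
      case when not is_admin_enforced            then 'not enforced for administrators' end,
      case when allows_force_pushes              then 'force pushes allowed' end,
      case when allows_deletions                 then 'branch deletion allowed' end,
      case when not requires_approving_reviews
             or coalesce(required_approving_review_count, 0) < 1
                                                 then 'no approving review required' end,
      case when not requires_code_owner_reviews  then 'code owner review not required' end,
      case when not requires_status_checks       then 'no status checks required' end,
      case when requires_status_checks
             and not requires_strict_status_checks
                                                 then 'status checks need not be up to date' end,
      case when not requires_commit_signatures   then 'unsigned commits accepted' end,
      case when not dismisses_stale_reviews      then 'stale approvals are kept after new pushes' end,
      -- anyone able to bypass pull requests undermines every review requirement above
      case when jsonb_typeof(bypass_pull_request_allowance_users) = 'array'
             and jsonb_array_length(bypass_pull_request_allowance_users) > 0
                                                 then 'users may bypass pull requests' end,
      case when jsonb_typeof(bypass_pull_request_allowance_teams) = 'array'
             and jsonb_array_length(bypass_pull_request_allowance_teams) > 0
                                                 then 'teams may bypass pull requests' end
    ], null) as findings
  from github_branch_protection
  where repository_full_name = 'turbot/steampipe'   -- required key column (see Important Notes)
    and matching_branches > 0                       -- ignore rules that protect nothing
)
select
  repository_full_name,
  pattern,
  matching_branches,
  cardinality(findings) as finding_count,
  findings
from rule_findings
where cardinality(findings) > 0
order by finding_count desc, pattern;
```

Because a CASE with a null boolean input yields null, a column the API did not populate produces no finding rather than a false positive.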
Schema for github_branch_protection
| Name | Type | Operators | Description |
|---|---|---|---|
| _ctx | jsonb | | Steampipe context in JSON form. |
| allows_deletions | boolean | | If true, allow users with push access to delete matching branches. |
| allows_force_pushes | boolean | | If true, permit force pushes for all users with push access. |
| blocks_creations | boolean | | If true, indicates that branch creation is a protected operation. |
| bypass_force_push_allowance_apps | jsonb | | Applications can force push to the branch only if in this list. |
| bypass_force_push_allowance_teams | jsonb | | Teams can force push to the branch only if in this list. |
| bypass_force_push_allowance_users | jsonb | | Users can force push to the branch only if in this list. |
| bypass_pull_request_allowance_apps | jsonb | | Applications can bypass pull requests to the branch only if in this list. |
| bypass_pull_request_allowance_teams | jsonb | | Teams can bypass pull requests to the branch only if in this list. |
| bypass_pull_request_allowance_users | jsonb | | Users can bypass pull requests to the branch only if in this list. |
| creator_login | text | | The login of the user who created the branch protection rule. |
| dismisses_stale_reviews | boolean | | If true, new commits pushed to matching branches dismiss pull request review approvals. |
| id | bigint | | The ID of the branch protection rule. |
| is_admin_enforced | boolean | | If true, enforce all configured restrictions for administrators. |
| lock_allows_fetch_and_merge | boolean | | If true, users can pull changes from upstream when the branch is locked. |
| lock_branch | boolean | | If true, matching branches are read-only and cannot be pushed to. |
| login_id | text | =, !=, ~~, ~~*, !~~, !~~* | Unique identifier for the user login. |
| matching_branches | bigint | | Count of branches which match this rule. |
| node_id | text | = | The Node ID of the branch protection rule. |
| pattern | text | | The protection rule pattern. |
| push_allowance_apps | jsonb | | Applications can push to the branch only if in this list. |
| push_allowance_teams | jsonb | | Teams can push to the branch only if in this list. |
| push_allowance_users | jsonb | | Users can push to the branch only if in this list. |
| repository_full_name | text | = | The full name of the repository (login/repo-name). |
| require_last_push_approval | boolean | | If true, the most recent push must be approved by someone other than the person who pushed it. |
| required_approving_review_count | bigint | | Number of approving reviews required to update matching branches. |
| required_deployment_environments | jsonb | | List of required deployment environments that must be deployed successfully to update matching branches. |
| required_status_checks | jsonb | | Status checks that must pass before a branch can be merged into branches matching this rule. |
| requires_approving_reviews | boolean | | If true, approving reviews are required to update matching branches. |
| requires_code_owner_reviews | boolean | | If true, reviews from code owners are required to update matching branches. |
| requires_commit_signatures | boolean | | If true, commits are required to be signed by verified signatures. |
| requires_conversation_resolution | boolean | | If true, requires all comments on the pull request to be resolved before it can be merged to a protected branch. |
| requires_deployments | boolean | | If true, matching branches require deployment to specific environments before merging. |
| requires_linear_history | boolean | | If true, prevent merge commits from being pushed to matching branches. |
| requires_status_checks | boolean | | If true, status checks are required to update matching branches. |
| requires_strict_status_checks | boolean | | If true, branches are required to be up to date before merging. |
| restricts_pushes | boolean | | If true, pushing to matching branches is restricted. |
| restricts_review_dismissals | boolean | | If true, review dismissals are restricted. |
| sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
| sp_ctx | jsonb | | Steampipe context in JSON form. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- github
You can pass the configuration to the command with the --config argument:
steampipe_export_github --config '<your_config>' github_branch_protection