How to Use Branch Protection as a Compliance Control
Branch protection that blocks force pushes and deletions makes the main branch history append only, which is exactly what change-control audits look for.
Branch protection is more than hygiene; it is a control you can point an auditor to. Block force pushes and branch deletion, require linear history, and require the change process to run. This page is educational configuration guidance.
Steps
- Disallow force pushes and deletions on the default branch.
- Require a pull request, approvals, and passing status checks before merge.
- Require linear history so the audit trail stays readable.
- Include administrators so the control applies to everyone.
Branch protection via API
Terminal
gh api -X PUT repos/acme/app/branches/main/protection --input - <<'JSON'
{
"required_status_checks": { "strict": true, "contexts": ["build", "test"] },
"enforce_admins": true,
"required_pull_request_reviews": { "required_approving_review_count": 2 },
"restrictions": null,
"allow_force_pushes": false,
"allow_deletions": false,
"required_linear_history": true
}
JSONNotes
- "enforce_admins": true prevents the classic gap where admins bypass the control.
- Blocking force pushes is what keeps the history tamper evident.
Related guides
How to Enforce Required Reviewers for CI Change ManagementEnforce required pull request reviewers and approvals in GitHub as a SOC 2 change management control, so no c…
How to Use Required Status Checks as ControlsMake security and compliance jobs required status checks in GitHub so a pull request cannot merge until the s…
How to Require Signed Commits in CIRequire signed commits with a GitHub ruleset and verify signatures in CI, so every change in the audit trail…