How to Use Required Status Checks as Controls
Marking a scan or policy job as a required status check turns it into a merge-blocking control that cannot be skipped.
A check is only a control if it blocks merge. This page makes named jobs required and turns on strict mode so branches must be up to date first. It is educational configuration guidance for wiring compliance jobs into the merge gate.
Steps
- Give each control job a stable name (it becomes the check context).
- Add those names to the required status checks list.
- Enable strict mode so stale branches must re-run the checks.
Name the control jobs
.github/workflows/ci.yml
jobs:
policy-gate:
name: policy-gate # this string is the required check context
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- run: ./run-policy.sh
sca-scan:
name: sca-scan
runs-on: ubuntu-latest
steps:
- run: ./scan.shRequire them
Terminal
gh api -X PATCH repos/acme/app/branches/main/protection/required_status_checks \
-f strict=true -f 'contexts[]=policy-gate' -f 'contexts[]=sca-scan'Notes
- A required check that never reports on some events can deadlock merges; add a placeholder job for skipped paths.
- strict=true forces the branch to include the latest main before merge, so checks reflect final code.
Related guides
How to Use Branch Protection as a Compliance ControlConfigure GitHub branch protection as a documented compliance control, blocking force pushes, deletions, and…
How to Add Policy as Code Gates With OPA and ConftestGate CI on policy as code using Open Policy Agent and conftest, failing the build when Terraform or Kubernete…
How to Add Vulnerability Gates to CIFail a GitHub Actions build on high or critical vulnerabilities with Trivy, a common SOC 2 and PCI expectatio…