From 4dc4ca06af39f4b78437d724d4212bda07817cc3 Mon Sep 17 00:00:00 2001 From: Yousif Akbar <11247449+yhakbar@users.noreply.github.com> Date: Thu, 9 Oct 2025 15:16:28 -0400 Subject: [PATCH] docs: Adding callout for branch protection security improvements --- .../docs/pipelines/installation/branch-protection.mdx | 10 ++++++++++ .../pipelines/installation/gitlab-branch-protection.md | 10 ++++++++++ 2 files changed, 20 insertions(+) diff --git a/docs/2.0/docs/pipelines/installation/branch-protection.mdx b/docs/2.0/docs/pipelines/installation/branch-protection.mdx index 399ca57d4..c8766542f 100644 --- a/docs/2.0/docs/pipelines/installation/branch-protection.mdx +++ b/docs/2.0/docs/pipelines/installation/branch-protection.mdx 
@@ -34,6 +34,16 @@ Below is an example of the recommended branch protection settings: GitHub Enterprise customers can also configure [push rulesets](https://docs.github.com/en/enterprise-cloud@latest/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets#push-rulesets). This feature allows restricting edits to `.github/workflows` files, ensuring infrastructure changes are properly reviewed and approved through Pipelines. Follow the documentation [here](https://docs.github.com/en/enterprise-cloud@latest/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository#creating-a-push-ruleset) to enable push rulesets if available. ::: +## Securing User Accounts + +Branch protection rules are only effective if you are confident that the users who have access to your repository are legitimate and trusted. + +You can improve your security posture by ensuring that: + +1. [User accounts have Multi-Factor Authentication (MFA) enabled](https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication). +2. [User accounts don't have compromised credentials](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure). +3. [User accounts are granted access to infrastructure-live repositories on a least privilege basis](https://en.wikipedia.org/wiki/Principle_of_least_privilege). + ## Pull Request Workflow 1. Developers make infrastructure changes on a branch and create a pull request (PR) against the default branch. diff --git a/docs/2.0/docs/pipelines/installation/gitlab-branch-protection.md b/docs/2.0/docs/pipelines/installation/gitlab-branch-protection.md index 51d936034..ddfa7a80c 100644 --- a/docs/2.0/docs/pipelines/installation/gitlab-branch-protection.md +++ b/docs/2.0/docs/pipelines/installation/gitlab-branch-protection.md 
@@ -15,6 +15,16 @@ Below is an example of the recommended GitLab branch protection settings: ![GitLab Branch Protection Settings](/img/pipelines/gitlab_branch_protection.png) +## Securing User Accounts + +Branch protection rules are only effective if you are confident that the users who have access to your repository are legitimate and trusted. + +You can improve your security posture by ensuring that: + +1. [User accounts have Multi-Factor Authentication (MFA) enabled](https://docs.gitlab.com/user/profile/account/two_factor_authentication/). +2. [User accounts don't have compromised credentials](https://docs.gitlab.com/auth/auth_practices/). +3. [User accounts are granted access to infrastructure-live repositories on a least privilege basis](https://en.wikipedia.org/wiki/Principle_of_least_privilege). + ## Merge Request Workflow 1. Developers make infrastructure changes on a branch and create a merge request (MR) against the default branch.
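Review bot: In the GitHub hunk (branch-protection.mdx), item 2 of the new "Securing User Accounts" list, "User accounts don't have compromised credentials", is not something a reader can act on as written; the linked page is general account-security guidance, so consider naming the concrete controls you expect (for example, reviewing active sessions and rotating personal access tokens, which that guidance covers) rather than stating an outcome. Two smaller points on the same hunk: item 1 puts the burden on each user to enable MFA, whereas the organization can require 2FA for all members, which is the stronger control for an infrastructure-live repository and worth mentioning; and the three items are not sequential steps, so a bulleted list reads better than a numbered one (the "Pull Request Workflow" list that follows is numbered because its items are ordered).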
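Review bot: In the GitLab hunk (gitlab-branch-protection.md), the new section is a verbatim copy of the GitHub text with only the URLs swapped, so item 3 still talks about "repositories" where GitLab users will expect "projects", and the least-privilege item links to Wikipedia instead of GitLab's own role and permission documentation, which is the page a reader would need to actually apply it. As with the GitHub file, it would be worth noting that 2FA can be enforced at the group level rather than left to each user, and that the list should be bulleted since its items are not ordered; keeping the two files in step on these points avoids the sections drifting apart later.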