Version artifacts in order to identify deployed features and issues. This includes application and infrastructure code, Jenkins configuration, and container and virtual machine images.
Risk: Deployment of untracked artifacts.
Define source code management system policies (e.g. branch protection rules, mandatory code reviews from at least one person, ...) to ensure that changes to critical branches are only possible under defined conditions. These policies can be implemented at repository level or organization level, depending on the source code management system.
Risk: Intentional or accidental alterations in critical branches like main (or master).
Mandate blocking of force pushes in the version control platform.
Risk: Misuse of force push can lead to loss of work. It may overwrite remote branches without warning, potentially erasing valuable contributions from team members, which disrupts collaboration, causes data loss, and creates confusion in the development process. Bypassing the pull request process might also remove an important code review step, increasing the risk of merging low-quality or buggy code into the main branch.
Implement a policy where any commits made after a pull request has been approved automatically revoke that approval, necessitating a fresh review and re-approval process.
Risk: Intentional or accidental alterations in critical branches like main (or master) through post-approval code additions.
Mandate that specified security-related status checks, such as a successful build or static application security tests, pass before a change can proceed.
Risk: Organizations risk introducing broken builds, quality issues, and security vulnerabilities into their codebase.
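The branch policies above (mandatory review, approval dismissal on new commits, blocked force pushes, required status checks) can be audited rather than just documented. The following is an added example, not part of the original page: it checks a branch protection object shaped like GitHub's "get branch protection" REST response against those policies, using a constructed sample response and assumed status check names ("build", "sast").

```python
import json

# Constructed sample in the shape of GitHub's
# GET /repos/{owner}/{repo}/branches/{branch}/protection response,
# trimmed to the fields this audit inspects. Values are made up.
SAMPLE_PROTECTION = json.loads("""
{
  "required_status_checks": {"strict": true, "contexts": ["build"]},
  "required_pull_request_reviews": {
    "dismiss_stale_reviews": false,
    "required_approving_review_count": 1
  },
  "allow_force_pushes": {"enabled": true},
  "allow_deletions": {"enabled": false}
}
""")

# Assumed names of the security-related status checks that must be required.
REQUIRED_CHECKS = {"build", "sast"}


def audit_branch_protection(protection, required_checks=REQUIRED_CHECKS):
    """Return a list of policy violations found in a branch protection object.

    An empty list means every policy from the text is satisfied.
    """
    findings = []
    reviews = protection.get("required_pull_request_reviews") or {}
    # Policy: at least one approving review is mandatory.
    if reviews.get("required_approving_review_count", 0) < 1:
        findings.append("review: fewer than one approving review is required")
    # Policy: commits after approval must revoke that approval.
    if not reviews.get("dismiss_stale_reviews", False):
        findings.append("stale approvals: new commits do not dismiss approvals")
    # Policy: force pushes to the protected branch must be blocked.
    if (protection.get("allow_force_pushes") or {}).get("enabled", False):
        findings.append("force push: force pushes are allowed on this branch")
    # Policy: the named security checks must be required before merging.
    contexts = set((protection.get("required_status_checks") or {}).get("contexts", []))
    missing = sorted(required_checks - contexts)
    if missing:
        findings.append("status checks: not required: " + ", ".join(missing))
    return findings


if __name__ == "__main__":
    for finding in audit_branch_protection(SAMPLE_PROTECTION):
        print("FAIL", finding)
```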
Use .gitignore files to help prevent accidental commits of secrets, debug data, or workstation-specific data.
Risk: Unintended leakage of secrets, debug data, or workstation-specific data.
Integrate static code analysis tools in IDEs.
Risk: Insecure or unmaintainable code base.