Branch protection
Branch protection on fremforge follows the upstream Forgejo model: rules attach to branches by glob pattern, enforce review + status + history requirements, and block writes that violate them. fremforge adds org-wide defaults so the same posture applies to every repo without per-repo configuration drift.
Org defaults vs per-repo overrides
Admin → Code security → Branch defaults sets the rules that apply to every repo in the org. The defaults configure each repo’s main (or whatever your default branch is) on creation, and the daily reconciler re-applies them to existing repos so deletes / manual edits drift back into compliance.
Per-repo overrides live on the repo settings page (/<org>/<repo>/settings/branches). Override only when the repo has a genuine policy exception — most teams set the org default once and never touch repo-level rules.
Settings that map directly to Forgejo
- Require pull request reviews before merging. Set a minimum reviewer count (typically 1 or 2). Dismiss stale reviews on push to prevent rubber-stamps from surviving a force-amend.
- Require status checks to pass before merging. Name the status contexts that must report success — typically `code-build`, `dep-scan`, `sast`. See SAST for the full status-check catalog fremforge maintains.
- Require signed commits. When on, unsigned commits on the protected branch are rejected at push. See Cosign for the commit-signing path with Sigstore short-lived certs.
- Require linear history. Refuses merge commits — every change to the protected branch is a rebase or fast-forward.
- Block force pushes. Refuses `--force` on the protected branch entirely.
- Block branch deletion. Refuses delete operations on the protected branch.
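To make the effect of each toggle concrete, here is an added example (not fremforge or Forgejo code; the `BranchRule`, `MergeRequest`, `Review` and `Commit` names and their fields are assumptions for illustration) that evaluates a pending merge and a direct ref update against the rules listed above and returns the reasons the write would be blocked. The constructed sample shows the case "dismiss stale reviews" exists for: an approval given on an earlier head does not survive a force-amend, and a required context that never reported is treated as not passing.

```python
"""Evaluate a pending merge / push against the branch-protection toggles above.

Added example; the data model is an assumption, not fremforge's or Forgejo's code.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class BranchRule:
    """One protection rule with the settings the page describes (assumed field names)."""
    required_approvals: int = 1
    dismiss_stale_approvals: bool = True
    required_contexts: Tuple[str, ...] = ("code-build", "dep-scan", "sast")
    require_signed_commits: bool = True
    require_linear_history: bool = True
    block_force_push: bool = True
    block_deletion: bool = True


@dataclass(frozen=True)
class Review:
    reviewer: str
    approved: bool
    head_sha: str  # head commit the review was given against


@dataclass(frozen=True)
class Commit:
    sha: str
    signed: bool
    parent_count: int  # more than one parent means a merge commit


@dataclass
class MergeRequest:
    head_sha: str
    reviews: List[Review] = field(default_factory=list)
    statuses: Dict[str, str] = field(default_factory=dict)  # context -> reported state
    commits: List[Commit] = field(default_factory=list)


def evaluate_merge(rule: BranchRule, mr: MergeRequest) -> List[str]:
    """Return the reasons the merge would be blocked; an empty list means it passes."""
    violations: List[str] = []

    # Reviews: with stale dismissal on, only approvals given on the current head count,
    # so amending and force-pushing after approval cannot carry the approval along.
    approvers = {
        r.reviewer for r in mr.reviews
        if r.approved and (not rule.dismiss_stale_approvals or r.head_sha == mr.head_sha)
    }
    if len(approvers) < rule.required_approvals:
        violations.append(
            f"reviews: {len(approvers)} approval(s), {rule.required_approvals} required"
        )

    # Status checks: every named context must report success; a missing report is a failure.
    not_green = [c for c in rule.required_contexts if mr.statuses.get(c) != "success"]
    if not_green:
        violations.append("status: not passing: " + ", ".join(not_green))

    if rule.require_signed_commits:
        unsigned = [c.sha for c in mr.commits if not c.signed]
        if unsigned:
            violations.append("signing: unsigned commits: " + ", ".join(unsigned))

    if rule.require_linear_history:
        merges = [c.sha for c in mr.commits if c.parent_count > 1]
        if merges:
            violations.append("history: merge commits not allowed: " + ", ".join(merges))

    return violations


def evaluate_push(rule: BranchRule, force: bool = False, delete: bool = False) -> List[str]:
    """Return the reasons a direct ref update to the protected branch would be refused."""
    violations: List[str] = []
    if force and rule.block_force_push:
        violations.append("push: --force refused on protected branch")
    if delete and rule.block_deletion:
        violations.append("push: branch deletion refused")
    return violations


# Constructed sample: alice approved head a1b2c3, the author then amended and force-pushed
# b2c3d4, and the "sast" context never reported on the new head.
SAMPLE_MR = MergeRequest(
    head_sha="b2c3d4",
    reviews=[Review("alice", True, "a1b2c3")],
    statuses={"code-build": "success", "dep-scan": "success"},
    commits=[Commit("b2c3d4", signed=True, parent_count=1)],
)

if __name__ == "__main__":
    for reason in evaluate_merge(BranchRule(), SAMPLE_MR):
        print("blocked:", reason)
    for reason in evaluate_push(BranchRule(), force=True):
        print("blocked:", reason)
```

Turning `dismiss_stale_approvals` off in the sample lets alice's earlier approval count again, which is exactly the rubber-stamp window the default closes.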
Settings fremforge adds on top
- Enforce on org owners. Forgejo lets you exempt org owners from branch protection. fremforge inverts the default: owners are subject to the same protection as members. The escape hatch is documented in the runbook for incident response (rare).
- Status-check allowlist for fremforge-emitted checks. The contexts `fremforge/dep-scan`, `fremforge/image-scan`, `fremforge/secret-scan`, `fremforge/sast` are the canonical names. If you require these, the daily reconciler validates that they’re listed.
- Drift detector. The daily branch-defaults reconciler reports any repo whose protection differs from the org default. The Bell alert “Branch protection drift” fires when ≥1 repo is out of compliance.
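The allowlist validation and the drift detector are two halves of one reconciliation pass, so here is an added example (not fremforge's reconciler; the dictionary keys used to represent a rule set are assumed names, and the sample repos are constructed) that compares each repo's effective protection against the org default, flags any `fremforge/` context that is not one of the four canonical names, and reports whether the drift alert should fire. The four canonical context names and the ≥1 alert threshold are taken from the page.

```python
"""Drift detection and status-context validation for org-wide branch defaults.

Added example; the rule-set dict shape and the sample repos are assumed/constructed.
"""
from typing import Any, Dict, Iterable, List, Tuple

# Canonical fremforge-emitted contexts (from the page). Any other "fremforge/" context
# is a typo or stale name and will never report success, so a rule requiring it blocks
# every merge.
CANONICAL_CONTEXTS = frozenset({
    "fremforge/dep-scan",
    "fremforge/image-scan",
    "fremforge/secret-scan",
    "fremforge/sast",
})

# Assumed representation of the org default; keys are illustrative, not API fields.
ORG_DEFAULT: Dict[str, Any] = {
    "branch_glob": "main",
    "required_approvals": 1,
    "dismiss_stale_approvals": True,
    "status_check_contexts": ["code-build", "fremforge/dep-scan", "fremforge/sast"],
    "require_signed_commits": True,
    "require_linear_history": True,
    "block_force_push": True,
    "block_deletion": True,
    "enforce_on_owners": True,
}


def unknown_fremforge_contexts(contexts: Iterable[str]) -> List[str]:
    """Contexts under the fremforge/ prefix that are not canonical names."""
    return sorted(
        c for c in contexts if c.startswith("fremforge/") and c not in CANONICAL_CONTEXTS
    )


def diff_protection(expected: Dict[str, Any], actual: Dict[str, Any]) -> Dict[str, Tuple[Any, Any]]:
    """Map each drifted key to (expected, actual). A key missing from the repo counts as drift."""
    drift: Dict[str, Tuple[Any, Any]] = {}
    for key, want in expected.items():
        have = actual.get(key)
        if key == "status_check_contexts":
            # Context order is irrelevant; compare as sets but report sorted lists.
            if set(want) != set(have or []):
                drift[key] = (sorted(want), sorted(have or []))
        elif have != want:
            drift[key] = (want, have)
    return drift


def reconcile_report(default: Dict[str, Any], repos: Dict[str, Dict[str, Any]]) -> Dict[str, Dict[str, Any]]:
    """Per-repo result list: only repos with drift or mis-spelled fremforge contexts appear."""
    report: Dict[str, Dict[str, Any]] = {}
    for name, protection in sorted(repos.items()):
        drift = diff_protection(default, protection)
        bad = unknown_fremforge_contexts(protection.get("status_check_contexts", []))
        if drift or bad:
            report[name] = {"drift": drift, "unknown_contexts": bad}
    return report


def alert_needed(report: Dict[str, Dict[str, Any]]) -> bool:
    """The "Branch protection drift" alert fires when >= 1 repo is out of compliance."""
    return len(report) >= 1


# Constructed sample: "api" is compliant, "web" had two toggles edited by hand,
# "infra" requires a typo'd context that can never go green.
SAMPLE_REPOS: Dict[str, Dict[str, Any]] = {
    "api": dict(ORG_DEFAULT),
    "web": {**ORG_DEFAULT, "required_approvals": 0, "block_force_push": False},
    "infra": {
        **ORG_DEFAULT,
        "status_check_contexts": ["code-build", "fremforge/dep-scan", "fremforge/ssat"],
    },
}

if __name__ == "__main__":
    result = reconcile_report(ORG_DEFAULT, SAMPLE_REPOS)
    for repo, findings in result.items():
        print(repo, findings)
    print("alert:", alert_needed(result))
```

A reconciler that re-applies the default after reporting would use the `drift` map as its change list; the `unknown_contexts` list is the reason a repo can be "compliant" with the toggles yet permanently unmergeable.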
Setting it up
- Open Admin → Code security → Branch defaults.
- Pick the branch glob (typically `main`, or `main, master, release/*`).
- Set the toggles above. Save.
- The org-wide apply runs immediately. Watch the audit log entry `policy.branch-defaults.org-wide-apply` for the per-repo result list.
See also
- Scorecard — branch protection drives the Branch-Protection OpenSSF score.
- Authentication policy — the broader posture (signed commits, SSH transport, MFA).
- Cosign — required-signed-commits implementation.