Integration · GitHub · GHEC + GHES

SDLC discipline as compliance evidence.

Branch protection, secret scanning, code scanning, Dependabot, SSO, and audit log — read once, mapped to change management, vulnerability, and access controls. Engineers see configuration. Auditors see evidence.

Six signal classes

Read every channel auditors ask about

One App install, scoped per org. Read-only by default. Optional event streaming for incident triggers.

Branch protection

Required reviewers, signed commits, status checks, linear history

Secret scanning

Push protection, partner-pattern detection, validity checks

Dependabot

Dependency vulnerability alerts, version updates, security PRs

Code scanning

CodeQL alerts, custom queries, SARIF results

SSO + SAML

Org-level enforcement, IP allow lists, session policies

Audit log

Streaming events, member changes, ruleset edits

Branch protection rulesets

One source of truth for change-mgmt evidence

The ruleset state on every repo is mirrored to your control library — not retyped into a spreadsheet at audit time.

org rulesets · live: 5 / 6 enforced
  • Require signed commits: all repos
  • Require 2 reviewers: all prod repos
  • Block force-push to main: all repos
  • ! Linear history enforced: missing in legacy-monolith
  • Status checks required: CI green required
  • Conversation resolution required: all repos

Pre-mapped controls

Engineers ship. Compliance updates.

Change mgmt

Branch protection + required reviews satisfy SOC 2 CC8.1 and ISO 27001:2022 A.8.32.

Vulnerability mgmt

Dependabot + code scanning cover SOC 2 CC7.1 and ISO A.8.8 / A.8.28.

Access controls

SSO + SAML enforcement maps to SOC 2 CC6.1 and ISO A.5.16 / A.5.17.

Cryptography

Signed commit enforcement evidences integrity controls in SOC 2 PI1.4, which applies when Processing Integrity is in scope for your report.

GitHub posture, control-grade

Ship configuration. Inherit evidence. See branch protection, scanning, and SSO map to your control library in real time.