Red Hat Advanced Cluster Management / ACM-30241

      Summary

      Per Red Hat Global Engineering directive (effective immediately), we need to implement source code controls for all Business Continuity component repositories to address IBM internal audit findings. These controls must be completed by March 31, 2026.

      Background

      An IBM internal audit identified areas where Red Hat could strengthen code management practices. Two key controls are required:

      1. Segregation of duties (branch protection rules) - Without required pull request reviews, accidental or unapproved changes could be merged into critical code, causing instability, vulnerabilities, or disruptions.
      2. Two-factor authentication (2FA) - If credentials are compromised without 2FA, attackers could gain repository access leading to code tampering, data leakage, or malicious code insertion.

      Required Actions

      1. Branch Protection Rules

      • [ ] Enable branch protection on release-intended branches (main/master)
      • [ ] Require at least one peer review before merging
      • [ ] Disallow self-approval of pull requests
      • [ ] Disallow forced pushes on protected branches

      2. Two-Factor Authentication (2FA)

      • [ ] Enable "Require 2FA for all members" in source code repo settings
      • [ ] Apply at orgs/project/branches level as applicable for complete coverage

      Applicability

      These requirements apply to all public and private repositories associated with Red Hat products, services, or projects that are:

      • Owned, licensed, registered, or maintained by Red Hat
      • Whose outputs are used by customers (directly or indirectly)

      Exemptions: Personal, single-maintainer projects with no customer-used outputs are exempt.

      Deadline

      March 31, 2026

      Resources

      • Slack: #internal_technology_audit_ge
      • Email: internal-tech-audit-ge@redhat.com

      Acceptance Criteria

      • [ ] All Business Continuity repositories have branch protection enabled on main/master
      • [ ] Pull requests require at least 1 reviewer approval
      • [ ] Self-approval is disabled
      • [ ] Force pushes are disabled on protected branches
      • [ ] 2FA is required for all repository members
      • [ ] Compliance verified and documented
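      To support the last criterion, a compliance checker that evaluates the controls listed above against a snapshot of repository and organization settings. This is an added example, not part of the issue or of the ACM project; it assumes GitHub-style settings (the branch protection object follows the shape of GitHub's "get branch protection" REST response, the org object carries `two_factor_requirement_enabled`), and the `allow_author_approval` field used for the self-approval check is hypothetical. All sample inputs are constructed.

```python
from __future__ import annotations
from typing import Any, Optional

# Constructed sample inputs: one compliant repo and two with the weak settings
# the issue warns about (no protection at all, and protection with gaps).
CONSTRUCTED_REPOS: dict[str, dict[str, Any]] = {
    "bc-compliant": {"default_branch": "main", "protection": {
        "required_pull_request_reviews": {"required_approving_review_count": 1},
        "allow_force_pushes": {"enabled": False},
    }},
    "bc-unprotected": {"default_branch": "master", "protection": None},
    "bc-weak": {"default_branch": "main", "protection": {
        "required_pull_request_reviews": {"required_approving_review_count": 0,
                                          "allow_author_approval": True},
        "allow_force_pushes": {"enabled": True},
    }},
}
CONSTRUCTED_ORG = {"login": "example-org", "two_factor_requirement_enabled": False}


def check_branch(protection: Optional[dict[str, Any]]) -> list[str]:
    """Return the failed branch controls for one release branch ([] = compliant)."""
    if not protection:
        return ["branch protection not enabled"]
    failures = []
    reviews = protection.get("required_pull_request_reviews") or {}
    if reviews.get("required_approving_review_count", 0) < 1:
        failures.append("fewer than 1 required reviewer approval")
    # Hypothetical field: GitHub itself never counts the author's own review,
    # so this models an explicit "prevent approval by author" toggle elsewhere.
    if reviews.get("allow_author_approval", False):
        failures.append("self-approval allowed")
    if (protection.get("allow_force_pushes") or {}).get("enabled", False):
        failures.append("force pushes allowed")
    return failures


def check_org(org: dict[str, Any]) -> list[str]:
    """Return the failed org-level controls (2FA requirement for all members)."""
    return [] if org.get("two_factor_requirement_enabled") else ["2FA not required for all members"]


def compliance_report(repos: dict[str, dict[str, Any]], org: dict[str, Any]) -> dict[str, list[str]]:
    """Map each repo (and the org login) to its list of failed controls."""
    report = {name: check_branch(repo.get("protection")) for name, repo in repos.items()}
    report[org["login"]] = check_org(org)
    return report


def is_compliant(report: dict[str, list[str]]) -> bool:
    """True only when every repo and the org have no failed controls."""
    return all(not failures for failures in report.values())
```

      Feed it the JSON returned by the platform's branch-protection and organization endpoints to produce the documented evidence the acceptance criteria ask for.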

      People: Sahar Ebrahimi, Thuy Nguyen