GitHub branch protection disabled with force push and admin enforcement bypass
Goal
Detects branch protection being weakened by enabling force pushes and disabling admin enforcement simultaneously, a combination used by Nord Stream to allow pushing a malicious workflow to a protected branch.
Strategy
This rule monitors GitHub audit events for the concurrent modification of two branch protection settings: enabling force pushes and removing admin enforcement. Together these changes create the permissive conditions Nord Stream requires to push a workflow file without triggering protection rules. The combination of both changes in a short window is anomalous.
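As an added illustration of the logic described above (not part of the Datadog rule or its implementation), the following Python sketch correlates the two weakening actions per repository, branch and actor inside a short window. The event shape, field names, sample events and the 15-minute window are constructed assumptions; the action names follow GitHub's audit-log naming for protected_branch events.

```python
# Added example: correlate "force pushes enabled" with "admin enforcement disabled"
# on the same repo/branch by the same actor within a short window.
# Event layout and sample data are constructed; field names are assumptions.
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)  # assumed "short window"; tune per environment

FORCE_PUSH_ACTION = "protected_branch.update_allow_force_pushes_enforcement_level"
ADMIN_ENFORCED_ACTION = "protected_branch.update_admin_enforced"

# Constructed sample audit events in a simplified GitHub audit-log shape.
SAMPLE_EVENTS = [
    {"@timestamp": "2024-05-01T10:00:00Z", "action": ADMIN_ENFORCED_ACTION, "actor": "ci-bot",
     "repo": "acme/app", "branch": "main", "admin_enforced": False},
    {"@timestamp": "2024-05-01T10:00:30Z", "action": FORCE_PUSH_ACTION, "actor": "ci-bot",
     "repo": "acme/app", "branch": "main", "allow_force_pushes_enforcement_level": "everyone"},
    # benign: admin enforcement disabled alone, no force-push change
    {"@timestamp": "2024-05-01T11:00:00Z", "action": ADMIN_ENFORCED_ACTION, "actor": "alice",
     "repo": "acme/infra", "branch": "main", "admin_enforced": False},
    # benign: both changes by one actor, but hours apart (outside the window)
    {"@timestamp": "2024-05-01T09:00:00Z", "action": FORCE_PUSH_ACTION, "actor": "bob",
     "repo": "acme/web", "branch": "main", "allow_force_pushes_enforcement_level": "everyone"},
    {"@timestamp": "2024-05-01T13:00:00Z", "action": ADMIN_ENFORCED_ACTION, "actor": "bob",
     "repo": "acme/web", "branch": "main", "admin_enforced": False},
    # re-tightening (force pushes turned back off) is not a weakening event
    {"@timestamp": "2024-05-01T12:00:00Z", "action": FORCE_PUSH_ACTION, "actor": "ci-bot",
     "repo": "acme/app", "branch": "main", "allow_force_pushes_enforcement_level": "off"},
]

def _ts(event):
    return datetime.strptime(event["@timestamp"], "%Y-%m-%dT%H:%M:%SZ")

def weakening_events(events):
    """Bucket the two weakening actions by (repo, branch, actor); ignore re-tightening."""
    force, admin = {}, {}
    for e in events:
        key = (e["repo"], e["branch"], e["actor"])
        if e["action"] == FORCE_PUSH_ACTION and e.get("allow_force_pushes_enforcement_level") != "off":
            force.setdefault(key, []).append(_ts(e))
        elif e["action"] == ADMIN_ENFORCED_ACTION and e.get("admin_enforced") is False:
            admin.setdefault(key, []).append(_ts(e))
    return force, admin

def detect(events, window=WINDOW):
    """Return one finding per (repo, branch, actor) where both changes fall within `window`."""
    force, admin = weakening_events(events)
    findings = {}
    for key, force_times in force.items():
        for ft in force_times:
            for at in admin.get(key, []):
                if abs(ft - at) <= window and key not in findings:
                    findings[key] = {"repo": key[0], "branch": key[1], "actor": key[2],
                                     "first_change": min(ft, at).isoformat()}
    return list(findings.values())
```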
Triage and response
- Determine whether {{@github.actor}} had a legitimate reason to modify branch protection settings on the affected repository.
- Identify which branch was modified and check whether any commits or workflow files were pushed to it shortly after the protection change.
- Review whether branch protection settings were subsequently restored, which may indicate an automated cleanup phase following secret extraction.
- Check for related secret enumeration activity from {{@github.actor}} around the same time.