Git Posture Policies
Git Posture policies assess repository, organization, and user configurations that affect source control security and governance. These policies focus on access control, branch protection, review practices, authentication, ownership, and repository hygiene. Proper Git posture reduces the risk of unauthorized changes, account compromise, supply chain attacks, and loss of control over source code.
This article describes the policies in this category, their configuration options, and the impact of policy violations. For an overview of policies and policy management, see the Policies article.

Source control policy coverage
Open the accordion to view the list of Git Posture policies supported for each source control manager.
Policies supported for each source control manager
Each row shows one mark per source control manager (✓ = supported, — = not supported).
Bot user is a repo admin: ✓ ✓ ✓ ✓
Bot user is an org owner: ✓ ✓ ✓ ✓
Branch protection not enforced: ✓ ✓ ✓ ✓
Branch protection code review can be ignored by developer: ✓ ✓ ✓ ✓
Branch protection code review can be ignored by outside collaborator: ✓ ✓ ✓ ✓
Branch protection push restriction can be ignored by developer: ✓ ✓ ✓ ✓
Branch protection push restriction can be ignored by outside collaborator: ✓ ✓ ✓ ✓
Branch protection allows unsigned commits: ✓ ✓ ✓ ✓
CODEOWNERS file missing in repo: ✓ ✓ — ✓
External user has access to repo: ✓ ✓ ✓ ✓
Missing 2FA in organization: ✓ ✓ ✓ ✓
Outside collaborator not using 2FA: ✓ ✓ ✓ ✓
Protected branch can be deleted by a non-admin: ✓ ✓ ✓ ✓
Repo admin with no admin activity: ✓ ✓ ✓ ✓
Org owner with no admin activity: ✓ ✓ ✓ ✓
Single owner in org: ✓ ✓ ✓ ✓
Too many org owners: ✓ ✓ ✓ ✓
Too many repo admins: ✓ ✓ ✓ ✓
Developer did not write code in repo: ✓ ✓ ✓ ✓
Outside collaborator is a repo admin: ✓ ✓ ✓ ✓
Outside collaborator is repo maintainer: ✓ ✓ ✓ ✓
Outside collaborator with no activity: ✓ ✓ ✓ ✓
Unreviewed code change: ✓ ✓ ✓ ✓
Veteran developer review required: ✓ ✓ ✓ ✓
Security Policy file missing in repo: ✓ ✓ — ✓
Repo wiki publicly available: ✓ ✓ — ✓
Personal public repo detected: ✓ ✓ — ✓
Public repo detected: ✓ ✓ — ✓
Private personal repo fork detected: ✓ ✓ — ✓
Private repo forking is enabled: ✓ ✓ — ✓
Unarchived stale repo: ✓ ✓ ✓ ✓
View and manage Git Posture policies
Open each policy to view the business impact and optional settings.
Bot user is a repo admin
Purpose: Detects repositories where a bot account is assigned administrator-level permissions.
Supported Source Control Managers:
GitHub
GitLab
Azure
Bitbucket Cloud
Business impact: Bot accounts are not tied to individual users and compromises may go unnoticed for extended periods. Administrative access allows broad control over repository settings and code. This increases the risk of unauthorized changes, persistent access, and supply chain compromise.

ON/OFF (toggle)
Enable/disable the policy.
ON
Ignore Application Business Priority for severity calculation (checkbox)
When enabled, severity is not adjusted based on application priority.
OFF
Bot Identification Settings
Strings used to identify bots in your organization. Click to add strings.
Current setting
Ignore if admin activity seen (toggle)
Ignores all bots that have known admin activity. The setting is ignored if Audit Log permissions are not available.
ON
Ignore if a user is admin in multiple repos
Ignores all bots that are admins of more than the selected number of repos.
Current setting
Audit log access
Grant Ox access to your source control platform's audit logs. This enables the detection of admin activity across all repositories. The access is required for Ox to accurately evaluate policies related to administrative functions.
Required
Bot user is an org owner
Purpose: Detects organizations where a bot account is assigned the organization owner role.
Supported Source Control Managers:
GitHub
GitLab
Azure
Bitbucket Cloud
Business impact: Organization owner privileges grant full administrative control across all repositories and settings. A compromised bot account may remain undetected and enable persistent, unrestricted access. This significantly increases the risk of large-scale unauthorized changes and organizational compromise.

ON/OFF (toggle)
Enable/disable the policy.
ON
Ignore Application Business Priority for severity calculation (checkbox)
When enabled, severity is not adjusted based on application priority.
OFF
Bot Identification Settings
Strings used to identify bots in your organization. Click to add strings.
Current setting
Branch protection allows unsigned commits
Purpose: Detects repositories where branch protection does not require commits to be signed.
Supported Source Control Managers:
GitHub
GitLab
Business impact: Unsigned commits make it easier to spoof commit authorship. Attackers can introduce code that appears to come from trusted developers. This weakens code provenance and increases the risk of unauthorized or malicious changes.

ON/OFF (toggle)
Enable/disable the policy.
ON
Repo Visibility (dropdown)
Determines if this policy applies to public repos, private repos or both.
Current setting
Ignore Business Priority Less Than
Ignore repos with Business Priority less than the number entered.
Current setting
Ignore Application Business Priority for severity calculation (checkbox)
When enabled, severity is not adjusted based on application priority.
OFF
Branch protection code review can be ignored by developer
Purpose: Detects repositories where branch protection settings allow developers to bypass required code reviews.
Supported Source Control Managers:
GitHub
Business impact: Allowing developers to ignore code review requirements weakens a key security and quality control. Compromised accounts can push unreviewed or malicious changes to protected branches. This increases security risk and may lead to non-compliance with standards such as SOC 2, PCI DSS, and ISO 27001.

ON/OFF (toggle)
Enable/disable the policy.
ON
Repo Visibility (dropdown)
Choose if the policy applies to private, public or all repo types.
Current setting
Ignore Business Priority Less Than
Ignore repos with Business Priority less than the number entered.
Current setting
Choose an Available Fix for a Violation
Pick between the options of available fixes for violation.
Current setting
Ignore Application Business Priority for severity calculation (checkbox)
When enabled, severity is not adjusted based on application priority.
OFF
Branch protection code review can be ignored by outside collaborator
Purpose: Detects repositories where branch protection settings allow outside collaborators to bypass required code reviews.
Supported Source Control Managers:
GitHub
Business impact: Allowing outside collaborators to bypass code reviews weakens a key safeguard against bugs and malicious changes. A compromised external account can push unreviewed code to protected branches. This increases security risk and may result in non-compliance with standards such as SOC 2, PCI DSS, and ISO 27001.

ON/OFF (toggle)
Enable/disable the policy.
ON
Repo Visibility (dropdown)
Choose if the policy applies to private, public or all repo types.
Current setting
Ignore Business Priority Less Than
Ignore repos with Business Priority less than the number entered.
Current setting
Choose an Available Fix for a Violation
Pick between the options of available fixes for violation.
Current setting
Ignore Application Business Priority for severity calculation (checkbox)
When enabled, severity is not adjusted based on application priority.
OFF
Branch protection not enforced
Purpose: Detects repositories where branch protection is not configured to require code reviews and restrict direct push events.
Supported Source Control Managers:
GitHub
GitLab
Bitbucket Cloud
Business impact: Without enforced branch protection, code changes can bypass review and approval. Compromised accounts may push malicious or insecure code directly to protected branches. This increases security risk and may result in non-compliance with standards such as SOC 2, PCI DSS, and ISO 27001.

ON/OFF (toggle)
Enable/disable the policy.
ON
Repo Visibility (dropdown)
Choose if the policy applies to private, public or all repo types.
Current setting
Ignore Business Priority Less Than
Ignore repos with Business Priority less than the number entered.
Current setting
Ignore Application Business Priority for severity calculation (checkbox)
When enabled, severity is not adjusted based on application priority.
OFF
Choose developers that can bypass branch code reviews
Type in the usernames of developers who are permitted to bypass branch code reviews. Click to add.
Current setting
Branch protection push restriction can be ignored by developer
Purpose: Detects repositories where branch protection settings allow developers to bypass push restrictions on protected branches.
Supported Source Control Managers:
GitHub
GitLab
Business impact: Allowing developers to bypass push restrictions weakens enforcement of code review and approval controls. A compromised developer account can push unreviewed or malicious changes directly to protected branches. This increases security risk and may lead to non-compliance.

ON/OFF (toggle)
Enable/disable the policy.
ON
Repo Visibility
Determines if this policy applies to public repos, private repos or both.
Current setting
Ignore Business Priority Less Than
Ignore repos with Business Priority less than the number entered.
Current setting
Ignore Application Business Priority for severity calculation (checkbox)
When enabled, severity is not adjusted based on application priority.
OFF
Branch protection push restriction can be ignored by outside collaborator
Purpose: Detects repositories where branch protection settings allow outside collaborators to bypass push restrictions on protected branches.
Supported Source Control Managers:
GitHub
GitLab
Business impact: Allowing outside collaborators to bypass push restrictions weakens enforcement of review and approval controls. A compromised external account can push unreviewed or malicious changes to protected branches. This increases security risk and may result in non-compliance with standards such as SOC 2, PCI DSS, and ISO 27001.

ON/OFF (toggle)
Enable/disable the policy.
ON
Repo Visibility
Determines if this policy applies to public repos, private repos or both.
Current setting
Ignore Business Priority Less Than
Ignore repos with Business Priority less than the number entered.
Current setting
Ignore Application Business Priority for severity calculation (checkbox)
When enabled, severity is not adjusted based on application priority.
OFF
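The branch-protection policies above all inspect the settings of one protection rule. As an added example (not Ox's code), the following Python evaluates a constructed rule against those policies and then shows the hardened form. The JSON shape is modeled on the response of GitHub's branch protection REST endpoint, and the developer and outside-collaborator sets are assumed inputs that would normally come from the repo's collaborator list.

```python
"""Added example: check one branch protection rule against the branch-protection
policies on this page. The JSON shape is modeled on GitHub's branch protection
REST response; the sample rule and the role sets below are constructed."""
import json
from typing import Iterable, List, Optional, Set

# Constructed sample: a weak protection rule on a default branch.
WEAK_PROTECTION_JSON = """
{
  "required_pull_request_reviews": {
    "required_approving_review_count": 1,
    "dismiss_stale_reviews": false,
    "require_code_owner_reviews": false,
    "bypass_pull_request_allowances": {
      "users": [{"login": "dev-dana"}, {"login": "ext-eli"}], "teams": [], "apps": []}
  },
  "enforce_admins": {"enabled": false},
  "restrictions": {"users": [{"login": "dev-dana"}],
                   "teams": [{"slug": "release-managers"}], "apps": []},
  "allow_deletions": {"enabled": true},
  "allow_force_pushes": {"enabled": false},
  "required_signatures": {"enabled": false}
}
"""
# Constructed role sets (assumption: taken from the repo's collaborator list).
DEVELOPERS: Set[str] = {"dev-dana", "dev-dmitri"}   # users holding the write role
OUTSIDE_COLLABORATORS: Set[str] = {"ext-eli"}        # users outside the organization


def parse_protection(text: str) -> dict:
    """Parse the JSON form of a rule, as an API client would receive it."""
    return json.loads(text)


def _enabled(protection: dict, key: str) -> bool:
    """Read a {"enabled": bool} sub-object; a missing key counts as disabled."""
    return bool((protection.get(key) or {}).get("enabled", False))


def _logins(items: Optional[Iterable]) -> Set[str]:
    """Accept bare login strings or {"login": ...} user objects."""
    return {i["login"] if isinstance(i, dict) else str(i) for i in (items or [])}


def _has_entries(node: Optional[dict]) -> bool:
    return bool(node) and any(node.get(k) for k in ("users", "teams", "apps"))


def evaluate_branch_protection(protection: Optional[dict], developers: Set[str],
                               outside_collaborators: Set[str]) -> List[str]:
    """Return the names (as titled on this page) of the policies the rule violates."""
    if not protection:
        return ["Branch protection not enforced"]  # nothing further to inspect
    findings: List[str] = []
    reviews = protection.get("required_pull_request_reviews") or {}
    restrictions = protection.get("restrictions") or {}
    # Enforced means: at least one approving review AND a push restriction.
    if reviews.get("required_approving_review_count", 0) < 1 or not _has_entries(restrictions):
        findings.append("Branch protection not enforced")
    # Anyone listed in bypass_pull_request_allowances may merge without review.
    bypass = _logins((reviews.get("bypass_pull_request_allowances") or {}).get("users"))
    if bypass & developers:
        findings.append("Branch protection code review can be ignored by developer")
    if bypass & outside_collaborators:
        findings.append("Branch protection code review can be ignored by outside collaborator")
    # Users named in restrictions may push to the branch directly.
    pushers = _logins(restrictions.get("users"))
    if pushers & developers:
        findings.append("Branch protection push restriction can be ignored by developer")
    if pushers & outside_collaborators:
        findings.append("Branch protection push restriction can be ignored by outside collaborator")
    if _enabled(protection, "allow_deletions"):
        findings.append("Protected branch can be deleted by a non-admin")
    if not _enabled(protection, "required_signatures"):
        findings.append("Branch protection allows unsigned commits")
    return findings


def hardened(protection: dict) -> dict:
    """Copy of the rule with every setting the checks above flag set to its safe value."""
    fixed = json.loads(json.dumps(protection))  # deep copy
    reviews = fixed.setdefault("required_pull_request_reviews", {})
    reviews["required_approving_review_count"] = max(2, reviews.get("required_approving_review_count", 0))
    reviews["bypass_pull_request_allowances"] = {"users": [], "teams": [], "apps": []}
    fixed["enforce_admins"] = {"enabled": True}  # admins are held to the same rule
    fixed.setdefault("restrictions", {"users": [], "teams": [], "apps": []})["users"] = []  # push via teams only
    fixed["allow_deletions"] = {"enabled": False}
    fixed["required_signatures"] = {"enabled": True}
    return fixed


if __name__ == "__main__":
    weak = parse_protection(WEAK_PROTECTION_JSON)
    for name in evaluate_branch_protection(weak, DEVELOPERS, OUTSIDE_COLLABORATORS):
        print("violation:", name)
    print("after hardening:", evaluate_branch_protection(hardened(weak), DEVELOPERS, OUTSIDE_COLLABORATORS))
```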
CODEOWNERS file missing in repo
Purpose: Detects repositories that do not contain a CODEOWNERS file to define required reviewers.
Supported Source Control Managers:
GitHub
GitLab
Azure
Bitbucket Cloud
Business impact: Without a CODEOWNERS file, pull requests may not receive review from appropriate maintainers. Code changes can be approved by users without relevant expertise. This reduces review quality and weakens branch protection effectiveness.

ON/OFF (toggle)
Enable/disable the policy.
ON
Repo types applied by the policy (dropdown)
Choose if the policy applies to private, public, or all repo types.
Current setting
Ignore Application Business Priority for severity calculation (checkbox)
When enabled, severity is not adjusted based on application priority.
OFF
Branch Protection (Required Reviews) (checkbox)
Determine if the policy applies only to repos with branch protection turned on.
ON
Developer did not write code in repo
Purpose: Detects users with write access to a repository who have not contributed code to it.
Supported Source Control Managers:
GitHub
GitLab
Azure
Bitbucket Cloud
Business impact: Unused write access increases the attack surface for account compromise. A compromised account with write permissions can tamper with code or configurations. Reducing unnecessary access lowers the risk of unauthorized changes.

ON/OFF (toggle)
Enable/disable the policy.
ON
Ignore Application Business Priority for severity calculation (checkbox)
When enabled, severity is not adjusted based on application priority.
OFF
External user has access to repo
Purpose: Detects repositories where users outside the organization have ongoing access.
Supported Source Control Managers:
GitHub
GitLab
Azure
Bitbucket Cloud
Business impact: External access increases the attack surface for account compromise. A compromised external account can introduce malicious code as part of a supply chain attack. This raises the risk of unauthorized changes and downstream impact on applications that consume the code.

ON/OFF (toggle)
Enable/disable the policy.
OFF
Email Domains (Suffix)
Choose the email domains that should have access to the build systems. Click to add.
Current setting
Repo Type (dropdown)
Choose if the policy applies to private, public or all repo types.
Current setting
Ignore Application Business Priority for severity calculation (checkbox)
When enabled, severity is not adjusted based on application priority.
OFF
Repo wiki publicly editable
Purpose: Detects repositories where the wiki is publicly editable by users outside the repository collaborators.
Supported Source Control Managers:
GitHub
Business impact: Publicly editable wikis can be abused to insert malicious links or misleading content. Attackers may direct users to download compromised binaries or artifacts. This increases the risk of malware distribution and supply chain attacks.

ON/OFF (toggle)
Enable/disable the policy.
ON
Ignore Application Business Priority for severity calculation (checkbox)
When enabled, severity is not adjusted based on application priority.
OFF
License file missing in repo
Purpose: Detects repositories that do not contain a license file matching one of the configured license file names.
Supported Source Control Managers:
GitHub
GitLab
Azure
Bitbucket Cloud
Business impact: Without a license file, the terms under which the code may be used, modified, or redistributed are undefined. This creates legal and compliance ambiguity for anyone who consumes or contributes to the code.

ON/OFF (toggle)
Enable/disable the policy.
ON
Repo Visibility (dropdown)
Determines if this policy applies to public repos, private repos or both.
Current setting
License File Name
License File names to search for.
Click to add.
Current setting
Ignore Application Business Priority for severity calculation (checkbox)
When enabled, severity is not adjusted based on application priority.
OFF
Missing 2FA in organization
Purpose: Detects organizations where two-factor authentication (2FA) is not enforced for user access.
Supported Source Control Managers:
GitHub
GitLab
Azure
Bitbucket Cloud
Business impact: Lack of 2FA increases the likelihood of account compromise through credential theft. Compromised accounts may grant attackers access to repositories and administrative functions. This raises the risk of unauthorized changes and large-scale security incidents.

ON/OFF (toggle)
Enable/disable the policy.
ON
Enforce for (dropdown)
Choose what type of users the policy will apply to: Admin, Member, Admin or Member.
Current setting
Ignore Application Business Priority for severity calculation (checkbox)
When enabled, severity is not adjusted based on application priority.
OFF
Org owner with no admin activity
Purpose: Detects organization or first-level group owners who retain administrative privileges without recent administrative activity.
Supported Source Control Managers:
GitHub
GitLab
Azure
Bitbucket Cloud
Business impact: Inactive owners retain full control over repositories and user management. Accounts belonging to former employees or unused identities increase the risk of unnoticed compromise. Reducing inactive administrative access lowers the attack surface and limits the potential impact of unauthorized actions.

ON/OFF (toggle)
Enable/disable the policy.
ON
Months Since Activity
Choose how many months since the last activity will trigger a violation.
Current setting
Ignore Application Business Priority for severity calculation (checkbox)
When enabled, severity is not adjusted based on application priority.
OFF
Audit log access
Grant Ox access to your source control platform's audit logs. This enables the detection of admin activity across all repositories. The access is required for Ox to accurately evaluate policies related to administrative functions.
Required
Outside collaborator not using 2FA
Purpose: Detects outside collaborators who have access to repositories without two-factor authentication (2FA) enabled.
Supported Source Control Managers:
GitHub
Business impact: Accounts without 2FA are more likely to be compromised through credential theft. A compromised outside collaborator can provide attackers with access to source code and repository functions. This increases the risk of unauthorized changes and supply chain attacks.

ON/OFF (toggle)
Enable/disable the policy.
ON
Ignore Application Business Priority for severity calculation (checkbox)
When enabled, severity is not adjusted based on application priority.
ON
Outside collaborator is a repo admin
Purpose: Detects repositories where an outside collaborator is assigned administrator-level permissions.
Supported Source Control Managers:
GitHub
GitLab
Business impact: Outside collaborators are not managed as internal users and their status may change without visibility. Administrative access allows full control over repository settings and code. A compromised external account can enable unauthorized changes and persistent access, increasing supply chain risk.

ON/OFF (toggle)
Enable/disable the policy.
ON
Ignore Application Business Priority for severity calculation (checkbox)
When enabled, severity is not adjusted based on application priority.
OFF
Outside collaborator is a repo maintainer
Purpose: Detects repositories where an outside collaborator is assigned maintainer-level permissions.
Supported Source Control Managers:
GitHub
GitLab
Business impact: Outside collaborators are not governed by internal user controls and their status may change without notice. Maintainer access allows elevated control over repository settings and workflows. A compromised external account can introduce unauthorized changes and increase supply chain risk.

ON/OFF (toggle)
Enable/disable the policy.
ON
Ignore Application Business Priority for severity calculation (checkbox)
When enabled, severity is not adjusted based on application priority.
OFF
Outside collaborator with no activity
Purpose: Detects outside collaborators who retain access to repositories without recent contribution activity.
Supported Source Control Managers:
GitHub
GitLab
Business impact: Inactive external access increases the risk of unnoticed account compromise. A compromised outside collaborator account can be used to introduce unauthorized changes. Removing unused access reduces the attack surface and limits potential impact.

ON/OFF (toggle)
Enable/disable the policy.
ON
Months Since Activity
Choose how many months since the last activity will trigger a violation.
Current setting
Ignore Application Business Priority for severity calculation (checkbox)
When enabled, severity is not adjusted based on application priority.
OFF
Personal public repo detected
Purpose: Detects public personal repositories owned by organization members.
Supported Source Control Managers:
GitHub
GitLab
Azure
Bitbucket Cloud
Business impact: Public personal repositories may expose code copied from private organizational repositories. Sensitive logic or proprietary information can become publicly accessible. This increases the risk of data leakage and intellectual property loss.

ON/OFF (toggle)
Enable/disable the policy.
ON
Ignore User Repos Older Than (Months)
Ignores repos older than the entered number of months.
Current setting
Users to report on
Determines the organization users to report on.
Click to add.
Current setting
Monitor Time for Former Members (Months)
Stops evaluating former members who left the company more than the selected number of months ago.
Current setting
Include Forked Public Repos (checkbox)
If the repo is forked (from another public repo by definition), then it is unlikely to contain proprietary data.
ON
Ignore Application Business Priority for severity calculation (checkbox)
When enabled, severity is not adjusted based on application priority.
OFF
Private personal repo fork detected
Purpose: Detects private personal repositories owned by organization members that may contain code copied or forked from organizational repositories.
Supported Source Control Managers:
GitHub
Business impact: Organizational code stored in personal repositories reduces visibility and governance. Sensitive or proprietary code may persist outside approved controls and processes. This increases the risk of data leakage, compliance gaps, and unmanaged code reuse, even without malicious intent.

ON/OFF (toggle)
Enable/disable the policy.
ON
Ignore User Repos Older Than (Months)
Ignores repos older than the entered number of months.
Current setting
Users to report on
Determines the organization users to report on.
Click to add.
Current setting
Monitor Time for Former Members (Months)
Stops evaluating former members who left the company more than the selected number of months ago.
Current setting
Ignore Application Business Priority for severity calculation (checkbox)
When enabled, severity is not adjusted based on application priority.
OFF
Private repo forking is enabled
Purpose: Detects organizations or repositories where forking of private repositories is allowed.
Supported Source Control Managers:
GitHub
Business impact: Forking private repositories can duplicate proprietary or confidential code outside organizational control. Forks may persist even after access is revoked, reducing visibility and governance. This increases the risk of data leakage and uncontrolled distribution of sensitive code.

ON/OFF (toggle)
Enable/disable the policy.
ON
Ignore Application Business Priority for severity calculation (checkbox)
When enabled, severity is not adjusted based on application priority.
OFF
Ignore Business Priority Less Than
Ignore repos with Business Priority less than the number entered.
Current setting
Protected branch can be deleted by a non-admin
Purpose: Detects repositories where protected branches can be deleted by users without administrator privileges.
Supported Source Control Managers:
GitHub
GitLab
Bitbucket Cloud
Business impact: Allowing non-admin users to delete protected branches increases the risk of accidental or malicious deletion. Loss of critical branches can disrupt development, block deployments, and prevent artifact generation. Recovery may be difficult or impossible, leading to operational impact.

ON/OFF (toggle)
Enable/disable the policy.
ON
Repo Visibility (dropdown)
Determines if this policy applies to public repos, private repos or both.
Current setting
Ignore Business Priority Less Than
Ignore repos with Business Priority less than the number entered.
Current setting
Ignore Application Business Priority for severity calculation (checkbox)
When enabled, severity is not adjusted based on application priority.
OFF
Public repo detected
Purpose: Detects public personal repositories owned by organization members.
Supported Source Control Managers:
GitHub
GitLab
Azure
Bitbucket Cloud
Business impact: Public personal repositories may expose code copied from private organizational repositories. Proprietary logic or sensitive information can become publicly accessible. This increases the risk of data leakage and intellectual property loss.

ON/OFF (toggle)
Enable/disable the policy.
ON
Ignore User Repos Older Than (Months)
Ignores repos older than the entered number of months.
Current setting
Users to report on
Determines the organization users to report on.
Click to add.
Current setting
Monitor Time for Former Members (Months)
Stops evaluating former members who left the company more than the selected number of months ago.
Current setting
Include Forked Public Repos
If the repo is forked (from another public repo by definition), then it is unlikely to contain proprietary data.
ON
Ignore Application Business Priority for severity calculation (checkbox)
When enabled, severity is not adjusted based on application priority.
OFF
Repo admin with no admin activity
Purpose: Detects repository administrators, excluding organization or group owners, who retain admin access without recent administrative or development activity.
Supported Source Control Managers:
GitHub
GitLab
Azure
Bitbucket Cloud
Business impact: Inactive administrators retain the ability to delete repositories and manage user access. Accounts belonging to former employees or unused identities increase the risk of unnoticed compromise. Reducing inactive admin access lowers the attack surface and limits the potential impact of unauthorized actions.

ON/OFF (toggle)
Enable/disable the policy.
ON
Months Since Activity
Choose how many months since the last activity will trigger a violation.
Current setting
Ignore Application Business Priority for severity calculation (checkbox)
When enabled, severity is not adjusted based on application priority.
OFF
Security policy file missing in repo
Purpose: Detects repositories that do not contain a security policy file.
Supported Source Control Managers:
GitHub
GitLab
Azure
Bitbucket Cloud
Business impact: Without a security policy, users may not know how to responsibly report vulnerabilities. This can delay disclosure or lead to public exposure of security issues. For public repositories, missing guidance increases the risk of unmanaged vulnerability handling and reputational damage.

ON/OFF (toggle)
Enable/disable the policy.
ON
Repo Visibility (dropdown)
Determines if this policy applies to public repos, private repos or both.
Current setting
Ignore Application Business Priority for severity calculation (checkbox)
When enabled, severity is not adjusted based on application priority.
OFF
Single owner in org
Purpose: Detects organizations or groups that have only one owner account.
Supported Source Control Managers:
GitHub
GitLab
Azure
Bitbucket Cloud
Business impact: A single owner creates a single point of failure for administrative access. If the owner account becomes unavailable or compromised, critical management actions may be blocked. This increases operational risk and weakens the resilience of access controls.

ON/OFF (toggle)
Enable/disable the policy.
ON
Min Users
No issue will be created if the number of users in the org or group is less than or equal to the entered value.
Current setting
Ignore Application Business Priority for severity calculation (checkbox)
When enabled, severity is not adjusted based on application priority.
OFF
Too many org owners
Purpose: Detects organizations or first-level groups where the number of owners or admins is disproportionately high.
Supported Source Control Managers:
GitHub
GitLab
Azure
Bitbucket Cloud
Business impact: Each owner or admin has broad authority over repositories and access controls. A larger set of privileged accounts increases the attack surface and impact of compromise. Reducing the number of owners improves security and limits potential damage from unauthorized actions.

ON/OFF (toggle)
Enable/disable the policy.
ON
Max Admins
An issue is created if the number of admins exceeds the entered value.
Current setting
Max Admin Percent
An issue is created if the percentage of admins exceeds the entered value.
Current setting
Ignore Application Business Priority for severity calculation (checkbox)
When enabled, severity is not adjusted based on application priority.
OFF
Too many repo admins
Purpose: Detects repositories with an excessive number of users assigned administrator privileges.
Supported Source Control Managers:
GitHub
GitLab
Azure
Bitbucket Cloud
Requires Audit Log Access
Business impact: Each repository admin has full control over settings and access management. A higher number of admin accounts increases the likelihood and impact of account compromise. Reducing admin roles limits the attack surface and potential damage from unauthorized actions.

ON/OFF (toggle)
Enable/disable the policy.
ON
Max Admins
An issue is created if the number of admins exceeds the entered value.
Current setting
Max Admin Percent
An issue is created if the percentage of admins exceeds the entered value.
Current setting
Ignore Owners
Choose if Org/Group owners who by default are repo admins will be ignored.
ON
Ignore Application Business Priority for severity calculation (checkbox)
When enabled, severity is not adjusted based on application priority.
OFF
Audit log access
Grant Ox access to your source control platform's audit logs. This enables the detection of admin activity across all repositories. The access is required for Ox to accurately evaluate policies related to administrative functions.
Required
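As an added example (not Ox's code) covering both "Too many org owners" and "Too many repo admins", the following Python applies the Max Admins, Max Admin Percent and Ignore Owners settings to constructed membership data. The data model, the role names and the way Ignore Owners removes org owners from both the admin count and the member total are assumptions.

```python
"""Added example: evaluate 'Too many org owners' and 'Too many repo admins' over
constructed membership data. Settings mirror the options on this page; the data
model, role vocabulary and Ignore Owners handling are this example's assumptions."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Principal:
    login: str
    role: str                   # constructed vocabulary: owner | admin | member | write | read
    is_org_owner: bool = False  # org/group owners are repo admins by default


@dataclass(frozen=True)
class Thresholds:
    max_admins: int              # issue if the admin count exceeds this value
    max_admin_percent: float     # issue if 100 * admins / members exceeds this value
    ignore_owners: bool = False  # repo policy only: leave org/group owners out of the count


# Constructed sample: an organization with 8 members, 2 of them owners.
ORG_MEMBERS: List[Principal] = [
    Principal("alice", "owner", is_org_owner=True),
    Principal("bob", "owner", is_org_owner=True),
] + [Principal(login, "member") for login in ("carol", "dave", "erin", "frank", "grace", "heidi")]

# Constructed sample: a repository with 8 collaborators and 4 admins,
# two of whom are admins only because they are org owners.
REPO_COLLABORATORS: List[Principal] = [
    Principal("alice", "admin", is_org_owner=True),
    Principal("bob", "admin", is_org_owner=True),
    Principal("dave", "admin"),
    Principal("erin", "admin"),
    Principal("frank", "write"),
    Principal("grace", "write"),
    Principal("heidi", "read"),
    Principal("ivan", "read"),
]


def evaluate(principals: Iterable[Principal], thresholds: Thresholds, admin_roles: Set[str]) -> Dict:
    """Apply both thresholds and report why (if at all) an issue would be created."""
    members = list(principals)
    if thresholds.ignore_owners:
        # Assumption: ignored owners drop out of both the admin count and the member total.
        members = [p for p in members if not p.is_org_owner]
    admins = [p for p in members if p.role in admin_roles]
    percent = 100.0 * len(admins) / len(members) if members else 0.0
    reasons: List[str] = []
    if len(admins) > thresholds.max_admins:
        reasons.append(f"{len(admins)} admins exceed Max Admins = {thresholds.max_admins}")
    if percent > thresholds.max_admin_percent:
        reasons.append(f"{percent:.1f}% admins exceed Max Admin Percent = {thresholds.max_admin_percent}")
    return {
        "violation": bool(reasons),
        "admins": sorted(p.login for p in admins),
        "admin_percent": round(percent, 1),
        "reasons": reasons,
    }


def check_too_many_org_owners(org_members: Iterable[Principal], thresholds: Thresholds) -> Dict:
    """Org/group level: owners are the privileged role; Ignore Owners does not apply."""
    return evaluate(org_members, Thresholds(thresholds.max_admins, thresholds.max_admin_percent), {"owner"})


def check_too_many_repo_admins(collaborators: Iterable[Principal], thresholds: Thresholds) -> Dict:
    """Repository level: admins are the privileged role; Ignore Owners is honored."""
    return evaluate(collaborators, thresholds, {"admin"})


if __name__ == "__main__":
    print("org:", check_too_many_org_owners(ORG_MEMBERS, Thresholds(max_admins=3, max_admin_percent=20.0)))
    for ignore in (False, True):
        result = check_too_many_repo_admins(
            REPO_COLLABORATORS, Thresholds(max_admins=3, max_admin_percent=50.0, ignore_owners=ignore))
        print(f"repo (Ignore Owners={ignore}):", result)
```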
Unarchived stale repo
Purpose: Detects repositories with no recent activity that remain unarchived.
Supported Source Control Managers:
GitHub
GitLab
Bitbucket Cloud
Business impact: Inactive repositories that remain writable increase the risk of unnoticed changes or misuse. Stale code may be reintroduced into builds or deployments without proper context. Archiving unused repositories reduces the attack surface and clarifies that the code is no longer maintained.

ON/OFF (toggle)
Enable/disable the policy.
ON
Months Since Change
Choose the minimum number of months without changes before a violation can occur.
Current setting
Repo Type (dropdown)
Choose if the policy applies to private, public or all repo types.
Current setting
Ignore Application Business Priority for severity calculation (checkbox)
When enabled, severity is not adjusted based on application priority.
OFF
Unreviewed code change
Purpose: Detects code changes that were merged or pushed without meeting the minimum required number of reviews.
Supported Source Control Managers:
GitHub
GitLab
Azure
Bitbucket Cloud
Business impact: Unreviewed changes increase the likelihood of bugs or malicious code reaching production. Lack of review weakens a key control used to detect insecure or unintended changes. This elevates the risk of security incidents and downstream impact.

ON/OFF (toggle)
Enable/disable the policy.
ON
Reviews Required
Specify the minimum number of reviewers per code push for the policy.
Current setting
Files Changed
Specify the minimum number of files changed for the policy.
Current setting
Ignore Older Code Changes (Months)
Specify the maximum age, in months, of the changes to evaluate.
Current setting
Ignore File Types
Choose the file types that will not trigger a violation.
Current setting
Ignore Business Priority Less Than
Ignore repos with Business Priority less than the number entered.
Current setting
Ignore Admins & Owners
An admin will not trigger a violation.
Current setting
Dominant Language Percentage Min
A violation will not occur if dominant language percentage is lower than the value entered.
Current setting
Ignore Application Business Priority for severity calculation (checkbox)
When enabled, severity is not adjusted based on application priority.
OFF
Veteran developer review required
Purpose: Detects code changes made by infrequent contributors that are not reviewed by a designated veteran developer.
Supported Source Control Managers:
GitHub
GitLab
Azure
Bitbucket Cloud
Business impact: Infrequent contributors are more likely to introduce bugs or security vulnerabilities. Without review by an experienced maintainer, risky changes may reach production unnoticed. This increases the likelihood of security issues and unstable code entering critical branches.

ON/OFF (toggle)
Enable/disable the policy.
ON
Infrequent Developer (Max Code Changes)
Specify the number of pushes or pull requests below which a developer is considered infrequent.
Current setting
Veteran Reviewer (Min Reviews)
Specify the number of reviews that define a veteran reviewer (greater than or equal to).
Current setting
Veteran Reviewer (Min Code Pushes)
Specify the number of pushes that define a veteran reviewer (greater than or equal to).
Current setting
Always a Veteran Reviewer
Users by name who will always be considered as veteran reviewers in the system. Click to add.
Current setting
Ignore Older Code Changes (Months)
Specify the maximum age, in months, of the changes to evaluate.
Current setting
Ignore Business Priority Less Than
Ignore repos with Business Priority less than the number entered.
Current setting
Ignore File Types
Click to add.
Current setting
Ignore Admins & Owners
An admin will not trigger a violation.
Current setting
Ignore Application Business Priority for severity calculation (checkbox)
When enabled, severity is not adjusted based on application priority.
OFF
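As an added example (not Ox's code) covering both "Unreviewed code change" and "Veteran developer review required", the following Python applies this page's settings to constructed change records and contributor statistics. The record format, 30-day months, not counting an author's own approval, and requiring a veteran reviewer to meet both Min Reviews and Min Code Pushes are assumptions of this example.

```python
# Added example (not Ox's code): evaluates 'Unreviewed code change' and 'Veteran developer
# review required' over constructed records. Assumptions: 30-day months, an author's own
# approval does not count, and a veteran must meet both Min Reviews and Min Code Pushes.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Contributor:
    login: str
    code_changes: int       # pushes / pull requests authored in the evaluated window
    reviews: int            # reviews given in the evaluated window
    is_admin: bool = False  # repo admin or org/group owner


@dataclass(frozen=True)
class Change:
    id: str
    author: str
    merged_at: datetime
    files: Tuple[str, ...]      # paths touched
    approvers: Tuple[str, ...]  # logins that approved the change


@dataclass(frozen=True)
class CommonSettings:  # settings both policies on this page share
    ignore_older_months: int = 6                                    # Ignore Older Code Changes (Months)
    ignore_file_types: FrozenSet[str] = frozenset({".md", ".txt"})  # Ignore File Types
    ignore_admins: bool = True                                      # Ignore Admins & Owners


def ts(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample data; NOW is fixed so results are reproducible.
NOW = ts(2025, 6, 1)
CONTRIBUTORS: Dict[str, Contributor] = {c.login: c for c in (
    Contributor("nina", code_changes=2, reviews=0),    # infrequent contributor
    Contributor("omar", code_changes=40, reviews=25),  # veteran reviewer
    Contributor("pat", code_changes=12, reviews=3),    # regular, not a veteran
    Contributor("quinn", code_changes=1, reviews=0, is_admin=True),
)}
CHANGES: List[Change] = [
    Change("PR-101", "nina", ts(2025, 5, 20), ("src/auth/login.py", "README.md"), ("pat",)),
    Change("PR-102", "pat", ts(2025, 5, 25), ("src/api/handlers.py", "src/api/routes.py"), ()),
    Change("PR-103", "nina", ts(2024, 10, 1), ("src/db/schema.sql",), ()),             # too old
    Change("PR-104", "quinn", ts(2025, 5, 28), ("infra/deploy.yaml",), ()),            # admin author
    Change("PR-105", "pat", ts(2025, 5, 30), ("docs/guide.md", "CHANGELOG.txt"), ()),  # ignored types only
    Change("PR-106", "nina", ts(2025, 5, 29), ("src/auth/token.py",), ("omar", "nina")),
]


def material_files(change: Change, settings: CommonSettings) -> List[str]:
    """Files left after the Ignore File Types filter."""
    return [f for f in change.files if not f.lower().endswith(tuple(settings.ignore_file_types))]


def in_scope(change: Change, contributors: Dict[str, Contributor],
             settings: CommonSettings, now: datetime) -> bool:
    """Filters shared by both policies: age window, ignored file types, admin authors."""
    if change.merged_at < now - timedelta(days=30 * settings.ignore_older_months):
        return False
    if not material_files(change, settings):
        return False
    author = contributors.get(change.author)
    return not (settings.ignore_admins and author is not None and author.is_admin)


def external_approvers(change: Change) -> set:
    return {a for a in change.approvers if a != change.author}


def unreviewed_code_changes(changes, contributors, settings, reviews_required, files_changed_min, now=NOW):
    """Changes with fewer approvals than Reviews Required that touch >= Files Changed files."""
    flagged = []
    for c in changes:
        if not in_scope(c, contributors, settings, now) or len(material_files(c, settings)) < files_changed_min:
            continue
        if len(external_approvers(c)) < reviews_required:
            flagged.append(c.id)
    return flagged


def veteran_review_missing(changes, contributors, settings, infrequent_max_changes,
                           veteran_min_reviews, veteran_min_pushes, always_veteran=frozenset(), now=NOW):
    """Changes by an infrequent author (fewer than Max Code Changes) with no veteran approval."""
    def is_veteran(login: str) -> bool:
        if login in always_veteran:  # Always a Veteran Reviewer list
            return True
        u = contributors.get(login)
        return u is not None and u.reviews >= veteran_min_reviews and u.code_changes >= veteran_min_pushes

    flagged = []
    for c in changes:
        if not in_scope(c, contributors, settings, now):
            continue
        author = contributors.get(c.author)
        if author is not None and author.code_changes >= infrequent_max_changes:
            continue  # regular contributor: this policy does not apply
        if not any(is_veteran(a) for a in external_approvers(c)):
            flagged.append(c.id)
    return flagged


if __name__ == "__main__":
    print("unreviewed:", unreviewed_code_changes(CHANGES, CONTRIBUTORS, CommonSettings(), 1, 1))
    print("no veteran review:", veteran_review_missing(CHANGES, CONTRIBUTORS, CommonSettings(), 5, 20, 30))
```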
View policy issues
Open the Active Issues page.
Use the Category filter and select the policy category to view related active issues.
Use the Policy filter to narrow the list to a specific policy.
Apply the Category and Policy filters separately or together, depending on how specific you want the results to be.
Use the search box to refine results, such as filtering by file name, keyword, or rule identifier.
Create or save policy profiles
When you change a policy’s severity, ON/OFF toggle or any other setting, you must save the current profile or create a new one.
To save the current profile, click SAVE in the page header.
To create a new profile, click SAVE AS in the page header. For instructions, see the section Create or edit policy profiles in the Policies article.