1.1.4 Ensure previous approvals are dismissed when updates are introduced to a code change proposal
ID: cis_sscs/previous_approval_dismissed
Severity: critical
Category: source_code/code_changes
Levels: (none listed)
Optional: false
Tags: code-reviews, source-code, supply-chain
Description
Ensure that when a proposed code change is updated, previous approvals are declined, and new approvals are required.
Rationale
An approval process is necessary when code changes are suggested. Through this approval process, however, changes can still be made to the original proposal even after some approvals have already been given. This means malicious code can find its way into the code base even if the organization has enforced a review policy. To ensure this is not possible, outdated approvals must be declined when changes to the suggestion are introduced.
Verification
Ensure that when new code changes are pushed to a specific proposal, all approvals previously given to that proposal are dismissed and fresh approvals are required.
Remediation
For each code repository in use, enforce an organization-wide policy to dismiss given approvals to code change suggestions if those suggestions were updated.
When using Azure DevOps, ensure the "Require a minimum number of reviewers" policy is enabled and that, under the "When new changes are pushed" option, either "Reset all approval votes" or "Reset all code reviewer votes" is selected.
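An added example (not part of the benchmark text) of how the Azure DevOps remediation above can be verified automatically: it evaluates a project's branch policy configurations and fails any minimum-reviewers policy that lets approvals survive a new push. The input mirrors the shape of the Azure DevOps Policy Configurations REST API response; the field names (`resetOnSourcePush`, `resetRejectionsOnSourcePush`, `minimumApproverCount`, `isBlocking`) and the policy display name are assumptions from that API, and the sample configurations are constructed.

```python
"""Check Azure DevOps minimum-reviewers policies for CIS SSCS 1.1.4.
Added example; field names are assumed from the Azure DevOps Policy Configurations
REST API, and SAMPLE_CONFIGURATIONS below is constructed, not captured from a real org."""

# Assumed display name of the "Require a minimum number of reviewers" policy type.
MIN_REVIEWERS_POLICY = "Minimum number of reviewers"


def policy_applies(policy: dict) -> bool:
    """A policy only protects the branch if it is enabled, blocking, and not deleted."""
    return bool(policy.get("isEnabled", False) and policy.get("isBlocking", False)
                and not policy.get("isDeleted", False))


def evaluate_policy(policy: dict) -> dict:
    """Return PASS/FAIL with reasons for one minimum-reviewers policy configuration."""
    reasons: list[str] = []
    settings = policy.get("settings", {})
    if not policy_applies(policy):
        reasons.append("policy is disabled, non-blocking, or deleted")
    if settings.get("minimumApproverCount", 0) < 1:
        reasons.append("minimumApproverCount is 0: no approval is required at all")
    # Either "When new changes are pushed" option satisfies the control.
    resets_approvals = settings.get("resetOnSourcePush", False)            # Reset all approval votes
    resets_all_votes = settings.get("resetRejectionsOnSourcePush", False)  # Reset all code reviewer votes
    if not (resets_approvals or resets_all_votes):
        reasons.append("approvals survive new pushes: enable 'Reset all approval votes' "
                       "or 'Reset all code reviewer votes'")
    return {"id": policy.get("id"), "status": "FAIL" if reasons else "PASS", "reasons": reasons}


def evaluate_project(configurations: list[dict]) -> list[dict]:
    """Evaluate every minimum-reviewers policy; a project with none at all is a single FAIL."""
    relevant = [p for p in configurations
                if p.get("type", {}).get("displayName") == MIN_REVIEWERS_POLICY]
    if not relevant:
        return [{"id": None, "status": "FAIL",
                 "reasons": ["no 'Minimum number of reviewers' policy configured"]}]
    return [evaluate_policy(p) for p in relevant]


# Constructed sample: policy 1 resets approvals on push (compliant); policy 2 keeps stale approvals.
SAMPLE_CONFIGURATIONS = [
    {"id": 1, "isEnabled": True, "isBlocking": True, "isDeleted": False,
     "type": {"displayName": MIN_REVIEWERS_POLICY},
     "settings": {"minimumApproverCount": 2, "creatorVoteCounts": False, "resetOnSourcePush": True}},
    {"id": 2, "isEnabled": True, "isBlocking": True, "isDeleted": False,
     "type": {"displayName": MIN_REVIEWERS_POLICY},
     "settings": {"minimumApproverCount": 1, "creatorVoteCounts": False, "resetOnSourcePush": False}},
]

if __name__ == "__main__":
    for result in evaluate_project(SAMPLE_CONFIGURATIONS):
        print(result)
```

In a real run, `SAMPLE_CONFIGURATIONS` would be replaced by the `value` array returned by the policy configurations endpoint for each project.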