Ensure the GitHub repository default branch has a branch protection rule or ruleset with Allow deletions disabled.
Risk
Permitting deletion of the default branch undermines availability: CI/CD pipelines, release workflows and open pull requests that target that branch break as soon as the ref disappears.
It also undermines integrity: once the canonical ref is gone it can be recreated from altered history (history tampering, branch hijacking), and audits and rollbacks that rely on the original ref become harder.
prowler github --checks repository_default_branch_deletion_disabled
Recommendation
Disable deletions on the default branch using a classic branch protection rule or a ruleset (Allow deletions=false, or a ruleset with the Restrict deletions rule). Classic branch protection applies the deletion restriction to administrators as well; with rulesets, keep the enforcement status active and keep the bypass list as short as possible, since bypass actors can still delete the branch. Combine this with required pull requests and required status checks for defense in depth.
Remediation
gh api -X PUT repos/<OWNER>/<REPO>/branches/<DEFAULT_BRANCH>/protection -F required_status_checks=null -F enforce_admins=true -F required_pull_request_reviews=null -F restrictions=null -F allow_deletions=false
There is no separate allow_deletions sub-resource to DELETE; allow_deletions is a field of the branch protection PUT. That PUT replaces the whole protection rule, so re-send the status checks, review requirements and push restrictions already configured in place of the null values above rather than wiping them. Afterwards, a GET on the same protection endpoint should report allow_deletions.enabled as false.
- In GitHub, open the repository and go to Settings > Branches
- Edit the branch protection rule for the default branch (or Add rule if none exists)
- Ensure "Allow deletions" is unchecked
- Click Save changes
- Alternatively, go to Settings > Rules > Rulesets, create or edit a branch ruleset that targets the default branch, enable "Restrict deletions", and set the enforcement status to Active
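The decision this check makes can be reproduced offline from the two REST responses that describe a branch's protections. The following is an added example, not Prowler's implementation of repository_default_branch_deletion_disabled: it evaluates the classic branch protection response (GET /repos/{owner}/{repo}/branches/{branch}/protection, whose allow_deletions.enabled field is what the console checkbox toggles) and the active ruleset rules for the branch (GET /repos/{owner}/{repo}/rules/branches/{branch}, where a rule of type "deletion" means deletion is restricted). The repository names, ruleset id and response bodies below are constructed samples, not captured from a real API; the same functions can be fed live output from gh api to verify remediation.

```python
"""Evaluate default-branch deletion protection from GitHub API responses.

Added example; not Prowler's own check code. Inputs are the JSON bodies of:
  GET /repos/{owner}/{repo}/branches/{branch}/protection
      -> classic branch protection; "allow_deletions": {"enabled": bool}
         (a 404 "Branch not protected" is modelled here as None)
  GET /repos/{owner}/{repo}/rules/branches/{branch}
      -> rules from active rulesets in effect for the branch, e.g. {"type": "deletion"}
The sample responses below are constructed, not captured from a real repository.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Any


@dataclass(frozen=True)
class Finding:
    repo: str
    status: str  # "PASS" or "FAIL"
    reason: str


def classic_protection_blocks_deletion(protection: dict[str, Any] | None) -> bool:
    """True when a classic branch protection rule exists and Allow deletions is off.

    A missing allow_deletions object is treated as 'allowed', so the check fails
    closed instead of passing on incomplete evidence.
    """
    if protection is None:
        return False
    allow_deletions = protection.get("allow_deletions") or {}
    return not allow_deletions.get("enabled", True)


def ruleset_blocks_deletion(active_rules: list[dict[str, Any]]) -> bool:
    """True when an active ruleset applies a 'deletion' rule to the branch.

    The rules/branches endpoint only returns rules from rulesets whose
    enforcement is 'active', so rulesets in 'evaluate' or 'disabled' mode
    never satisfy the check.
    """
    return any(rule.get("type") == "deletion" for rule in active_rules)


def evaluate(repo: str, default_branch: str,
             protection: dict[str, Any] | None,
             active_rules: list[dict[str, Any]]) -> Finding:
    """PASS if either mechanism blocks deletion of the default branch, else FAIL."""
    if classic_protection_blocks_deletion(protection):
        return Finding(repo, "PASS",
                       f"branch protection on {default_branch} has Allow deletions disabled")
    if ruleset_blocks_deletion(active_rules):
        return Finding(repo, "PASS",
                       f"an active ruleset applies a deletion rule to {default_branch}")
    return Finding(repo, "FAIL",
                   f"default branch {default_branch} has no protection against deletion")


# Constructed sample responses (hypothetical repositories) covering the usual cases.
SAMPLES: dict[str, tuple[str, dict[str, Any] | None, list[dict[str, Any]]]] = {
    "org/protected-classic": (
        "main",
        {"url": "https://api.github.com/repos/org/protected-classic/branches/main/protection",
         "enforce_admins": {"enabled": True},
         "allow_force_pushes": {"enabled": False},
         "allow_deletions": {"enabled": False}},
        [],
    ),
    "org/protected-ruleset": (
        "main",
        None,  # no classic rule: GET .../protection returned 404
        [{"type": "deletion", "ruleset_source_type": "Repository", "ruleset_id": 42},
         {"type": "non_fast_forward", "ruleset_source_type": "Repository", "ruleset_id": 42}],
    ),
    "org/deletable": (
        "develop",
        {"url": "https://api.github.com/repos/org/deletable/branches/develop/protection",
         "enforce_admins": {"enabled": False},
         "allow_deletions": {"enabled": True}},  # rule exists but deletions are allowed
        [],
    ),
    "org/unprotected": ("main", None, []),
}


def run_check(samples=SAMPLES) -> list[Finding]:
    """Evaluate every sample repository and return the findings."""
    return [evaluate(repo, branch, protection, rules)
            for repo, (branch, protection, rules) in samples.items()]


if __name__ == "__main__":
    for finding in run_check():
        print(f"{finding.status:4} {finding.repo}: {finding.reason}")
```

The "org/deletable" sample is the case the console steps above fix: a protection rule exists, so a check that only tests for the presence of a rule would pass it, yet Allow deletions is still on. Checking the field itself, and treating a ruleset as sufficient only when it is active, keeps the evaluation aligned with what actually stops a git push --delete.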
Source Code
Resource Type
NotDefined
References
- https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule
- https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches
- https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/available-rules-for-rulesets