Ensure verification of signed commits for new changes before merging

Identifying collaborators through signed commits prevents supply chain attacks

Risk Level: medium
Platform: Github
Spectral Rule ID: GH-HRD011


Enable signed commits.


In the repository setting on GitHub site:

  1. Go to 'Branches'.
  2. Go to 'Branch protection rule'.
  3. Click on 'Require signed commits' (should be marked).

Read more: