Edges
The tables below list edges defined by the GitHub extension only. Additional edges to or from this node may be created by other extensions.
Inbound Edges
| Edge Type | Source Node Types | Traversable |
|---|---|---|
| GH_BypassPullRequestAllowances | GH_User, GH_Team | ❌ |
| GH_RestrictionsCanPush | GH_User, GH_Team | ❌ |
Outbound Edges
| Edge Type | Destination Node Types | Traversable |
|---|---|---|
| GH_ProtectedBy | GH_Branch | ❌ |
Properties
| Property Name | Data Type | Description |
|---|---|---|
| objectid | string | The GitHub node ID of the branch protection rule (e.g., BPR_kwDOMuFnXM4DPZQt). |
| name | string | Display name (e.g., repo\main). |
| id | string | Same as objectid. |
| environment_name | string | The GitHub organization login name. |
| environmentid | string | The GitHub organization node ID. |
| pattern | string | The branch name pattern this rule applies to (e.g., main, release/*). |
| enforce_admins | boolean | Whether branch protection rules are enforced for administrators. |
| lock_branch | boolean | Whether the branch is locked (read-only). |
| blocks_creations | boolean | Whether creating branches matching this pattern is restricted. Only effective when push_restrictions is also true; silently reverts to false otherwise. |
| required_pull_request_reviews | boolean | Whether pull request reviews are required before merging. |
| required_approving_review_count | integer | The number of approving reviews required. |
| require_code_owner_reviews | boolean | Whether reviews from code owners are required. |
| require_last_push_approval | boolean | Whether the last push must be approved by someone other than the pusher. |
| push_restrictions | boolean | Whether push access is restricted to specific users/teams. |
| requires_status_checks | boolean | Whether status checks must pass before merging. |
| requires_strict_status_checks | boolean | Whether branches must be up to date with the base branch before merging. |
| dismisses_stale_reviews | boolean | Whether new commits dismiss previously approved reviews. |
| allows_force_pushes | boolean | Whether force pushes are allowed to matching branches. |
| allows_deletions | boolean | Whether matching branches can be deleted. |
Diagram
Security Considerations
Branch protection rules are critical security controls. Key settings to review:
- enforce_admins: Enforces merge-gate controls (PR reviews, lock branch) for admins and users with bypass_branch_protection. Does not enforce push-gate controls (push_restrictions) for admins or users with push_protected_branch.
- required_pull_request_reviews: Blocks direct pushes to existing protected branches. Bypassed by GH_BypassBranchProtection and GH_BypassPullRequestAllowances (both suppressed by enforce_admins).
- push_restrictions: Restricts who can push. Bypassed by GH_PushProtectedBranch, GH_AdminTo, and GH_RestrictionsCanPush (none suppressed by enforce_admins).
- blocks_creations: Restricts new branch creation when push_restrictions is also true. Same bypass vectors as push_restrictions. Silently reverts to false if push_restrictions is disabled.
- lock_branch: Makes branch read-only. Bypassed by GH_BypassBranchProtection (suppressed by enforce_admins).
- require_code_owner_reviews: If false, changes to critical paths may not require owner approval.
- allows_force_pushes: Controls whether history rewrites are allowed. Does not grant push access — it is not a bypass mechanism.
- allows_deletions: If true, branches can be deleted (potentially losing code).
Secret Exfiltration Mitigation
The only branch protection configuration that blocks the write-access → workflow → secrets exfiltration attack path is push_restrictions + blocks_creations on a * pattern rule. However, users with GH_PushProtectedBranch, GH_AdminTo, GH_RestrictionsCanPush, or GH_EditRepoProtections can bypass this control.
For complete analysis, see Mitigating Controls.
Identifying Bypass Actors
Use these edges to identify users and teams with elevated branch permissions:
- GH_BypassPullRequestAllowances — can bypass PR requirements on a specific rule (PR reviews only)
- GH_RestrictionsCanPush — can push despite push restrictions on a specific rule
- GH_BypassBranchProtection — repo-wide bypass of merge-gate controls (PR reviews + lock branch)
- GH_PushProtectedBranch — repo-wide bypass of push-gate controls (push restrictions + blocks creations)
- GH_EditRepoProtections — can remove/modify protection rules entirely
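The gate and bypass semantics from Security Considerations and the edge list above, as an added worked example (not code from the BloodHound GitHub extension): given one rule's properties and the set of bypass edge types a principal holds, it reports which gates still hold. The Rule dataclass and the functions are assumptions of this example; the property and edge names are the page's own, and the model follows only the bypass lists as written above.

```python
from dataclasses import dataclass

# Bypass edges grouped by the gate they defeat, as listed in Security Considerations.
MERGE_GATE_BYPASS = {"GH_BypassBranchProtection", "GH_BypassPullRequestAllowances"}
LOCK_GATE_BYPASS = {"GH_BypassBranchProtection"}
PUSH_GATE_BYPASS = {"GH_PushProtectedBranch", "GH_AdminTo", "GH_RestrictionsCanPush"}


@dataclass
class Rule:
    """Constructed subset of the node properties above; others are omitted."""
    pattern: str
    enforce_admins: bool = False
    required_pull_request_reviews: bool = False
    lock_branch: bool = False
    push_restrictions: bool = False
    blocks_creations: bool = False


def effective_blocks_creations(rule: Rule) -> bool:
    # blocks_creations silently reverts to false unless push_restrictions is also true.
    return rule.push_restrictions and rule.blocks_creations


def can_push_to_existing_branch(rule: Rule, edges: set[str]) -> bool:
    """Can a principal holding `edges` push directly to a branch matching `rule`?"""
    # Push gate: its bypass edges are NOT suppressed by enforce_admins.
    if rule.push_restrictions and not (edges & PUSH_GATE_BYPASS):
        return False
    # Merge gates: their bypass edges ARE suppressed by enforce_admins.
    if rule.required_pull_request_reviews and (
        rule.enforce_admins or not (edges & MERGE_GATE_BYPASS)
    ):
        return False
    if rule.lock_branch and (rule.enforce_admins or not (edges & LOCK_GATE_BYPASS)):
        return False
    return True


def can_create_matching_branch(rule: Rule, edges: set[str]) -> bool:
    """Can the principal create a new branch matching `rule`? Same bypasses as push."""
    return not (effective_blocks_creations(rule) and not (edges & PUSH_GATE_BYPASS))


def blocks_secret_exfiltration_path(rule: Rule, edges: set[str]) -> bool:
    """The one configuration named above as blocking write access -> workflow ->
    secrets: push_restrictions + blocks_creations on a '*' rule, and no bypass edge."""
    if rule.pattern != "*" or not effective_blocks_creations(rule):
        return False
    return not (edges & (PUSH_GATE_BYPASS | {"GH_EditRepoProtections"}))
```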