CM-11: Production Deployment Access Control
Limited access to promote changes to production environment without source code editing capabilities
Control Description
Access to promote changes into the production environment related to the in-scope applications and related databases is limited to appropriate individuals without the ability to edit the source code.
Plain Meaning
Only specific people should be able to deploy changes to production, and these people should not have the ability to modify the source code directly. This separation of duties ensures that those who can deploy to production cannot make unauthorized code changes, and those who can write code cannot deploy to production without proper review and approval.
Branch Protection Rules
- Go to your repository’s settings.
- Under “Branches,” add a protection rule for your production branch (e.g., main or prod).
- Enable “Restrict who can push to matching branches.”
- Select only the specific GitHub user or team allowed to push.
Audit and Monitor
- Use GitHub’s audit logs to track who pushes to production.
- Regularly review permissions and access.
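Reviewing the resulting branch protection settings against this control, as an added example (not part of the control text or of GitHub's own tooling): it takes the JSON shape returned by GitHub's branch protection API (`GET /repos/{owner}/{repo}/branches/{branch}/protection`) and a management-approved list of pushers, both of which are constructed sample data here.

```python
import json

# Constructed sample of a branch protection response: restrictions are present,
# but an unapproved account is on the allow-list and admins can bypass it.
# A live copy can be fetched with: gh api repos/OWNER/REPO/branches/main/protection
PROTECTION = json.loads("""
{
  "enforce_admins": {"enabled": false},
  "required_pull_request_reviews": {"required_approving_review_count": 1},
  "restrictions": {
    "users": [{"login": "release-bot"}],
    "teams": [{"slug": "release-managers"}],
    "apps": []
  }
}
""")

# Constructed list of pushers management has approved for production.
APPROVED_PUSHERS = {"release-managers"}


def review_protection(protection, approved_pushers):
    """Return a list of findings; an empty list means the branch meets CM-11.

    approved_pushers: user logins and team slugs that are allowed to promote
    changes to production.
    """
    findings = []
    restrictions = protection.get("restrictions")
    if not restrictions:
        # Without restrictions, every collaborator with write access can push.
        return ["no push restrictions: any write collaborator can push to production"]
    actual = {u["login"] for u in restrictions.get("users", [])}
    actual |= {t["slug"] for t in restrictions.get("teams", [])}
    if not actual:
        findings.append("push restrictions enabled but the allow-list is empty")
    unapproved = actual - set(approved_pushers)
    if unapproved:
        findings.append(f"unapproved pushers on allow-list: {sorted(unapproved)}")
    if not protection.get("required_pull_request_reviews"):
        findings.append("pull request review is not required before merge")
    if not protection.get("enforce_admins", {}).get("enabled"):
        findings.append("enforce_admins disabled: administrators can bypass the rule")
    return findings


if __name__ == "__main__":
    for finding in review_protection(PROTECTION, APPROVED_PUSHERS):
        print("FINDING:", finding)
```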
Related Links
CM-09: Weekly Security Change Review Meetings
Weekly meetings to review security-related changes to in-scope applications and databases
CM-12: Management Approval for Production Changes
Management approval required for all changes to production environment including application, database, infrastructure, and configuration