Threat Feed
medium advisory

GitHub Classic Branch Protection Rule Disabled

This analytic detects when classic branch protection rules are disabled in GitHub Organizations, potentially allowing malicious actors to bypass code review and security controls.

This detection identifies instances where classic branch protection rules are disabled within GitHub Organizations. These rules are critical security controls that enforce code review, prevent force pushes, and maintain code quality. The detection monitors GitHub Organizations audit logs for protected_branch.destroy events, tracking actor details, repository information, and associated metadata. An attacker who disables these protections can push unauthorized code changes or backdoors directly to protected branches. This activity is critical for defenders because it bypasses security reviews and can lead to code tampering, introduction of vulnerabilities, or compromise of the software supply chain. The described behavior was observed on 2026-05-04 (date from source).

Attack Chain

  1. An attacker gains initial access to a GitHub Organization account with sufficient privileges to modify branch protection rules.
  2. The attacker authenticates to the GitHub API or web interface.
  3. The attacker navigates to the repository settings to modify branch protection rules.
  4. The attacker identifies and targets a specific branch with classic protection rules enabled.
  5. The attacker initiates a protected_branch.destroy action to disable the branch protection rules. This action generates an audit log event.
  6. GitHub Organizations audit logs record the event, including details about the actor, repository, and timestamp.
  7. With branch protection disabled, the attacker can directly push unauthorized code changes to the protected branch.
  8. The attacker introduces malicious code, backdoors, or vulnerabilities into the codebase, potentially compromising the software supply chain.

Impact

Disabling branch protection rules can lead to significant security breaches. The lack of code review and security controls allows for the introduction of malicious code, potentially leading to compromised builds, supply chain attacks, and data breaches. Successful exploitation can result in reputational damage, financial losses, and legal liabilities.

Recommendation

  • Deploy the Sigma rule "GitHub Organization Branch Protection Disabled" to your SIEM to detect unauthorized disabling of branch protection rules in GitHub Organizations.
  • Enable GitHub Organizations audit logs and ingest them using the Splunk Add-on for GitHub, as mentioned in the reference link.
  • Investigate any alerts generated by the Sigma rule, focusing on the actor, repository, and timestamp of the event to identify potential malicious activity.
  • Monitor user activity for anomalous behavior, such as disabling branch protection rules outside of normal business hours or by unauthorized personnel.
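As an added illustration of the detection and triage logic described above (example code, not part of the original advisory or of either Sigma rule), the following scans GitHub Organization audit log entries for protected_branch.destroy events and annotates each hit with the triage signals the recommendations call out: an actor outside an approved admin list, activity outside business hours, and a non-browser user agent. The audit log sample is constructed; the approved-actor list, the business-hours window (UTC) and the browser heuristic are assumptions for the example.

```python
import json
from datetime import datetime, timezone

# Constructed sample of GitHub Organization audit log entries (JSON lines).
# Field names follow the GitHub audit log export; the values are made up.
SAMPLE_AUDIT_LOG = """
{"action": "protected_branch.destroy", "actor": "release-bot", "repo": "acme/payments", "org": "acme", "@timestamp": 1777888800000, "user_agent": "Mozilla/5.0 (X11; Linux x86_64)"}
{"action": "protected_branch.update_required_status_checks", "actor": "alice", "repo": "acme/payments", "org": "acme", "@timestamp": 1777889400000, "user_agent": "Mozilla/5.0 (X11; Linux x86_64)"}
{"action": "protected_branch.destroy", "actor": "mallory", "repo": "acme/web", "org": "acme", "@timestamp": 1777864500000, "user_agent": "curl/8.4.0"}
{"action": "protected_branch.destroy", "actor": "alice", "repo": "acme/infra", "org": "acme", "@timestamp": 1777730400000, "user_agent": "Mozilla/5.0 (Macintosh)"}
"""

# Assumption: the only identities expected to change branch protection.
APPROVED_ACTORS = {"release-bot", "alice"}


def parse_events(text):
    """Yield one dict per non-empty JSON line."""
    for line in text.splitlines():
        if line.strip():
            yield json.loads(line)


def in_business_hours(dt, start_hour=8, end_hour=18):
    """Weekday and within [start_hour, end_hour) UTC (assumed window)."""
    return dt.weekday() < 5 and start_hour <= dt.hour < end_hour


def detect_branch_protection_disabled(events, approved_actors):
    """Return one finding per protected_branch.destroy event, with triage flags."""
    findings = []
    for event in events:
        if event.get("action") != "protected_branch.destroy":
            continue  # the Sigma rule only fires on rule deletion
        when = datetime.fromtimestamp(event["@timestamp"] / 1000, tz=timezone.utc)
        flags = []
        if event.get("actor") not in approved_actors:
            flags.append("unapproved_actor")
        if not in_business_hours(when):
            flags.append("outside_business_hours")
        # Heuristic: GitHub web UI traffic carries a browser-style user agent;
        # anything else suggests API or scripted use worth a closer look.
        if not event.get("user_agent", "").startswith("Mozilla/"):
            flags.append("non_browser_user_agent")
        findings.append({"actor": event.get("actor"), "repo": event.get("repo"),
                         "time": when.isoformat(), "severity": "high", "flags": flags})
    return findings


if __name__ == "__main__":
    for finding in detect_branch_protection_disabled(parse_events(SAMPLE_AUDIT_LOG), APPROVED_ACTORS):
        print(json.dumps(finding))
```

Every deletion is reported at the rule's severity; the flags are there to order the investigation queue, not to suppress alerts for approved actors.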

Detection coverage (2)

GitHub Organization Branch Protection Disabled

high

Detects when a GitHub Organization branch protection rule is disabled.

Format: sigma | Tactics: defense_evasion | Techniques: T1195, T1562.001 | Sources: webserver, linux

GitHub User Agent Branch Protection Disable

medium

Detects when a GitHub Organization branch protection rule is disabled with a specific user agent.

Format: sigma | Tactics: defense_evasion | Techniques: T1195, T1562.001 | Sources: webserver, linux
