GitHub review settings altered to skip review after PR push


Goal

This detection alerts when one of the following GitHub branch protection settings is disabled on a repository:

  • Dismiss stale pull request approvals when new commits are pushed.
  • Require approval of the most recent reviewable push.

Strategy

These protections ensure that a second GitHub review is required on a pull request whenever a commit is added after the first approval. By disabling either setting, an actor can merge new commits into a previously approved PR without any peer review: the added code is never reviewed, which allows an attacker to introduce a backdoor or other malicious code.
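As an added example (not part of this rule's documentation or of Datadog's or GitHub's code), the detection logic described above written in Python and run over constructed audit-log events. The action names and the `old_value`/`new_value` fields are assumptions modelled on the GitHub audit-log format; match them against your own export before use.

```python
"""Flag audit-log events that turn off a watched branch protection setting."""
from typing import Iterable

# Assumed audit-log action names, mapped to the setting names used in the rule.
WATCHED_ACTIONS = {
    "protected_branch.update_dismiss_stale_reviews_on_push":
        "Dismiss stale pull request approvals when new commits are pushed",
    "protected_branch.update_require_last_push_approval":
        "Require approval of the most recent reviewable push",
}


def setting_was_disabled(event: dict) -> bool:
    """True only when a watched setting changes from enabled to disabled.

    Re-enabling a setting (False -> True) or touching an unrelated setting
    must not fire, otherwise the alert drowns in routine changes.
    """
    if event.get("action") not in WATCHED_ACTIONS:
        return False
    # Assumed payload fields (constructed for this example): old_value / new_value.
    return event.get("old_value") is True and event.get("new_value") is False


def detect(events: Iterable[dict]) -> list[dict]:
    """Return one finding per disabling event, with the triage fields the rule needs."""
    findings = []
    for ev in events:
        if setting_was_disabled(ev):
            findings.append({
                "actor": ev.get("actor"),
                "repo": ev.get("repo"),
                "setting": WATCHED_ACTIONS[ev["action"]],
                "at": ev.get("created_at"),
            })
    return findings


# Constructed sample events: two disables (should fire), one re-enable and one
# unrelated branch protection change (should not).
SAMPLE_EVENTS = [
    {"action": "protected_branch.update_dismiss_stale_reviews_on_push", "actor": "alice",
     "repo": "example-org/app", "old_value": True, "new_value": False, "created_at": "2024-01-01T10:00:00Z"},
    {"action": "protected_branch.update_dismiss_stale_reviews_on_push", "actor": "bob",
     "repo": "example-org/app", "old_value": False, "new_value": True, "created_at": "2024-01-01T10:05:00Z"},
    {"action": "protected_branch.update_required_status_checks", "actor": "carol",
     "repo": "example-org/app", "old_value": True, "new_value": False, "created_at": "2024-01-01T10:10:00Z"},
    {"action": "protected_branch.update_require_last_push_approval", "actor": "alice",
     "repo": "example-org/infra", "old_value": True, "new_value": False, "created_at": "2024-01-01T10:15:00Z"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```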

Triage and response

  1. Reach out to the user {{@github.actor}} ({{@external_identity_nameid}}) and confirm the activity is recognized.
  2. If the activity is suspicious:
    • Block the user in GitHub to prevent further access.
    • Begin your organization’s incident response process and investigate.