policy name: no_signed_commits
severity: LOW
Require all commits to be signed and verified
A commit containing malicious code may be crafted by a malicious actor that has acquired write access to the repository to initiate a supply chain attack. Commit signing provides another layer of defense that can prevent this type of compromise.
- Make sure you have owner permissions
- Go to the projects's settings -> Repository page
- Enter "Push Rules" tab. Set the "Reject unsigned commits" checkbox