
# GH_BranchProtectionRule

> A branch protection rule that applies to one or more branches via pattern matching

<img noZoom src="https://mintcdn.com/specterops/tTIczgde9H07oLXf/assets/enterprise-AND-community-edition-pill-tag.svg?fit=max&auto=format&n=tTIczgde9H07oLXf&q=85&s=ad49a576589f4d2a8081df77d07fdf56" alt="Applies to BloodHound Enterprise and CE" width="482" height="45" data-path="assets/enterprise-AND-community-edition-pill-tag.svg" />

Represents a branch protection rule configured on a GitHub repository. Protection rules define requirements that must be met before changes can be merged to matching branches, such as required reviews, status checks, and restrictions on who can push.

A single protection rule can apply to multiple branches via pattern matching (e.g., `main`, `release/*`).

## Edges

<Note>
  The tables below list edges defined by the GitHub extension only. Additional edges to or from this node may be created by other extensions.
</Note>

### Inbound Edges

| Edge Type                                                                                            | Source Node Types                                                                                              | Traversable |
| ---------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------- | ----------- |
| [GH\_BypassPullRequestAllowances](/opengraph/extensions/github/edges/gh_bypasspullrequestallowances) | [GH\_User](/opengraph/extensions/github/nodes/gh_user), [GH\_Team](/opengraph/extensions/github/nodes/gh_team) | ❌           |
| [GH\_RestrictionsCanPush](/opengraph/extensions/github/edges/gh_restrictionscanpush)                 | [GH\_User](/opengraph/extensions/github/nodes/gh_user), [GH\_Team](/opengraph/extensions/github/nodes/gh_team) | ❌           |

### Outbound Edges

| Edge Type                                                            | Destination Node Types                                     | Traversable |
| -------------------------------------------------------------------- | ---------------------------------------------------------- | ----------- |
| [GH\_ProtectedBy](/opengraph/extensions/github/edges/gh_protectedby) | [GH\_Branch](/opengraph/extensions/github/nodes/gh_branch) | ❌           |

## Properties

| Property Name                      | Data Type | Description                                                                                                                                                   |
| ---------------------------------- | --------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| objectid                           | string    | The GitHub node ID of the branch protection rule (e.g., `BPR_kwDOMuFnXM4DPZQt`).                                                                             |
| name                               | string    | Display name (e.g., `repo\main`).                                                                                                                             |
| id                                 | string    | Same as objectid.                                                                                                                                             |
| environment\_name                  | string    | The GitHub organization login name.                                                                                                                           |
| environmentid                      | string    | The GitHub organization node ID.                                                                                                                              |
| pattern                            | string    | The branch name pattern this rule applies to (e.g., `main`, `release/*`).                                                                                     |
| enforce\_admins                    | boolean   | Whether branch protection rules are enforced for administrators.                                                                                              |
| lock\_branch                       | boolean   | Whether the branch is locked (read-only).                                                                                                                     |
| blocks\_creations                  | boolean   | Whether creating branches matching this pattern is restricted. Only effective when `push_restrictions` is also `true`; silently reverts to `false` otherwise. |
| required\_pull\_request\_reviews   | boolean   | Whether pull request reviews are required before merging.                                                                                                     |
| required\_approving\_review\_count | integer   | The number of approving reviews required.                                                                                                                     |
| require\_code\_owner\_reviews      | boolean   | Whether reviews from code owners are required.                                                                                                                |
| require\_last\_push\_approval      | boolean   | Whether the last push must be approved by someone other than the pusher.                                                                                      |
| push\_restrictions                 | boolean   | Whether push access is restricted to specific users/teams.                                                                                                    |
| requires\_status\_checks           | boolean   | Whether status checks must pass before merging.                                                                                                               |
| requires\_strict\_status\_checks   | boolean   | Whether branches must be up to date with the base branch before merging.                                                                                      |
| dismisses\_stale\_reviews          | boolean   | Whether new commits dismiss previously approved reviews.                                                                                                      |
| allows\_force\_pushes              | boolean   | Whether force pushes are allowed to matching branches.                                                                                                        |
| allows\_deletions                  | boolean   | Whether matching branches can be deleted.                                                                                                                     |

## Diagram

```mermaid theme={null}
flowchart TD
    GH_BranchProtectionRule[fa:fa-shield GH_BranchProtectionRule]
    GH_Branch[fa:fa-code-branch GH_Branch]
    GH_User[fa:fa-user GH_User]
    GH_Team[fa:fa-user-group GH_Team]


    GH_User -.->|GH_BypassPullRequestAllowances| GH_BranchProtectionRule
    GH_Team -.->|GH_BypassPullRequestAllowances| GH_BranchProtectionRule
    GH_User -.->|GH_RestrictionsCanPush| GH_BranchProtectionRule
    GH_Team -.->|GH_RestrictionsCanPush| GH_BranchProtectionRule
    GH_BranchProtectionRule -.->|GH_ProtectedBy| GH_Branch
```

## Security Considerations

Branch protection rules are critical security controls. Key settings to review:

* **enforce\_admins**: Enforces merge-gate controls (PR reviews, lock branch) for admins and users with `bypass_branch_protection`. Does **not** enforce push-gate controls (`push_restrictions`) for admins or users with `push_protected_branch`.
* **required\_pull\_request\_reviews**: Blocks direct pushes to existing protected branches. Bypassed by [GH\_BypassBranchProtection](/opengraph/extensions/github/edges/gh_bypassbranchprotection) and [GH\_BypassPullRequestAllowances](/opengraph/extensions/github/edges/gh_bypasspullrequestallowances) (both suppressed by `enforce_admins`).
* **push\_restrictions**: Restricts who can push. Bypassed by [GH\_PushProtectedBranch](/opengraph/extensions/github/edges/gh_pushprotectedbranch), [GH\_AdminTo](/opengraph/extensions/github/edges/gh_adminto), and [GH\_RestrictionsCanPush](/opengraph/extensions/github/edges/gh_restrictionscanpush) (none suppressed by `enforce_admins`).
* **blocks\_creations**: Restricts new branch creation when `push_restrictions` is also `true`. Same bypass vectors as `push_restrictions`. Silently reverts to `false` if `push_restrictions` is disabled.
* **lock\_branch**: Makes branch read-only. Bypassed by [GH\_BypassBranchProtection](/opengraph/extensions/github/edges/gh_bypassbranchprotection) (suppressed by `enforce_admins`).
* **require\_code\_owner\_reviews**: If `false`, changes to critical paths may not require owner approval.
* **allows\_force\_pushes**: Controls whether history rewrites are allowed. Does **not** grant push access — it is not a bypass mechanism.
* **allows\_deletions**: If `true`, branches can be deleted (potentially losing code).

### Secret Exfiltration Mitigation

The only branch protection configuration that blocks the write-access → workflow → secrets exfiltration attack path is `push_restrictions` + `blocks_creations` on a `*` pattern rule. However, users with [GH\_PushProtectedBranch](/opengraph/extensions/github/edges/gh_pushprotectedbranch), [GH\_AdminTo](/opengraph/extensions/github/edges/gh_adminto), [GH\_RestrictionsCanPush](/opengraph/extensions/github/edges/gh_restrictionscanpush), or [GH\_EditRepoProtections](/opengraph/extensions/github/edges/gh_editrepoprotections) can bypass this control.

For complete analysis, see [Mitigating Controls](/opengraph/extensions/github/mitigating-controls).
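The settings reviewed in the list above and the `push_restrictions` + `blocks_creations` requirement from the mitigation section can be turned into a configuration check over a rule's properties. The following is an added example (not part of BloodHound or the GitHub extension) that models a `GH_BranchProtectionRule` node with the property names from the Properties table; the severity labels and the sample rule values are constructed assumptions.

```python
"""Assess a GH_BranchProtectionRule node's properties.

Added example, not part of the BloodHound GitHub extension. Property names
follow the node's Properties table; severities and sample values are assumed.
"""
from dataclasses import dataclass


@dataclass
class BranchProtectionRule:
    """Minimal view of a GH_BranchProtectionRule node (page property names)."""
    pattern: str
    enforce_admins: bool = False
    lock_branch: bool = False
    blocks_creations: bool = False
    required_pull_request_reviews: bool = False
    required_approving_review_count: int = 0
    require_code_owner_reviews: bool = False
    require_last_push_approval: bool = False
    push_restrictions: bool = False
    requires_status_checks: bool = False
    requires_strict_status_checks: bool = False
    dismisses_stale_reviews: bool = False
    allows_force_pushes: bool = False
    allows_deletions: bool = False


def effective_blocks_creations(rule: BranchProtectionRule) -> bool:
    # blocks_creations only takes effect when push_restrictions is also true;
    # GitHub silently reverts it to false otherwise.
    return rule.blocks_creations and rule.push_restrictions


def mitigates_secret_exfiltration(rule: BranchProtectionRule) -> bool:
    # The one configuration the page names as blocking the
    # write-access -> workflow -> secrets path: push_restrictions +
    # blocks_creations on a "*" pattern rule.
    return rule.pattern == "*" and effective_blocks_creations(rule)


def assess_rule(rule: BranchProtectionRule) -> list:
    """Return (severity, finding) tuples for weak or ineffective settings."""
    findings = []
    if rule.blocks_creations and not rule.push_restrictions:
        findings.append(("high", "blocks_creations is set but push_restrictions is false; "
                                 "GitHub silently reverts it to false"))
    if not rule.enforce_admins:
        findings.append(("high", "enforce_admins is false; admins and bypass_branch_protection "
                                 "holders skip PR reviews and lock_branch"))
    if not rule.required_pull_request_reviews:
        findings.append(("high", "required_pull_request_reviews is false; direct pushes "
                                 "to matching branches are not blocked"))
    else:
        if rule.required_approving_review_count < 1:
            findings.append(("medium", "PR reviews required but zero approvals needed"))
        if not rule.require_code_owner_reviews:
            findings.append(("medium", "require_code_owner_reviews is false; critical-path "
                                       "changes need no owner approval"))
        if not rule.dismisses_stale_reviews:
            findings.append(("low", "dismisses_stale_reviews is false; commits pushed after "
                                    "approval keep the approval"))
    if rule.allows_force_pushes:
        findings.append(("medium", "allows_force_pushes is true; history rewrites are permitted"))
    if rule.allows_deletions:
        findings.append(("medium", "allows_deletions is true; matching branches can be deleted"))
    if not mitigates_secret_exfiltration(rule):
        findings.append(("info", "rule does not block the write-access -> workflow -> "
                                 "secrets path (needs push_restrictions + blocks_creations on '*')"))
    return findings


# Constructed sample rules: a typical "main" rule and a hardened "*" rule.
WEAK_MAIN = BranchProtectionRule(pattern="main", blocks_creations=True,
                                 required_pull_request_reviews=True,
                                 required_approving_review_count=1)
HARDENED_STAR = BranchProtectionRule(pattern="*", enforce_admins=True,
                                     push_restrictions=True, blocks_creations=True,
                                     required_pull_request_reviews=True,
                                     required_approving_review_count=2,
                                     require_code_owner_reviews=True,
                                     dismisses_stale_reviews=True)

if __name__ == "__main__":
    for name, rule in (("weak main", WEAK_MAIN), ("hardened *", HARDENED_STAR)):
        print(name, "mitigates exfiltration:", mitigates_secret_exfiltration(rule))
        for severity, finding in assess_rule(rule):
            print(f"  [{severity}] {finding}")
```

The `blocks_creations` check is the one most often missed in manual review: the property can be `true` in collected data while having no effect, so the evaluator derives an effective value rather than trusting the flag on its own.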

### Identifying Bypass Actors

Use these edges to identify users and teams with elevated branch permissions:

* [GH\_BypassPullRequestAllowances](/opengraph/extensions/github/edges/gh_bypasspullrequestallowances) — can bypass PR requirements on a specific rule (PR reviews only)
* [GH\_RestrictionsCanPush](/opengraph/extensions/github/edges/gh_restrictionscanpush) — can push despite push restrictions on a specific rule
* [GH\_BypassBranchProtection](/opengraph/extensions/github/edges/gh_bypassbranchprotection) — repo-wide bypass of merge-gate controls (PR reviews + lock branch)
* [GH\_PushProtectedBranch](/opengraph/extensions/github/edges/gh_pushprotectedbranch) — repo-wide bypass of push-gate controls (push restrictions + blocks creations)
* [GH\_EditRepoProtections](/opengraph/extensions/github/edges/gh_editrepoprotections) — can remove/modify protection rules entirely
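Combining the edge list above with the suppression behaviour from the Security Considerations section (merge-gate bypasses are suppressed by `enforce_admins`, push-gate bypasses are not) gives a per-rule enumeration of bypass actors. This is an added example, not BloodHound's own query logic. It assumes edges are available as `(source, type, target)` triples, that the repo-wide edges (`GH_BypassBranchProtection`, `GH_PushProtectedBranch`, `GH_AdminTo`, `GH_EditRepoProtections`) target the repository node, and that a rule-to-repository mapping is supplied separately, since the node has no repository property; the principals, repository and rule IDs are constructed.

```python
"""Enumerate bypass actors for a GH_BranchProtectionRule from edge triples.

Added example, not part of BloodHound. Edge names are the ones documented
for the GitHub extension; the graph below and the rule-to-repo mapping are
constructed assumptions.
"""

# Constructed sample graph: one repository, one rule on "main", five principals.
EDGES = [
    ("alice", "GH_BypassPullRequestAllowances", "BPR_main"),
    ("release-team", "GH_RestrictionsCanPush", "BPR_main"),
    ("bob", "GH_BypassBranchProtection", "acme/app"),
    ("carol", "GH_PushProtectedBranch", "acme/app"),
    ("dave", "GH_AdminTo", "acme/app"),
    ("dave", "GH_EditRepoProtections", "acme/app"),
    ("BPR_main", "GH_ProtectedBy", "main"),  # outbound edge, not a bypass
]
# Assumption: the collector tells us which repository each rule belongs to.
RULE_REPO = {"BPR_main": "acme/app"}

# Merge-gate controls: PR reviews + lock_branch (suppressed by enforce_admins).
MERGE_GATE_RULE_EDGES = {"GH_BypassPullRequestAllowances"}   # rule-scoped
MERGE_GATE_REPO_EDGES = {"GH_BypassBranchProtection"}        # repo-wide
# Push-gate controls: push_restrictions + blocks_creations (never suppressed).
PUSH_GATE_RULE_EDGES = {"GH_RestrictionsCanPush"}            # rule-scoped
PUSH_GATE_REPO_EDGES = {"GH_PushProtectedBranch", "GH_AdminTo"}
# Principals who can simply remove or weaken the rule.
EDIT_REPO_EDGES = {"GH_EditRepoProtections"}


def bypass_actors(rule_id, enforce_admins, edges=EDGES, rule_repo=RULE_REPO):
    """Group principals by which protection gate they can bypass on rule_id."""
    repo = rule_repo[rule_id]
    result = {
        "merge_gate": set(),
        "push_gate": set(),
        "can_edit_rules": set(),
        "suppressed_by_enforce_admins": set(),
    }
    for src, etype, dst in edges:
        rule_scoped = dst == rule_id
        repo_scoped = dst == repo
        if (rule_scoped and etype in MERGE_GATE_RULE_EDGES) or \
           (repo_scoped and etype in MERGE_GATE_REPO_EDGES):
            # enforce_admins turns these bypasses off; record them separately
            # so a reviewer still sees who would regain them if it is disabled.
            bucket = "suppressed_by_enforce_admins" if enforce_admins else "merge_gate"
            result[bucket].add(src)
        elif (rule_scoped and etype in PUSH_GATE_RULE_EDGES) or \
             (repo_scoped and etype in PUSH_GATE_REPO_EDGES):
            result["push_gate"].add(src)  # not suppressed by enforce_admins
        elif repo_scoped and etype in EDIT_REPO_EDGES:
            result["can_edit_rules"].add(src)
    return result


def exfiltration_control_bypassers(rule_id, enforce_admins,
                                   edges=EDGES, rule_repo=RULE_REPO):
    """Principals who defeat push_restrictions + blocks_creations on rule_id.

    Per the mitigation section these are the push-gate bypass edges plus
    anyone who can edit the protection rules; enforce_admins does not help.
    """
    groups = bypass_actors(rule_id, enforce_admins, edges, rule_repo)
    return groups["push_gate"] | groups["can_edit_rules"]


if __name__ == "__main__":
    for enforce in (False, True):
        print(f"enforce_admins={enforce}:")
        for gate, who in bypass_actors("BPR_main", enforce).items():
            print(f"  {gate}: {sorted(who)}")
        print("  exfiltration control bypassed by:",
              sorted(exfiltration_control_bypassers("BPR_main", enforce)))
```

Running it with `enforce_admins=True` moves `alice` and `bob` from `merge_gate` to `suppressed_by_enforce_admins` while the push-gate set is unchanged, which is the practical reason the page distinguishes the two gates: enabling `enforce_admins` does nothing about `GH_AdminTo`, `GH_PushProtectedBranch` or `GH_RestrictionsCanPush` holders.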
