IAM-014 Access to Source Code and Development Assets
Description
Access to source code repositories, build pipelines, deployment tooling, and cryptographic secrets used in development is restricted to authorised personnel. Write and merge access to production branches requires explicit approval. Access is logged and reviewed periodically.
Rationale
Unauthorised modification of source code is a supply chain attack vector. Code repositories and CI/CD pipelines are high-value targets; access must be as tightly controlled as production systems.
Framework Mappings (4)
| Control ID | Control Name | Mapping Strength |
|---|---|---|
| CCC-04 | Unauthorized Change Protection | partial |
| IAM-05 | Least Privilege | informative |
| 8.4 | Access to source code | full |
| AC-3 | Access Enforcement | informative |
Evidence (2)
Source code repository and CI/CD platform branch protection and access control settings showing that write and merge access to production branches requires approval and is restricted to authorised roles.
Example: GitHub, GitLab, or Bitbucket branch protection rule export for the main/production branch showing: required reviewers ≥ 1, direct push to main disabled, required status checks enabled, and member access report showing no non-authorised contributors with write access.
Test: Export branch protection settings from the source control platform API (e.g. GitHub GET /repos/{owner}/{repo}/branches/{branch}/protection). Verify: (1) direct push to the production/main branch is disabled, (2) at least one required reviewer is enforced on PRs, (3) the list of users with write or admin access to the repository matches the current approved roster, (4) access log shows no merges without a completed review event.
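The following script is an added illustration of the first three checks in the test above (direct push disabled, at least one required reviewer, write access limited to the approved roster); it is not part of the control catalogue or any vendor's tooling. The dict shapes follow the GitHub REST API response for GET /repos/{owner}/{repo}/branches/{branch}/protection and the collaborators listing, but the sample data, the roster and the helper name `assess_branch_protection` are constructed for this example. Check (4), reconciling merges against review events in the access log, belongs with the audit-log evidence item below.

```python
"""Evaluate a branch protection export against the IAM-014 test criteria.

Field names follow the GitHub REST API branch-protection response; the sample
values below are constructed for illustration, not taken from a real repository.
"""
from __future__ import annotations

# Constructed sample: a protection export for the production branch.
SAMPLE_PROTECTION = {
    "required_status_checks": {"strict": True, "contexts": ["ci/build", "ci/test"]},
    "enforce_admins": {"enabled": True},
    "required_pull_request_reviews": {
        "required_approving_review_count": 1,
        "dismiss_stale_reviews": True,
    },
    "allow_force_pushes": {"enabled": False},
    "allow_deletions": {"enabled": False},
}

# Constructed sample: collaborators holding write-or-higher permission.
SAMPLE_WRITE_ACCESS = [
    {"login": "alice", "permission": "admin"},
    {"login": "bob", "permission": "write"},
    {"login": "contractor-x", "permission": "write"},  # deliberately absent from the roster
]

# Constructed sample: the currently approved roster from the access-request system.
APPROVED_ROSTER = {"alice", "bob", "carol"}


def assess_branch_protection(protection: dict, write_access: list[dict], roster: set[str]) -> dict:
    """Return one finding per IAM-014 criterion; True means the criterion passed."""
    reviews = protection.get("required_pull_request_reviews") or {}
    checks = protection.get("required_status_checks") or {}
    force_push_allowed = protection.get("allow_force_pushes", {}).get("enabled", True)

    # Criterion 1: direct pushes are blocked because every change must arrive through
    # a reviewed pull request, and history cannot be rewritten with a force push.
    direct_push_disabled = bool(reviews) and not force_push_allowed
    # Locking the rule against admin override is the stronger setting the questions mention.
    admin_override_locked = protection.get("enforce_admins", {}).get("enabled", False)
    # Criterion 2: at least one approving review is required on every PR.
    reviewer_required = reviews.get("required_approving_review_count", 0) >= 1
    status_checks_enabled = bool(checks.get("contexts"))
    # Criterion 3: everyone with write or admin access must appear on the approved roster.
    unapproved = sorted(c["login"] for c in write_access if c["login"] not in roster)

    return {
        "direct_push_disabled": direct_push_disabled,
        "admin_override_locked": admin_override_locked,
        "reviewer_required": reviewer_required,
        "status_checks_enabled": status_checks_enabled,
        "unapproved_write_access": unapproved,
        "compliant": direct_push_disabled and reviewer_required
                     and status_checks_enabled and not unapproved,
    }


if __name__ == "__main__":
    findings = assess_branch_protection(SAMPLE_PROTECTION, SAMPLE_WRITE_ACCESS, APPROVED_ROSTER)
    for name, value in findings.items():
        print(f"{name}: {value}")
```

Because the sample roster omits `contractor-x`, the run reports the protection rule itself as sound but the evidence item as non-compliant, which is the outcome an auditor needs to see separately from the rule settings: a correct branch rule does not help if the write-access list has drifted from the approved roster.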
CI/CD and source control access logs showing who accessed or modified production branch code, build pipelines, and deployment tooling over the past 30 days.
Example: GitHub Audit Log, GitLab Audit Event export, or AWS CodePipeline CloudTrail log for the past 30 days showing push, merge, pipeline trigger, and permission change events with actor identity and timestamp.
Test: Export the source control audit log for the past 30 days. Verify: (1) all merge events to the production branch have a corresponding approved pull request review, (2) no individuals outside the approved access roster performed pushes or pipeline runs, (3) any permission changes (adding a new collaborator) have a matching access request record.
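As an added example of the three reconciliation checks in this test (and of check (4) from the branch-protection test above), the script below walks a 30-day audit export and flags merges with no prior approval, actors outside the roster, and collaborator additions with no access request on file. It is not part of the control catalogue or of any platform's export tooling; the event records use a simplified constructed shape (`ts`, `actor`, `action`, `branch`, `pr`, `target`) rather than the exact schema of the GitHub, GitLab or CloudTrail exports named above, and the helper name `reconcile_audit_log`, the roster and the access-request list are assumptions for this example.

```python
"""Reconcile a source-control audit log against the IAM-014 test criteria.

Event shape is constructed for this example; map a real export's fields onto
ts (ISO-8601 UTC), actor, action, branch, pr and target before running it.
"""
from __future__ import annotations

PROD_BRANCH = "main"

# Constructed sample: 30 days of audit events, including two deliberate violations.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00Z", "actor": "bob", "action": "pr.review_approved", "pr": 41, "branch": "main"},
    {"ts": "2024-05-01T09:10:00Z", "actor": "alice", "action": "pr.merged", "pr": 41, "branch": "main"},
    {"ts": "2024-05-03T14:00:00Z", "actor": "alice", "action": "pr.merged", "pr": 42, "branch": "main"},  # no approval
    {"ts": "2024-05-03T15:00:00Z", "actor": "bob", "action": "pr.review_approved", "pr": 42, "branch": "main"},  # too late
    {"ts": "2024-05-04T08:00:00Z", "actor": "contractor-x", "action": "pipeline.run", "branch": "main"},
    {"ts": "2024-05-05T10:00:00Z", "actor": "alice", "action": "repo.add_member", "target": "carol"},
    {"ts": "2024-05-06T10:00:00Z", "actor": "alice", "action": "repo.add_member", "target": "dave"},  # no request
]

APPROVED_ROSTER = {"alice", "bob", "carol"}
ACCESS_REQUESTS = {"carol"}  # logins with an approved access request record on file

# Actions that count as touching production code or pipelines for criterion (2).
PRIVILEGED_ACTIONS = {"push", "pr.merged", "pipeline.run"}


def reconcile_audit_log(events: list[dict], roster: set[str], access_requests: set[str],
                        prod_branch: str = PROD_BRANCH, since: str | None = None) -> dict:
    """Return the exceptions an auditor must explain; an empty list means the criterion passed."""
    # ISO-8601 UTC timestamps sort correctly as strings, so no datetime parsing is needed.
    window = sorted((e for e in events if since is None or e["ts"] >= since), key=lambda e: e["ts"])

    # Earliest approval per PR; an approval only counts if it precedes the merge.
    first_approval: dict[int, str] = {}
    for e in window:
        if e["action"] == "pr.review_approved":
            first_approval.setdefault(e["pr"], e["ts"])

    # Criterion 1: every merge to the production branch has an earlier approved review.
    unreviewed_merges = [
        e["pr"] for e in window
        if e["action"] == "pr.merged" and e.get("branch") == prod_branch
        and not (e["pr"] in first_approval and first_approval[e["pr"]] < e["ts"])
    ]
    # Criterion 2: nobody outside the roster pushed, merged or ran a pipeline.
    unapproved_actors = sorted({
        e["actor"] for e in window
        if e["action"] in PRIVILEGED_ACTIONS and e["actor"] not in roster
    })
    # Criterion 3: every collaborator addition matches an access request record.
    unmatched_grants = [
        e["target"] for e in window
        if e["action"] == "repo.add_member" and e["target"] not in access_requests
    ]
    return {
        "unreviewed_merges": unreviewed_merges,
        "unapproved_actors": unapproved_actors,
        "unmatched_grants": unmatched_grants,
        "compliant": not (unreviewed_merges or unapproved_actors or unmatched_grants),
    }


if __name__ == "__main__":
    report = reconcile_audit_log(SAMPLE_EVENTS, APPROVED_ROSTER, ACCESS_REQUESTS, since="2024-04-07T00:00:00Z")
    for name, value in report.items():
        print(f"{name}: {value}")
```

The ordering check matters: PR 42 in the sample does receive an approval, but only after the merge, so it is still reported. An approval that lands after the fact is exactly the pattern a review of this evidence should surface, because it indicates the branch rule was bypassed or not yet in force when the merge happened.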
Questions (2)
Is access to source code repositories, build pipelines, and deployment tooling restricted to authorised personnel with write and merge access requiring explicit approval?
Access to production branches should be restricted with branch protection rules. Write or admin access must require explicit approval and be regularly reviewed.
Which controls are enforced on your production or main branch in source control?
Disabling direct push and requiring at least one reviewer are baseline expectations. Locking branch protection to prevent admin override is a strong additional control.