Adherence check - Code safeguards enabled

Problem to solve

In the field of DevOps metrics, the "DORA Four" metrics are increasingly popular. In the field of compliance, the "SOC2 Starting Seven" metrics are a similar new idea.

Proposal

Using the following "Starting Seven" criteria we can add SOC2 adherence to the compliance adherence report:

  1. Code safeguards enabled.
    1. Deployed branch is a protected branch.
    2. Deployed branch only changed via Merge Requests.
    3. Merge Requests must be approved by a non-author before merge.
    4. Deployment is automated.

Implementation Plan

Copied from the comment below.

  1. Assume that the project's default branch is the deployed branch.
  2. Using that assumption, the checks above can be evaluated as follows:
    1. Deployed branch is a protected branch: check whether the default branch is protected.
    2. Deployed branch only changed via Merge Requests: check whether the default branch is protected against direct pushes.
    3. Merge Requests must be approved by a non-author before merge: combination of "Prevent authors as approvers" AND "Prevent committers as approvers" AND "At least two approvals" (this can probably be relaxed to "at least one approval" for this check).
    4. Deployment is automated: drop this check, as we have no direct way to infer it.
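The following is an added worked example of the evaluation described above, not GitLab's own implementation of the compliance report. It consumes the JSON shapes returned by three GitLab REST endpoints (`GET /projects/:id`, `GET /projects/:id/protected_branches`, `GET /projects/:id/approvals`, with field names as documented by GitLab) and assumes, as the plan does, that the default branch is the deployed branch. The sample responses are constructed for the example; the `min_approvals` parameter and the wildcard matching for protected-branch patterns go slightly beyond the plan, which only discusses exact branch names.

```python
"""Evaluate the SOC2 "code safeguards enabled" checks from GitLab API data.

Added example (not GitLab's code). Input shapes follow the GitLab REST API:
  GET /projects/:id                     -> "default_branch"
  GET /projects/:id/protected_branches  -> list with "name", "push_access_levels"
  GET /projects/:id/approvals           -> "approvals_before_merge",
                                           "merge_requests_author_approval",
                                           "merge_requests_disable_committers_approval"
"""
from fnmatch import fnmatch

NO_ACCESS = 0  # GitLab access level meaning "No one" may push


def find_protection(default_branch, protected_branches):
    """Return the protected-branch rule covering the default branch, or None.

    Protected branch names may be wildcard patterns (e.g. "release-*"), so fall
    back to fnmatch when no rule names the branch exactly.
    """
    for rule in protected_branches:
        if rule["name"] == default_branch:
            return rule
    for rule in protected_branches:
        if fnmatch(default_branch, rule["name"]):
            return rule
    return None


def evaluate_code_safeguards(project, protected_branches, approvals, min_approvals=1):
    """Return {check_name: bool} for the three checks the plan keeps.

    Assumption (as in the plan): the default branch is the deployed branch.
    "Deployment is automated" is omitted because it cannot be inferred here.
    """
    rule = find_protection(project["default_branch"], protected_branches)
    branch_protected = rule is not None

    # Only changed via Merge Requests: every push access level on the rule must
    # be "No one". Any role, user, group or deploy key with direct push access
    # fails the check; an empty list is treated conservatively as a failure.
    push_levels = rule["push_access_levels"] if branch_protected else []
    only_via_mr = bool(push_levels) and all(
        level["access_level"] == NO_ACCESS for level in push_levels
    )

    # Approved by a non-author: authors cannot approve, committers cannot
    # approve, and at least `min_approvals` approvals are required.
    non_author_approval = (
        not approvals.get("merge_requests_author_approval", True)
        and approvals.get("merge_requests_disable_committers_approval", False)
        and approvals.get("approvals_before_merge", 0) >= min_approvals
    )

    return {
        "deployed_branch_protected": branch_protected,
        "deployed_branch_only_via_merge_requests": only_via_mr,
        "merge_requests_approved_by_non_author": non_author_approval,
    }


# Constructed sample responses (not real project data).
SAMPLE_PROJECT = {"id": 1, "default_branch": "main"}

SAMPLE_PROTECTED_BRANCHES = [
    {
        "name": "main",
        "push_access_levels": [{"access_level": 0, "access_level_description": "No one"}],
        "merge_access_levels": [{"access_level": 40, "access_level_description": "Maintainers"}],
    }
]

SAMPLE_APPROVALS = {
    "approvals_before_merge": 1,
    "merge_requests_author_approval": False,
    "merge_requests_disable_committers_approval": True,
}

if __name__ == "__main__":
    results = evaluate_code_safeguards(SAMPLE_PROJECT, SAMPLE_PROTECTED_BRANCHES, SAMPLE_APPROVALS)
    for check, ok in results.items():
        print(f"{'PASS' if ok else 'FAIL'}  {check}")
```

Note that a branch can be protected and still fail the second check: a rule that lets Developers or Maintainers push directly satisfies "protected" but not "only changed via Merge Requests", which is why the two are evaluated separately.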
Edited by Huzaifa Iftikhar