Use gitStream for SOC 2 compliance.
gitStream policy-as-code makes it easy to implement workflow automations that help your team remain SOC 2 compliant during the code review process.
Flag Code That's Merged Without Review
Automatically send notifications to your team when code is merged without review.
Configuration Description
Conditions (all must be true):
- A PR is merged without at least one review.
Automation Actions:
- Send a Slack notification to alert your team.
- Apply a red DCF5-merged-without-review label.
- Post a comment explaining SOC 2 requirements.
```yaml
# -*- mode: yaml -*-
manifest:
  version: 1.0

on:
  - merge

# https://docs.gitstream.cm/automation-actions/#send-slack-message
slack_webhook: {{ env.SLACK_WEBHOOK }}

# Update security_team to match your organization
security_team: 'my-org/app-sec'

automations:
  flag_merged_no_review:
    if:
      - {{ pr.approvals | length == 0 }}
    run:
      - action: add-label@v1
        args:
          label: "DCF5-merged-without-review"
          color: {{ colors.red }}
      - action: send-slack-message@v1
        args:
          message: "PR #{{ pr.number }} - {{ pr.title }} - was merged without peer reviews. SOC2 requires code reviews for every code change. _SOC2 ref: CC8.1_"
          webhook_url: "{{ slack_webhook }}"
      - action: add-comment@v1
        args:
          comment: |
            This PR was merged without peer reviews. SOC2 requires code reviews for every code change.
            _SOC2 ref: CC8.1_
            @{{ security_team }}

colors:
  red: 'F6443B'
```
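The automation above only fires on merge events from the moment it is enabled. As an added example (not gitStream's own code, and not part of this page's configuration), the Python below applies the same predicate, merged with zero approvals, retrospectively over a batch of merged PRs, so an auditor can produce evidence for changes that landed before the rule existed and see exactly which label, Slack message and comment the rule would have produced. The PR records are constructed for the example; their field names (`number`, `title`, `merged`, `approvals`) are an assumption loosely modelled on the gitStream `pr` context, not a copy of any API.

```python
"""Offline audit of merged PRs for the "merged without review" control.

Example code, not gitStream's own. It mirrors the automation's condition,
``pr.approvals | length == 0`` on a merge event, but runs over a batch of
already-merged PRs. The PullRequest shape below is an assumption for the
example, not the exact gitStream context object.
"""
from __future__ import annotations

from dataclasses import dataclass, field

SOC2_REF = "CC8.1"
LABEL = "DCF5-merged-without-review"
LABEL_COLOR = "F6443B"


@dataclass
class PullRequest:
    number: int
    title: str
    merged: bool
    approvals: list[str] = field(default_factory=list)  # logins of approving reviewers


def merged_without_review(pr: PullRequest) -> bool:
    """Same predicate as the automation's `if` block: merged and zero approvals."""
    return pr.merged and len(pr.approvals) == 0


def planned_actions(pr: PullRequest, security_team: str) -> list[dict]:
    """Return the actions the automation would run for a flagged PR (empty otherwise)."""
    if not merged_without_review(pr):
        return []
    sentence = ("was merged without peer reviews. SOC2 requires code reviews "
                f"for every code change. _SOC2 ref: {SOC2_REF}_")
    return [
        {"action": "add-label", "label": LABEL, "color": LABEL_COLOR},
        {"action": "send-slack-message",
         "message": f"PR #{pr.number} - {pr.title} - {sentence}"},
        {"action": "add-comment",
         "comment": f"This PR {sentence}\n@{security_team}"},
    ]


def audit(prs: list[PullRequest], security_team: str = "my-org/app-sec") -> dict:
    """Summarise a batch of PRs: violations, review coverage, and per-PR actions."""
    merged = [pr for pr in prs if pr.merged]
    flagged = [pr for pr in merged if merged_without_review(pr)]
    reviewed = len(merged) - len(flagged)
    return {
        "merged": len(merged),
        "flagged": [pr.number for pr in flagged],
        # 1.0 when nothing was merged: no evidence of a control failure.
        "review_coverage": reviewed / len(merged) if merged else 1.0,
        "actions": {pr.number: planned_actions(pr, security_team) for pr in flagged},
    }


# Constructed sample: three merged PRs (one unreviewed) and one still open.
SAMPLE_PRS = [
    PullRequest(101, "Rotate session signing key", True, ["alice"]),
    PullRequest(102, "Hotfix: bump timeout", True, []),
    PullRequest(103, "Add audit log sink", True, ["bob", "carol"]),
    PullRequest(104, "WIP: new dashboard", False, []),
]

if __name__ == "__main__":
    report = audit(SAMPLE_PRS)
    print(f"{report['merged']} merged PRs, {len(report['flagged'])} without review "
          f"(coverage {report['review_coverage']:.0%}): {report['flagged']}")
    for number, actions in report["actions"].items():
        for act in actions:
            print(f"  PR #{number}: {act['action']}")
```

The report's `review_coverage` is the figure an auditor will ask for; `flagged` is the list of PRs that need a documented retrospective review, and `actions` shows what the live automation would have posted for each.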
Additional Resources
gitStream is a workflow automation tool that enables you to use YAML configuration files to optimize your code review process. Add context to PRs, find code experts for reviews, and automate the merge process to maximize developer productivity.