GitHub branch protection rules ensure that changes to critical branches, such as the main branch, meet certain criteria before being merged into the codebase.
They’re guardrails to ensure PRs are properly reviewed, tested, and approved before they’re merged into the codebase, reducing the likelihood of introducing bugs or vulnerabilities.
But every once in a while you might have an emergency.
One of those hair-on-fire moments where time is ticking, and you need to make a change pronto. That’s when you need to break glass and bypass those branch protection rules, but doing it correctly is critical for the security of your codebase.
The essential components of a secure break glass workflow are:
One way we see people attempt to set up break glass access is by creating teams with the ability to override branch protection rules. Members of the team still have persistent access, increasing the potential for a compliance violation, unauthorized action, or a mistake.
Automating the process of granting and revoking access to the team is a great way to ensure that access is only granted when necessary and is automatically revoked after a specified period.
To achieve this, you can use the GitHub API to create a script that:
The issue with the Issue/Action-based approach is that it has no approval process and it's up to the user to decide when to open/close the issue. You’re also missing those crucial logging and notification components. It's better than nothing, but there’s a better way.
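As an added illustration of the time-boxed grant and revoke automation described above (not code from the original post or from Indent), this Python sketch adds a user to a break glass team through the GitHub REST API, records an expiry, and on each reconcile pass removes anyone on the team without an unexpired grant, including standing members. The function names, the in-memory `grants` and `audit` structures, and the `GITHUB_TOKEN` environment variable are assumptions, and it has no approval step.

```python
import json, os, time, urllib.request

API = "https://api.github.com"

def github_api(method, path):
    """Real transport: token is read from GITHUB_TOKEN (assumed variable name)."""
    req = urllib.request.Request(API + path, method=method,
        data=b"{}" if method == "PUT" else None,
        headers={"Authorization": "Bearer " + os.environ["GITHUB_TOKEN"],
                 "Accept": "application/vnd.github+json",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        body = resp.read()
        return json.loads(body) if body else None

def grant(api, grants, audit, org, team, user, reason, ttl_s, now=None):
    """Add `user` to the break glass team and record when the grant expires."""
    if not reason.strip():
        raise ValueError("a break glass grant needs a reason")
    now = time.time() if now is None else now
    api("PUT", f"/orgs/{org}/teams/{team}/memberships/{user}")
    grants[user] = now + ttl_s
    audit.append({"at": now, "event": "grant", "user": user, "reason": reason})

def reconcile(api, grants, audit, org, team, now=None):
    """Remove every team member without an unexpired grant; return who was removed."""
    now = time.time() if now is None else now
    # A break glass team should be small; per_page=100 avoids paging in this sketch.
    listing = api("GET", f"/orgs/{org}/teams/{team}/members?per_page=100")
    removed = []
    for user in [m["login"] for m in listing]:
        if grants.get(user, 0) > now:
            continue  # still inside the granted window
        # No grant on record means persistent access that bypassed the workflow.
        event = "expired" if user in grants else "unexpected_member"
        api("DELETE", f"/orgs/{org}/teams/{team}/memberships/{user}")
        grants.pop(user, None)
        audit.append({"at": now, "event": event, "user": user})
        removed.append(user)
    return removed
```

Run `reconcile` on a schedule with `github_api` as the transport; the `audit` list is where a real deployment would forward events to its logging and notification channel.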
The easiest way to incorporate these attributes is to use a privileged access management solution like Indent.
With Indent, you can:
Getting Indent set up with GitHub is free and takes just a few minutes.
breakglass-approvers that is excluded in the branch protection rule just created
Indent can also help manage access to your production infrastructure like AWS, GCP, or Azure. Many teams also choose to set up on-call auto approvals with our PagerDuty, Opsgenie, and Incident.io integrations.
Want to see a demo or have a guided onboarding?
Feel free to schedule time that works for you and we're happy to answer any questions you have!