How To: Prevent Changes to Liquibase Configuration with Git-based Branch Protection
Scenario
As a DevSecOps policy leader using a Git-based repository, I would like to be notified of, and able to reject, any attempt to merge a change to a Liquibase configuration file, such as a metadata.properties file.
Background
The metadata.properties file specifies Liquibase Enterprise behavior during packaging. Developers sometimes attempt to change the metadata.properties files in the SQL repository, potentially causing errors or bypassing established organizational guardrails.
Steps
To prevent changes to specific files in a Git-based repository such as GitHub, GitLab, or Bitbucket, configure the following:
Create a CODEOWNERS file
Create a new file called CODEOWNERS in the .github/, root, or docs/ directory of the repository, in the branch where you'd like to add the code owners. If CODEOWNERS files exist in more than one of those locations, GitHub will search for them in that order and use the first one it finds. The most secure method is to define a CODEOWNERS file in the .github directory of the repository and define the repository owner as the owner of either the CODEOWNERS file or the whole .github directory.
Note: The CODEOWNERS files must be created in each branch which is to be protected from configuration changes.
Specify protected files in the CODEOWNERS file
Define file patterns that protect both the CODEOWNERS file itself and every metadata.properties file anywhere in the repository. Patterns use gitignore-style syntax: a leading slash anchors the pattern to the repository root, and a leading **/ matches at any depth. Lines beginning with # are comments:
# Protect the CODEOWNERS file itself. A leading "/" anchors to the repository
# root, so use /.github/CODEOWNERS instead if the file lives in .github/
/CODEOWNERS @owner_username1 @owner_username2
# Protect every metadata.properties file, at any depth in the repository
**/metadata.properties @owner_username1 @owner_username2
Configure Branch Protection
Configure branch protection on each protected branch to require pull request reviews, and specifically to require approval from the code owners listed in CODEOWNERS. Without that setting, CODEOWNERS only requests reviews from the listed owners; it does not block a merge. Details for each SCM platform are below:
BitBucket
GitHub
GitLab
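The CODEOWNERS rules above only block a merge once branch protection is also enabled, and a mis-anchored pattern silently protects nothing. The following script is an added example (not Liquibase, Datical or GitHub code) that parses a CODEOWNERS file with the two rules from this article and reports which files changed in a pull request fall under a code-owner rule. It can run as a CI pre-check that mirrors the branch-protection rule, and it doubles as a test of whether your patterns match the paths you intend. The CODEOWNERS text and the list of changed paths are constructed samples; the pattern translation is a simplified, hypothetical implementation of gitignore-style matching (leading "/" anchors to the root, "**/" matches zero or more directories, "*" matches within one segment, last matching rule wins).

```python
"""Report which changed paths require code-owner review under a CODEOWNERS file.

Hypothetical CI helper, not part of Liquibase, Datical or any SCM platform.
Feed it the CODEOWNERS text and the output of `git diff --name-only base...head`.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the two rules recommended in the article.
SAMPLE_CODEOWNERS = """\
# Owners of the protection file itself (anchored to the repository root)
/CODEOWNERS @owner_username1 @owner_username2
# Every metadata.properties file, at any depth
**/metadata.properties @owner_username1 @owner_username2
"""

# Constructed sample: paths as they would come from `git diff --name-only`.
SAMPLE_CHANGED_PATHS = [
    "sql/app1/metadata.properties",   # protected: nested metadata.properties
    "sql/app1/changelog.xml",         # not protected
    "CODEOWNERS",                     # protected: root-level CODEOWNERS
    ".github/CODEOWNERS",             # NOT matched by /CODEOWNERS (root-anchored)
    "metadata.properties",            # protected: **/ matches zero directories
    "docs/metadata.properties.md",    # not protected: different file name
]

Rule = Tuple[re.Pattern, List[str]]


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a gitignore-style CODEOWNERS pattern into an anchored regex.

    Simplified translation: a leading '/' or any '/' inside the pattern anchors
    it to the repository root; otherwise it matches a name at any depth.
    '**/' matches zero or more directories, '*' matches within one segment,
    and a match also covers everything beneath a matched directory.
    """
    anchored = pattern.startswith("/")
    body = pattern[1:] if anchored else pattern
    body = body.rstrip("/")
    prefix = "" if (anchored or "/" in body) else r"(?:.*/)?"
    parts: List[str] = []
    i = 0
    while i < len(body):
        if body.startswith("**/", i):
            parts.append(r"(?:.*/)?")
            i += 3
        elif body.startswith("**", i):
            parts.append(r".*")
            i += 2
        elif body[i] == "*":
            parts.append(r"[^/]*")
            i += 1
        else:
            parts.append(re.escape(body[i]))
            i += 1
    return re.compile("^" + prefix + "".join(parts) + r"(?:/.*)?$")


def parse_codeowners(text: str) -> List[Rule]:
    """Parse CODEOWNERS text into (regex, owners) rules, skipping comments."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        rules.append((pattern_to_regex(fields[0]), fields[1:]))
    return rules


def owners_for(path: str, rules: List[Rule]) -> Optional[List[str]]:
    """Return the owners of the last matching rule (last match wins), or None."""
    matched: Optional[List[str]] = None
    for regex, owners in rules:
        if regex.match(path):
            matched = owners
    return matched


def review_required(changed_paths: List[str], codeowners_text: str) -> Dict[str, List[str]]:
    """Map each changed path that needs code-owner approval to its owners."""
    rules = parse_codeowners(codeowners_text)
    required: Dict[str, List[str]] = {}
    for path in changed_paths:
        owners = owners_for(path, rules)
        if owners:
            required[path] = owners
    return required


if __name__ == "__main__":
    for path, owners in review_required(SAMPLE_CHANGED_PATHS, SAMPLE_CODEOWNERS).items():
        print(f"{path}: requires approval from {' '.join(owners)}")
```

Running the sample shows the three protected paths and, just as importantly, that ".github/CODEOWNERS" is not caught by the root-anchored "/CODEOWNERS" rule; if you keep the file in .github/, adjust the pattern accordingly and re-run the check.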
Copyright © Datical 2012-2020 - Proprietary and Confidential