You can also query the Drata Public API (specifically the /v1/managed-accounts/version-control endpoint) to confirm which repositories a user has administrative or merge access to.

If a user is identified as having merge access and this is authorized for their role, you must navigate to the 'Version Control' page (under Connections) and switch the 'Merge to Default' toggle to ON. This tells Drata that the access is expected and prevents the test from failing."

Enforcement status: Set the ruleset to Active. Rulesets in "Evaluate" or "Disabled" mode will not satisfy the test.

Target branch: Define the target as the Default Branch (typically main or master).

Update restrictions: Select the Restrict updates check box. This setting ensures that only authorized changes can be made to the branch, which is the specific telemetry Drata's sync process identifies.

Legacy protections: Turn off any classic branch protection rules for this repository. This ensures that Drata’s evaluation is based solely on the modern ruleset configuration.

Expected status: Pass ✅

Technical logic: Drata identifies the active ruleset and detects the Restrict updates attribute. Because the default branch is protected against unauthorized modifications, the repository meets the "Production code changes restricted" compliance criteria.

Visibility Note: If your GitHub environment meets these technical requirements but the test continues to fail, contact Drata Support. An internal configuration may be required to enable visibility for modern GitHub rulesets on your account.

Protection type: Use Classic branch protection rules (not rulesets).

Target branch: Apply the rule to the Default branch.

Push restrictions: In the GitHub repository settings, navigate to the Restrict pushes section (labeled as "Restrict who can push to protected branches"). Ensure this is enabled for specific people, teams, or apps.

Bypass access: By default, GitHub administrators and specifically added users can bypass these restrictions. Confirm that the Merge button is enabled for these authorized users.

Create a pull request to the default branch using a standard user account. Confirm that the Merge button is disabled.

Create a pull request using an administrator account. Confirm that the Merge button is enabled.

Remove rulesets: Ensure no active branch rulesets are applied to the repository.

Remove classic protections: Delete or disable all classic branch protection rules for the Default branch.

Access levels: Maintain existing Admin or Write permissions for the relevant users.

Open a pull request targeting the default branch.

Confirm that the Merge button is enabled for all users with write access. This indicates that GitHub is not technically restricting code changes.

Expected status: Pass ✅

Technical logic: When Drata detects that a repository has no branch protections, it identifies all users with merge capabilities. Usually, this would result in a failure. However, because you have manually enabled the Merge to default branch toggle, Drata recognizes these users as "Authorized." The test passes because the access is explicitly documented as expected within the Drata platform.

Ruleset configuration: Create a branch ruleset with the enforcement status set to Active. Ensure the ruleset targets the Default branch and that the Restrict updates check box is selected.

Classic protection configuration: Configure a classic branch protection rule for the same Default branch.

Access levels: Identify users or teams with merge permissions. Users with bypass permissions in GitHub will maintain the ability to merge even with these rules active.

Expected status: Pass ✅

Technical logic: Drata detects that the default branch is protected by both a modern ruleset and classic branch protection. The test passes because the presence of the Restrict updates attribute in the ruleset satisfies the security requirement. Drata recognizes the branch is effectively secured by redundant layers of protection.

Missing update restrictions: You have a GitHub ruleset active, but the Restrict updates check box is unselected. Drata requires this specific setting to verify that code changes are restricted.

Ruleset enforcement status: The ruleset is set to Evaluate or Disabled mode. Only rulesets with an Active status provide the enforcement telemetry needed to pass the test.

Incorrect branch targeting: The ruleset or classic branch protection rule targets a non-production branch (such as develop or feature/*) instead of the Default branch.

Missing classic protections: No classic branch protection rules are active, and no modern rulesets have been configured to take their place.

Unauthorized bypass access: Users or administrators have "Bypass" or "Push" access in GitHub’s classic branch protection settings, but their Merge to default branch toggle is set to Off in Drata.

Unprotected "Write" access: A repository has no branch protections, and users with Write access, who are elevated to Admin status by Drata for security purposes, have not been toggled to On in the Drata platform.

Stale permissions: A user who was previously authorized in Drata still has merge access in GitHub, but their role has changed and they should no longer have these permissions.

Ruleset visibility settings: Your GitHub Rulesets are configured correctly, but the advanced visibility feature has not been enabled for your Drata account. In this case, Drata cannot "see" the ruleset metadata, resulting in a false failure.

Delayed synchronization: Changes made in GitHub (such as enabling a ruleset or removing a user) have not yet synced with Drata. You may need to wait for the next automated sync or trigger a manual refresh to update the test results.