Required Pull Requests

What is a required pull request?

A required pull request is a policy requiring that before code can be merged into a protected branch, it must go through a pull request. This allows for automated checks to be performed before the code is merged.

Why is the VA requiring pull requests?

As part of the VA’s code scanning policy, all repositories must meet two requirements:

  • Code scanning using CodeQL must be enabled for all eligible languages
  • All code scanning alerts must be remediated within 30 days of being identified

To ensure these requirements are met, the VA has developed automation leveraging “Required Workflows” that allows GitHub to perform automated checks on pull requests to ensure that code scanning is enabled and that all code scanning alerts are remediated before the pull request can be merged.

To learn more about the VA’s use of required workflows and how they impact your repository, please see the Required Workflows technical note.

How are required pull requests configured?

The VA’s required pull request policy is configured at the GitHub organization level and is not configurable at the repository level.

Which branches are protected?

The current policy requires that each repository’s default branch (usually master or main) in the VA’s GitHub organization be protected. This means that code updates to the default branch in each repository must go through a pull request before changes can be merged.