Suggestion: Branch Protection & Code Review Process

[matthewford]

Hi Polar team,

First off, I wanted to say that Polar is a great project! We're an agency that have implemented a number of payment gateways for clients, and we're excited about potentially testing Polar as a merchant of record solution. The open-source approach and what you're building is great to see.

I noticed while reviewing the repository that some commits are being pushed directly to the main branch and deployed to production without going through a code review.

With the recent surge in supply chain attacks and increased scrutiny on security practices in the payments/fintech space, implementing branch protection rules and mandatory code reviews would significantly strengthen your security posture. This is especially important for a billing platform handling sensitive financial data.

Additionally, if SOC 2 compliance is on your roadmap (which many enterprise customers will expect), auditors will flag direct production pushes as a control deficiency. It's much easier to implement these practices early than to retrofit them later.

Quick wins:

• Enable branch protection on main requiring at least one review
• Set up CI/CD checks that must pass before merging

[frankie567]

Hi @matthewford 👋

Thank you for your feedback. I can confirm we already have branch protection rules and required CI checks to allow a PR to be merged:

---

Admittedly, PR from the internal team doesn't get systematically reviewed. This is our current process right now that allows us to move fast.

[matthewford]

I would increase the required reviews to 1 - as this will mean you can still move fast but have a second pair of eyes should one account be compromised. And if you are aiming for soc2/iso27001 compliance you will need to implement a code review policy for the internal team too.

[frankie567]

I'll suggest it to the team.

For the record, our GitHub Organization policy requires 2FA to be enabled for every members, so risk of account takeover should be pretty mitigated.

[matthewford]

Whilst MFA is good practice, recent attacks are bypassing most email filters. It also won't help if your machine is compromised and you are authenticated, or someone with commit access is compromised.