# VC policy gap report template
Adapt depth to scope (single repo vs org roll-up).
## Executive summary
3–5 sentences:
- What was scanned (host, scope, branch)
- Overall posture: protected / partial / open
- Top 3 gaps
- Recommended starting point (repo pilot vs org rollout)
## Scan metadata
| Field | Value |
|---|---|
| Host | |
| Org / project | |
| Repo(s) | |
| Default branch | |
| Policy level preference | repo-first / org-wide |
| Evidence | gh CLI / UI / mixed |
| Run date | |

## Control matrix

| Control | Golden path | Current state | Evidence | Gap | Priority |
|---|---|---|---|---|---|
| Main protected (no direct push) | Ruleset on default branch | | | | P0 |
| Block force-push to main | non_fast_forward | | | | P0 |
| Linear history (no merge commits) | required_linear_history | | | | P0 |
| Rebase-only PR merges | squash=off, merge=off, rebase=on (+ optional merge-method rule) | | | | P1 |
| Auto-delete head branches | deleteBranchOnMerge=true | | | | P1 |
| Allow update branch on PRs | allow_update_branch=true | | | | P2 |
| Large-file push block | Push ruleset e.g. 3 MB | | | | P1 |
| Required CI / status checks | Ruleset or branch policy | | | | P1 |
| Local dev hygiene documented | git-hygiene, .gitignore, external binaries | | | | P2 |
Use ✅ / ⚠️ / ❌ in Gap column where helpful.
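The following is an added worked example, not part of the template itself, showing how the Current state, Evidence and Gap columns can be filled mechanically from two pieces of gh CLI evidence: `gh api repos/OWNER/REPO` (repository merge settings) and `gh api repos/OWNER/REPO/rules/branches/main` (rules a ruleset currently enforces on the default branch). The two JSON documents in the block are constructed samples shaped like those responses, `OWNER/REPO` is a placeholder, and treating an active `pull_request` rule as the sign that direct pushes to main are blocked is this example's own choice. The large-file row needs the push ruleset rather than branch rules, so it is left for manual entry.

```python
"""Fill the control matrix from captured gh CLI output (added example).

Assumed inputs (replace with real captures):
  gh api repos/OWNER/REPO                      -> REPO_JSON
  gh api repos/OWNER/REPO/rules/branches/main  -> BRANCH_RULES_JSON
"""
import json

# Constructed sample of `gh api repos/OWNER/REPO` (only the fields used here).
REPO_JSON = """{
  "default_branch": "main",
  "allow_squash_merge": true,
  "allow_merge_commit": false,
  "allow_rebase_merge": true,
  "allow_update_branch": false,
  "delete_branch_on_merge": true
}"""

# Constructed sample of `gh api repos/OWNER/REPO/rules/branches/main`:
# one entry per rule that a ruleset currently enforces on that branch.
BRANCH_RULES_JSON = """[
  {"type": "non_fast_forward", "ruleset_id": 101},
  {"type": "required_linear_history", "ruleset_id": 101},
  {"type": "pull_request", "ruleset_id": 101,
   "parameters": {"required_approving_review_count": 1}}
]"""


def evaluate(repo_json, branch_rules_json):
    """Return one matrix row per control: control, priority, current, evidence, gap."""
    repo = json.loads(repo_json)
    rule_types = {rule["type"] for rule in json.loads(branch_rules_json)}
    branch = repo.get("default_branch", "main")
    rules_src = f"gh api repos/OWNER/REPO/rules/branches/{branch}"
    repo_src = "gh api repos/OWNER/REPO"

    def flag(name):  # render a boolean repo setting like the golden-path column
        return str(repo.get(name)).lower()

    def has(rule):  # current-state text for a ruleset rule type
        return f"{rule} {'present' if rule in rule_types else 'absent'}"

    merge = (f"squash={flag('allow_squash_merge')}, "
             f"merge={flag('allow_merge_commit')}, "
             f"rebase={flag('allow_rebase_merge')}")

    # (control, priority, passes?, current state, evidence source)
    checks = [
        ("Main protected (no direct push)", "P0",
         "pull_request" in rule_types, has("pull_request"), rules_src),
        ("Block force-push to main", "P0",
         "non_fast_forward" in rule_types, has("non_fast_forward"), rules_src),
        ("Linear history (no merge commits)", "P0",
         "required_linear_history" in rule_types,
         has("required_linear_history"), rules_src),
        ("Rebase-only PR merges", "P1",
         repo.get("allow_rebase_merge") is True
         and not repo.get("allow_squash_merge")
         and not repo.get("allow_merge_commit"), merge, repo_src),
        ("Auto-delete head branches", "P1",
         repo.get("delete_branch_on_merge") is True,
         f"deleteBranchOnMerge={flag('delete_branch_on_merge')}", repo_src),
        ("Allow update branch on PRs", "P2",
         repo.get("allow_update_branch") is True,
         f"allow_update_branch={flag('allow_update_branch')}", repo_src),
        ("Required CI / status checks", "P1",
         "required_status_checks" in rule_types,
         has("required_status_checks"), rules_src),
    ]
    return [{"control": c, "priority": p, "current": cur, "evidence": src,
             "gap": "✅" if ok else "❌"} for c, p, ok, cur, src in checks]


def posture(rows):
    """Overall posture for the executive summary: protected / partial / open."""
    gaps = [r for r in rows if r["gap"] == "❌"]
    if not gaps:
        return "protected"
    if any(r["priority"] == "P0" for r in gaps):
        return "open"  # an unprotected default branch outweighs everything else
    return "partial"


def to_markdown(rows):
    """Render rows in the control-matrix table layout used by this template."""
    lines = ["| Control | Current state | Evidence | Gap | Priority |",
             "|---|---|---|---|---|"]
    for r in rows:
        lines.append(f"| {r['control']} | {r['current']} | {r['evidence']} "
                     f"| {r['gap']} | {r['priority']} |")
    return "\n".join(lines)


if __name__ == "__main__":
    matrix = evaluate(REPO_JSON, BRANCH_RULES_JSON)
    print(to_markdown(matrix))
    print(f"\nOverall posture: {posture(matrix)}")
```

With the constructed sample the matrix comes out as partial: main is protected and force-push is blocked, but squash merges are still enabled, "update branch" is off, and no status-check rule is active. Replace the two constants with real captures and paste the rendered table into the matrix above, keeping the Golden path column from the template.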
## Org vs repo recommendation
| Approach | Pros | Cons | When to use |
|---|---|---|---|
| Repo-first | Low blast radius; easy pilot | Inconsistent until rolled out | First adoption, one team repo |
| Org-wide | Consistent; one place to audit | Needs org admin; affects all repos | Standard for whole org |
Recommendation for this run: …
## Remediation plan (ordered)

### Phase 1 — Protect main (P0)
- [ ] …

### Phase 2 — Merge method hygiene (P1)
- [ ] …

### Phase 3 — Large files (P1)
- [ ] …

### Phase 4 — Local dev (P2)
- [ ] Adopt `git-hygiene` skill
- [ ] …

## Local dev notes
Short section for engineers:
- Branch from `origin/main`; never commit to `main`
- Prefer rebase merge; delete branch after merge
- Binaries >N MB → object storage / LFS, not git
- A branch still showing "1 ahead" after a squash merge is a ghost branch (its commit is already in main), not missing work
## Appendix
- Raw command output
- Screenshot references
- Per-repo summary table (org scans)