Git & other VCS
Is Git Secure by default? Are VCS secure by default? Nope…
Last updated
Was this helpful?
Is Git Secure by default? Are VCS secure by default? Nope…
Last updated
Was this helpful?
Nearly every developer uses Git development at some point or another. It’s the default at most universities. It’s open source and widely available for anyone to use. And there’s a lot that Git is great for, especially if you’re working on a small project. [1]
But, Git has its drawbacks. Especially when it comes to security. [1]
Native Git is not secure. [1]
There are no authentication or verification measures. You can only control Git with server access. And developers can easily rewrite your change history. Since Git is distributed, everyone winds up with a copy of the repository on their laptop. And they can do whatever they want with it. [1]
Here are some best practices to follow when working with Git [1][2][3]:
Always have at least one copy of your repositories you can trust and treat as secure
Protect main/relevant branches (to avoid history modification)
Make sure you DO NOT expose insecure directories (ex. '.git/config')
For Self-Hosted Git Servers: secure your Git server and grant user permissions properly)
Sensitive data: NEVER store credentials as code/config in git
Block sensitive data from being pushed to the repositories by using tools such as or a
Break builds if sensitive data is present
Audit repositories from secrets with tools such as
If Sensitive data reached the repo:
Invalidate tokens and passwords
Remove the info and clear the Git history (checkout , or the standard , and also)
Assess the impact of leaked private info
Tight your control access
Require two factor if available
Do NOT let users share accounts/passwords
Be sure any laptops/devices with access to source code and remote repository are secured
Immediately revoke access from users who are no longer working in the project
Give contributors only access to what they need to do their work
In GitHub or other platforms:
Add a : this should contain a "Disclosure Policy", "Security Update policy", "Security related configuration" and "Known security gaps & future enhancements".
If you have Apps that interact with your repositories:
Give and validate the correct and minimum app access rights
Assess the author/organization credibility
Assess how good is the app's security posture (a breach/vulnerability in the app cloud affect you)
Monitor changes in apps and consider application access restrictions
Add security testing to Pull Requests (see )
Rotate SSH Keys, Personal Access Tokens and other kind of tokens (also passwords)
Create new projects with security in mind
When importing projects, audit the history for sensitive data and remove it before the import
Use SSH key authentication where possible and applicable (SSHv2 preferible)
Use only HTTPS or SSH to access Git repositories
Integrity: enforce checks on all incoming objects by setting transfer.fsckObjects
, fetch.fsckObjects
and receive.fsckObjects
to true in your git config (you can run an integrity check at any type by executing git fsck
)
Enforce usage of .gitignore
files and periodically review them
Other utilities:
For cleaning sensitive data from repositories:
From the section:
TruffleSecurity (): find and verify credentials.
(): a fast, light-weight, portable, and open-source secret scanner for git repositories, files, and directories.
Deepfence : find secrets and passwords in container images and file systems.
TruffleSecurity : a tool that can enable you to lookup whether a private key is used for things like TLS or as a GitHub SSH key for a user.
: a YARA powered static credential scanner which suports binary file formats, analysis of nested archives, composable rulesets and ignore lists, and SARIF reporting.
: Reconnaissance tool for GitHub code search. Scans for exposed API keys across all of GitHub, not just known repos.
AWS Labs : Prevents you from committing secrets and credentials into git repositories
Yelp : An enterprise friendly way of detecting and preventing secrets in code.
Auth0 : a tool that helps you to detect secrets and passwords in your code.
: secure your software development lifecycle with enterprise-grade secrets detection. Eliminate blind spots with our automated, battle-tested detection engine.
: discover, classify, and remove secrets and keys to protect your organization and maintain compliance.
: monitor, classify, and protect your code, assets, and infrastructure for exposed API keys, tokens, credentials, and high-risk security misconfigurations in a simple way, without noise.
From the section:
: safeguard cryptographic keys and other secrets used by cloud apps and services.
: helps you manage, retrieve, and rotate database credentials, API keys, and other secrets throughout their lifecycles.
: create and control keys used to encrypt or digitally sign your data.
: a secure and convenient storage system for API keys, passwords, certificates, and other sensitive data.
: manage encryption keys on Google Cloud.
: manage access to secrets and protect sensitive data.
: Safely store secrets in a VCS repo (i.e. Git, Mercurial, Subversion or Perforce).
: enable developers with a secure vault for credentials, certificates and keys.
: the uncomplicated way to sync, manage, orchestrate, and rotate secrets across any environment or app config with easy to use tools.
Mozilla (Secrets OPerationS): simple and flexible tool for managing secrets.
(): a productivity secret manager for developers supporting cloud-native apps and multiple cloud providers. Mix and match all vaults and other key stores and safely use secrets as you code, test, and build applications.
(): automatically secures secrets used by privileged users and machine identities.
(): the slightly more awesome standard UNIX password manager for teams.
: a key and secret workflow (validation, invalidation, etc.) tool built in Rust.
: a service for storing and rotation of secrets, keys, and passwords used by other services.
: Encrypt and decrypt files to store them inside a git repository. git-tresor uses AES-256 encryption. Every file or directory has it's own password. This enables you to commit encrypted files either in a separate git repository or inside the same repository where your secret files are needed (f.e. Android-Keystores or Signing-Certificates for Apple).
: encryption/decryption utility for Ansible data files.
: securely manage passwords, certs, and other secrets in Chef.
(⚠️): a very simple, easy to use credential management and distribution system that uses AWS Key Management Service (KMS) for key wrapping and master-key storage, and DynamoDB for credential storage and sharing.
: removes large or troublesome blobs like git-filter-branch does, but faster.
: a versatile tool for rewriting history.
: lets you rewrite Git revision history by rewriting the branches.
[1]:
[2]:
[3]: