Today we’ll be taking a deeper look at how you can protect yourself from common security issues with Git, and how to avoid them. We’ll also take a closer look at the most useful security-focused git commands that will help prevent these secrets from being exposed.
So what is Git?
Git is a version control system for tracking changes in computer files and coordinating work on those files among multiple people. It is mostly used for source code control in software development firms, but it can be used to keep track of the things that are being changed in any set of files. As a distributed revision control system it is aimed at speed, data integrity, and support for distributed, non-linear workflows.
What are the most common git security issues?
The most common git security issues that a lot of beginners face when starting out with Git revolve around keeping sensitive information in their repositories private by accident. This could include storing passwords in plain text within your .gitingore file or committing them to the /git directory which you may want to keep hidden from other users, as well as leaving your sensitive data sitting in commits and branches within the remote repository for anyone to see/steal.
The best way to avoid these common git security issues is to make sure you never store plaintext passwords, instead of using a tool such as git-crypt or GPG key encryption. This will allow you to commit sensitive information without committing it directly into your repositories – instead encrypting and decrypting on commit/push and only keeping the encrypted files under version control. But let’s dive deeper into it for a bit.
How to be secure on Git?
Git is essentially a file manager, just like Finder or Explorer. It’s really useful because it lets you easily manage versions of files across devices and work with other people on shared projects. As great as this is, however, it comes at the price that all sensitive data has to pass through this one program whenever it interacts with version control. So what happens if somebody compromises your laptop? If your laptop gets compromised, so does your Git account… That’s why it’s so important to keep your system as secure as possible. In this article, we’ll also take a look at how you can do just that, and review some of the most important Git security practices for keeping everything safe.
Sharing files with others
As humans, we have a tendency towards being lazy. It is human nature to try and find shortcuts or workarounds in order to avoid unnecessary effort whenever possible. Unfortunately, when “living in a bubble” – not thinking about potential problems – bad things happen; like accidentally committing secrets into our repositories… This might be something as simple as logging into GitHub with an API token rather than your user credentials (this is ok on your own computer but definitely not once committed) or checking repositories containing passwords or SSH keys into a public repository. These things should be obvious, so why do developers still do them?
Don’t just rely on Git’s Security
When using development platforms like Gitlab or GitHub, it is incredibly tempting to “trust” their code because you know there are hundreds of thousands of users depending on it. This is why so many people configure continuous integration & delivery pipelines directly within the IDE without giving it a second thought. But this can be disastrous when it comes to Git security because if somebody compromises these services they could easily retrieve any secrets stored in your local repository by just reviewing or tampering with the incoming data!
This might seem like an obvious thing to say, but once an Application gets hacked – no matter how secure that application claims to be – you’re essentially left with two options: Either fix the software (recompile and redeploy it) which means your secrets will remain at risk until you do OR revert back to a clean snapshot and lose the forensics information that might provide clues as to how your system was compromised in the first place.
We also think it’s worth mentioning here that this problem extends far beyond just your local environment… It applies to any systems or services with access to those repositories you’re hosting as well; like continuous integration platforms, backup storage providers, CDNs (Content Delivery Networks), etc. The good news is that most of the common Git security guidelines apply equally to these interconnected systems as they do for your local machine.
After every commit you make, simply add the recipient’s PGP key to your keychain and then when it comes time to push that code into your remote “origin” server, just include their public key in the command.
At this point, git will know how to securely verify the authenticity of all future commits originating from that person/machine. Of course, once somebody has access to your private keys they could also sign new “bogus” commits but you would be able to easily identify them because anyone who doesn’t have access would be unable to sign with it.
Alternatively, if you’d rather not manage multiple sets of keys or worry about transferring them between each other you could use a pre-shared symmetric key.
This essentially means that both of you agree on a single passphrase which you will then concatenate to the end of your message before encrypting it with GPG. You can then send this encrypted bundle back and forth between each other and simply append the latest version every time you need to send a new one.
Git commits can be cryptographically verified using a PGP signature or signed off with a timestamp from an online trusted timestamping service such as one of these:
After verifying any commit sent by somebody else, Git will fail if an attempt was made to modify it so this would be an easy way to automate the process of reporting security issues when they do occur.
Hide any info in your files
Another security precaution you can take is to avoid exposing sensitive information with your .gitconfig file by modifying it so that every option is hidden unless you explicitly choose to expose them. If you want to learn more about this you can check out GitGuardian.
Of course, if somebody was able to gain access to your user account then they could do all of these things themselves, but at least they would need both your username and password first