Like with any other digital asset, Git repositories should be secure from unauthorized access; ensuring that only authorized users can view, download, and contribute. While that may sound like a blinding flash of the obvious, here are some points you may want to consider:
-
Hiding code from the view of hackers: If your Git repository contains proprietary (i.e. “closed-source”) software, then hackers who gain access to this repository could threaten to leak the code, holding you ransom for financial gain. Locking down your git repository ensures that only authorized internal users can access it.
-
Keeping code free of exploits: Owners of open-source Git repositories must carefully monitor the pull requests they receive to ensure the code stays free of bugs and exploits. New additions to the code base may intentionally or unintentionally introduce vulnerabilities or backdoors that allow hackers to exploit the software.
-
Preventing exposure of sensitive data: It’s a best practice not to commit highly confidential data, such as passwords and personally identifiable information (PII), to your Git repository. However, even the most privacy-conscious developers may accidentally push files containing SSH keys, database access keys, and server certificate keys to the git repository. If you have sensitive data stored somewhere in your git repository, securing this repository ensures that malicious actors won’t find it before you do.
What you can do to secure your repo
A little precaution and care goes a long, long way.
-
Lock down access: Use strong passwords and two-factor authentication for all user accounts. Regularly review the repository’s permissions to ensure that users do not have privileges they don’t need. Change SSH keys regularly.
-
Use the .gitignore file: To prevent accidental leakage of sensitive data, make sure to use the .gitignore file. This plain text file contains the names of files and directories that should be ignored when doing version control (i.e., not uploaded to the repository).
-
Protect code branches: All potential new code additions should be thoroughly scrutinized. Branch protection rules require code to go through status checks or reviews before it can be added to the repository.
-
Define a SECURITY.md file: The SECURITY.md file defines the owner’s security policy for a given repository. This includes information such as a contact email for users to report a security vulnerability.
-
Scan repository contents: Check repositories’ code regularly, scanning for flaws and vulnerabilities. Tools such as SonarQube and Snyk can automatically check for potential code issues.