Git is a distributed version control system that empowers developers with version control features and local repositories. In most production settings, Git is paired with a hosted service for distributed access with minimal repository configuration requirements. However, using a hosted server for source control can introduce new attack vectors in source control management (SCM). This article provides suggestions for security concerns around Git use.
What is Git?
Git is the preeminent source control management tool used by software development professionals to manage production code for a variety of apps. Git repositories track historic data for a set of files and can be set up with continuous integration and continuous deployment (CI/CD) workflows for high availability applications.
While you can run your own Git server, many developers opt for a third-party service to manage functionality for a distributed Git server. Hosted services include GitHub, GitLab, BitBucket, and Azure Repos with Azure DevOps. Open-source alternatives like Gitea and SourceForge require manual configuration, which may not be desirable to some developers.
With a Git repository, files are committed locally and pushed to the server. If connected to a hosted service, the changes are typically submitted through a pull request (PR) or a merge request (MR) for code review, though the exact terminology depends on the service. For example, GitHub uses PRs, whereas GitLab uses MRs. As part of your version control process, you might include linting requirements for commits to enforce a style guide on any source code.
If you use a third-party server to host your code repository, you can choose whether the repo is public or private. Many organizations opt to maintain private repositories for production code to protect the company's intellectual property and proprietary software. Private repositories also add a layer of security if there are passwords or personally identifiable information (PII) inadvertently embedded in the source code. However, some organizations do their work in public repos, which empowers the developer community to provide feedback through bug tracking issues or open-source contributions. It is beneficial to add a security policy to any repository and especially for public repositories.
Git security issues
If your production code is hosted in a third-party repository server, you should take care to control access and set security policies. If an attacker gains access to your organization's source code, they can accomplish any number of nefarious actions like data exfiltration, configuration file changes, malicious code insertion, malware uploads, and more. If the attacker has achieved privilege escalation, they could potentially delete the repository or perform arbitrary code execution in your application.
Requiring user security permissions ensures that your repos are only accessible by authorized users, whether your organization uses GitHub repositories or another hosted service. Your third-party service may offer security features for access control and encryption. However, Git stores plain text data, so it is critical to check your code and its metadata for any credentials that should not be exposed.
In order to store that code in a cloud-based repository, you have to be able to communicate from your local Git repository to the third-party service. To achieve this communication, you must provide a path between the two, which is typically accomplished by opening a dedicated port. The native Git protocol uses port 9418, which offers no authentication and no encryption. This port is often closed in corporate environments because of that lack of security measures. Instead, you might use the SSH port 22 for encrypted and authenticated data transfer.
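The transport choice described above can be audited rather than assumed. The shell script below is an added example, not code from the original article or from any hosted Git service: it classifies each remote of a repository by its URL scheme, flags remotes that still use the unauthenticated, unencrypted git:// protocol (TCP 9418) or cleartext http://, and prints the git remote set-url command that would move a git:// remote to its SSH equivalent. The host example.invalid and the two remotes in the demo are constructed for this example; the URL shapes handled are the common ones and are an assumption, not a complete parser of everything Git accepts.

```shell
#!/bin/sh
# Added example, not code from the original article: classify each Git remote
# by transport so that remotes still using the unauthenticated, unencrypted
# git:// protocol (TCP 9418) are flagged and an SSH replacement is suggested.
# The URL shapes and the demo repository below are constructed for this demo.

# Print a transport class for one remote URL.
git_remote_transport() {
  case "$1" in
    git://*)   echo insecure ;;   # plain TCP 9418: no authentication, no encryption
    http://*)  echo insecure ;;   # cleartext HTTP: code and credentials in the clear
    ssh://*)   echo ssh ;;        # authenticated and encrypted
    https://*) echo https ;;      # encrypted; authentication via token or password
    file://*|/*|./*|../*) echo local ;;
    *:*)       echo ssh ;;        # scp-style, e.g. git@github.com:org/repo.git
    *)         echo unknown ;;
  esac
}

# Rewrite git://host/org/repo.git to the SSH form git@host:org/repo.git.
# Any other URL is returned unchanged.
git_url_to_ssh() {
  case "$1" in
    git://*)
      rest="${1#git://}"        # host/org/repo.git
      echo "git@${rest%%/*}:${rest#*/}"
      ;;
    *) echo "$1" ;;
  esac
}

# List "<name> <url> <class>" for every fetch remote of the repo at $1.
audit_remotes() {
  git -C "$1" remote -v | awk '$3 == "(fetch)" { print $1, $2 }' |
  while read -r name url; do
    echo "$name $url $(git_remote_transport "$url")"
  done
}

# Number of remotes on an insecure transport; non-zero is a CI failure.
insecure_remote_count() {
  audit_remotes "$1" | awk '$3 == "insecure"' | wc -l | tr -d ' '
}

# Demo on a throwaway repository with two constructed remotes (skipped when
# git is not installed).
if command -v git >/dev/null 2>&1; then
  demo=$(mktemp -d)
  git -C "$demo" init -q
  git -C "$demo" remote add origin git://example.invalid/org/app.git
  git -C "$demo" remote add mirror git@example.invalid:org/app.git
  audit_remotes "$demo"
  audit_remotes "$demo" | awk '$3 == "insecure" { print $1, $2 }' |
  while read -r name url; do
    echo "fix: git remote set-url $name $(git_url_to_ssh "$url")"
  done
  echo "insecure remotes: $(insecure_remote_count "$demo")"
  rm -rf "$demo"
fi
```

Run as a CI step against a checked-out repository, insecure_remote_count gives a single number to fail the job on; the scp-style classification only means "SSH transport", so whether the key itself is MFA-protected is a separate check on the hosting service.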
How to secure Git use
By requiring authentication for user-based permissions, you can ensure that only authorized users can access your repositories. Most third-party services offer SSH authentication and multi-factor authentication (MFA) for added security measures. Private repositories will also limit access to your code storage and version control.
Other methods to secure Git in your development process include the following:
- Don't commit PII, passwords, API keys, or other sensitive data.
- Use a .gitignore file to exempt files from commits (especially if your work encompasses frequent file changes and you git commit . recursively).
- Require MFA or two-factor authentication for access to hosted services.
- Use an SSH key to connect to GitHub.
- Implement access control for all repositories.
- Require that every commit in a PR be signed with a cryptographic GPG key (no unsigned commits).
- Use caution when cloning public repos or using open-source software dependencies.
- Sync an audit log service to a notification channel so your team remains aware of security alerts for your repositories.
- Set up linting automation for your submissions to avoid commits that contain sensitive information like user credentials.
Each of these suggestions protects your Git repos against security risks that hackers and other malicious actors could exploit.
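The two list items about not committing credentials and about automated checks on submissions are usually enforced together with a pre-commit hook. The script below is an added example and is not code from the original article: it reads a unified diff, keeps only the added lines, and matches them against a small, assumed set of secret-shaped patterns (an AWS access key ID prefix, GitHub token prefixes, a PEM private-key header, and a quoted value assigned to a password/secret/token-like name). The sample diffs are constructed for this demo and contain no real credentials; the pattern list is a starting point, not a complete secret scanner.

```shell
#!/bin/sh
# Added example, not code from the original article: a pre-commit style
# secret scan over the added lines of a unified diff. Patterns are an
# assumed starting set; the sample diffs below are constructed.

# name<TAB>extended-regex, one pattern per line.
secret_patterns() {
  printf '%s\t%s\n' \
    aws-access-key-id   'AKIA[0-9A-Z]{16}' \
    github-token        'gh[pousr]_[A-Za-z0-9]{36}' \
    private-key-block   '-----BEGIN [A-Z ]*PRIVATE KEY-----' \
    generic-credential  "(password|passwd|secret|api[_-]?key|token)[[:space:]]*[=:][[:space:]]*[\"'][^\"']{8,}[\"']"
}

# Read a unified diff on stdin, keep only added lines (dropping the +++ file
# header), and print every match as "<pattern-name>: <line>".
# Returns 0 when nothing matched and 1 when at least one hit was printed.
scan_diff_for_secrets() {
  added=$(grep -E '^\+' | grep -Ev '^\+\+\+' | sed 's/^+//')
  report=$(secret_patterns | while IFS="$(printf '\t')" read -r name regex; do
    printf '%s\n' "$added" | grep -Ei -- "$regex" | sed "s/^/$name: /"
  done)
  if [ -n "$report" ]; then
    printf '%s\n' "$report"
    return 1
  fi
  return 0
}

# Number of hits for a diff on stdin (handy for assertions and CI output).
count_secret_hits() {
  scan_diff_for_secrets | wc -l | tr -d ' '
}

# Hook entry point: copy this file to .git/hooks/pre-commit, make it
# executable, and replace the demo line at the bottom with a call to this.
pre_commit_hook() {
  git diff --cached --no-color -U0 | scan_diff_for_secrets || {
    echo "pre-commit: possible secret in staged changes; commit blocked" >&2
    return 1
  }
}

# Constructed sample: three of the added lines should be flagged, the
# environment lookups and the comment should not.
SAMPLE_DIFF='diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,7 @@
 import os
-DB_PASSWORD = os.environ["DB_PASSWORD"]
+DB_PASSWORD = "hunter2-but-much-longer"
+AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE12"
+token = os.environ.get("API_TOKEN")
+-----BEGIN RSA PRIVATE KEY-----
+# password: see the vault, never commit it here'

# Constructed sample with nothing to flag.
CLEAN_DIFF='diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,2 +1,2 @@
 import os
-DB_PASSWORD = "placeholder"
+DB_PASSWORD = os.environ["DB_PASSWORD"]'

# Demo against the constructed diff (no repository needed).
printf '%s\n' "$SAMPLE_DIFF" | scan_diff_for_secrets || echo "-> commit would be blocked"
```

Only added lines are inspected, so a secret that was already in history is not reported; that is why the article pairs this kind of check with an audit of existing code and metadata. Because a hook can be skipped locally, the same scan belongs in the server-side PR pipeline as well.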
How UpGuard can help
UpGuard’s data leak detection capabilities discover sensitive data exposed in public GitHub repositories and other publicly-available online file storage solutions, and UpGuard BreachSight scans for the open Git port:
- 'git' port open
This finding identifies that the Git service is exposed to the internet. Check your configuration settings to ensure that you have closed port 9418 and require Git use over a more secure avenue.
UpGuard also identifies public use of GitLab and potential security vulnerabilities in outdated versions of GitBook. In addition, UpGuard maintains a vulnerability library for cybersecurity CVEs (Common Vulnerabilities and Exposures) and monitors organizations for data breaches.
Current UpGuard users with the BreachSight feature can log in and access their Risk Profile to search for this Git-based risk among their assets. If you're not a current UpGuard user and you want to run an automated scan of your assets with BreachSight, sign up for a trial.