Git

A distributed version control system that tracks changes in source code during software development, enabling collaborative development and maintaining a complete history of changes.

What is Git?

Git is a distributed version control system designed to track changes in source code during software development. Created by Linus Torvalds in 2005 for developing the Linux kernel, Git has become the most widely used version control system for software development, providing the foundation for modern collaborative development workflows.

Unlike earlier centralized version control systems, Git gives each developer a complete local copy of the entire project history, enabling offline work, faster operations, and decentralized collaboration. Git focuses on data integrity, speed, and support for distributed, non-linear workflows.

Key Git Concepts

Repository (Repo)

A collection of files and their complete revision history. A Git repository includes the entire codebase and its history, stored in the .git directory.

Commit

A snapshot of changes made to the repository at a point in time. Each commit has a unique identifier (hash), contains metadata (author, timestamp, message), and maintains a reference to its parent commit(s).

Branch

A lightweight, movable pointer to a commit, representing an independent line of development. Branches allow developers to work on features or fixes in isolation without affecting the main codebase.

Merge

The process of integrating changes from one branch into another, combining different lines of development.

Remote

A shared Git repository stored on a server, allowing multiple developers to push and pull changes (e.g., repositories on GitHub, GitLab, or Bitbucket).

Clone

Creating a local copy of a remote repository, including all its history.

Push/Pull

Push sends local commits to a remote repository; pull retrieves commits from a remote repository and integrates them into the local branch.

Git in Software Supply Chain Security

Git plays a fundamental role in software supply chain security:

Source Code Integrity

  • Commit History: Maintains a verifiable record of all code changes
  • Cryptographic Hashing: Every object (blob, tree, commit) is addressed by the SHA-1 hash of its content (SHA-256 repositories are also supported), so any tampering with stored history changes the identifiers that reference it
  • Commit Signing: Supports cryptographic signing of commits and tags so that authorship can be verified against a key rather than trusted from the free-text author field
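To make the content-addressing point concrete, the following added example (not code from FOSSA or from Git itself) reproduces Git's blob object ID without invoking git: Git hashes the header "blob <size>" followed by a NUL byte and the raw file content. The same computation is what `git hash-object <file>` performs for SHA-1 repositories, so the IDs it prints can be compared against git directly. It assumes a POSIX shell with `sha1sum` available.

```shell
#!/bin/sh
# Reproduce Git's blob object ID (SHA-1 object format) without invoking git.
# Git hashes "blob <size>\0" followed by the raw content, so the object ID
# depends on every byte of the file: change one byte and the blob ID changes,
# and with it every tree and commit that references it.

# git_blob_id FILE: print the 40-hex SHA-1 object ID Git would assign to FILE.
git_blob_id() {
  size=$(wc -c < "$1" | tr -d ' ')
  { printf 'blob %s\000' "$size"; cat "$1"; } | sha1sum | cut -d' ' -f1
}

# Usage: sh blob-id.sh file1 [file2 ...]
# Compare each line against `git hash-object file1`; they are identical.
for f in "$@"; do
  printf '%s  %s\n' "$(git_blob_id "$f")" "$f"
done
```

Well-known reference values: an empty file hashes to e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 and a file containing only "hello" plus a newline hashes to ce013625030ba8dba906f756967f9e9ca394464a, which is exactly what `git hash-object` reports for the same inputs.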

Traceability

  • Author Attribution: Records who made each change
  • Timestamps: Documents when changes occurred
  • Commit Messages: Explains why changes were made

Security Controls

  • Branch Protection: Prevents unauthorized changes to critical branches
  • Code Review: Facilitates peer review through pull/merge requests
  • Access Controls: Integrates with authentication and authorization systems

Git Security Best Practices

Commit Signing

Using GPG or SSH keys to cryptographically sign commits, so that reviewers and server-side policy can verify that a commit came from the holder of a trusted key rather than trusting the free-text author field. Signing only helps if the receiving side actually checks signatures (for example with git verify-commit or a hosting platform's "require signed commits" rule).

# Configure Git to sign commits with a GPG key
git config --global user.signingkey YOUR_KEY_ID
git config --global commit.gpgsign true
# To sign with an SSH key instead (Git 2.34 or later), point Git at the public key
git config --global gpg.format ssh
git config --global user.signingkey ~/.ssh/id_ed25519.pub

Branch Protection

Enforcing rules that prevent direct pushes to important branches (like main or production), requiring code reviews before merging.

Sensitive Data Prevention

Using .gitignore files and tools like git-secrets or pre-commit hooks to prevent committing sensitive information. Note that .gitignore only stops untracked files from being added; a file that is already tracked, or a secret pasted into a tracked source file, still needs a scanning hook to catch it:

# Example .gitignore entries
*.pem
*.key
.env
secrets.yaml
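A minimal pre-commit hook of the kind the text refers to, written here as an added example rather than taken from FOSSA or from the git-secrets project. It inspects only the lines being added in the staged diff and refuses the commit when one of them matches a credential-like pattern. The patterns (an AWS access key ID shape, PEM private-key headers, and a quoted literal assigned to a password/secret/token-like name) are illustrative assumptions to be tuned per environment; the sample diffs at the bottom are constructed for demonstration and are not real repository data.

```shell
#!/bin/sh
# .git/hooks/pre-commit: refuse a commit when any line being ADDED looks like a
# credential. Only added lines (+) are inspected, so existing code is not rescanned.

# Illustrative patterns (assumed; tune for your environment):
#   - AWS access key IDs (AKIA followed by 16 uppercase letters/digits)
#   - PEM private key headers
#   - a quoted literal of 8+ characters assigned to a password/secret/token-like name
SECRET_PATTERNS="AKIA[0-9A-Z]{16}|BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY|(password|passwd|secret|api_key|apikey|token)[[:space:]]*[:=][[:space:]]*[\"'][^\"']{8,}[\"']"

# check_diff DIFF_TEXT: return 0 when the diff is clean, 1 (printing the
# offending lines to stderr) when an added line matches SECRET_PATTERNS.
# Lines starting with "+++" are file headers, not content, and are skipped.
check_diff() {
  hits=$(printf '%s\n' "$1" | grep -E '^[+][^+]' | grep -E -- "$SECRET_PATTERNS" || true)
  if [ -n "$hits" ]; then
    printf 'pre-commit: possible secret in staged changes, commit refused:\n%s\n' "$hits" >&2
    return 1
  fi
  return 0
}

# Constructed sample diffs for demonstration (not real repository data).
# Reading a password from the environment is fine; a literal key is not.
CLEAN_DIFF='--- a/app.py
+++ b/app.py
@@ -1,1 +1,2 @@
+import os
+password = os.environ["DB_PASSWORD"]'

LEAKY_DIFF='--- a/config.py
+++ b/config.py
@@ -1,1 +1,2 @@
+aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
+-----BEGIN RSA PRIVATE KEY-----'

# When Git runs this file as the pre-commit hook, scan what is actually staged.
case "${0##*/}" in
  pre-commit) check_diff "$(git diff --cached --unified=0 --no-color)" || exit 1 ;;
esac
```

Install it as .git/hooks/pre-commit (executable) or distribute it through a hooks framework; a local hook is a convenience for developers, not a control, since `git commit --no-verify` bypasses it, so the same scan belongs in a server-side pre-receive hook or CI job as well.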

Repository Integrity Monitoring

Regularly auditing repositories for unauthorized changes or suspicious activity.

Force Push Restrictions

Disabling force-pushes to shared branches to prevent history rewriting. Core Git enforces this on the receiving (server-side) repository for all branches at once; per-branch rules come from the hosting platform's branch protection or from a pre-receive hook:

# On the server-side repository, reject non-fast-forward (force) pushes
git config receive.denyNonFastForwards true
# Also reject branch deletion
git config receive.denyDeletes true

Git-based Supply Chain Attacks

Commit Spoofing

Attackers falsify commit author information to impersonate trusted contributors, potentially introducing malicious code. Git itself does not authenticate the author or committer fields; they are plain text set by whoever creates the commit, which is why signature verification, not the displayed name, is the control.

Dependency Confusion

Manipulating Git submodule URLs or references so that a build pulls an unintended or malicious dependency instead of the expected one.

History Tampering

Using force-push to rewrite repository history, potentially removing security patches or introducing backdoors.

Leaked Secrets

Harvesting sensitive information (API keys, passwords) accidentally committed to Git repositories. Because history is retained, a secret remains recoverable from earlier commits even after the file is removed in a later commit, so a leaked credential must be rotated rather than merely deleted.

Git Hosting Platforms

GitHub

Microsoft-owned platform offering repository hosting, pull requests, actions (CI/CD), and collaboration features.

GitLab

Complete DevOps platform providing version control, CI/CD, monitoring, and security features.

Bitbucket

Atlassian's Git solution, integrated with Jira, Confluence, and other Atlassian tools.

Azure DevOps

Microsoft's development platform including Git repositories and DevOps tools.

Self-hosted Options

  • Gitea: Lightweight self-hosted Git service
  • GitLab Community Edition: Self-hosted version of GitLab
  • Gerrit: Code review system built on Git

Advanced Git Security Features

Git Hooks

Scripts that run automatically when specific events occur in a Git repository:

  • Pre-commit: Runs before a commit is created, can check for sensitive data
  • Pre-receive: Runs on the server before accepting pushed commits, can enforce policy
  • Post-receive: Runs after commits are accepted, can trigger CI/CD pipelines
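As an added example of the server-side policy enforcement described for pre-receive hooks (and of the force-push restriction covered earlier), the script below is not FOSSA's or Git's own code. Git feeds a pre-receive hook one line per updated ref on stdin, `<old-sha> <new-sha> <refname>`, and a non-zero exit rejects the whole push. The hook rejects deletion of, and non-fast-forward updates to, refs matching an assumed list of protected patterns (refs/heads/main and refs/heads/release/*), while leaving other refs untouched. The fast-forward test wraps `git merge-base --is-ancestor`; the ANCESTOR_CMD override exists only so the policy logic can be exercised without a repository.

```shell
#!/bin/sh
# hooks/pre-receive on the server-side (bare) repository. Git feeds one line
# per updated ref on stdin: "<old-sha> <new-sha> <refname>". A non-zero exit
# rejects the entire push. Protected refs may only move forward: no deletion
# and no non-fast-forward (force) update.

PROTECTED='refs/heads/main refs/heads/release/*'   # assumed naming; adjust
ZERO=0000000000000000000000000000000000000000     # Git's "no object" SHA-1

# is_protected REFNAME: 0 when REFNAME matches one of the PROTECTED globs.
is_protected() {
  for pattern in $PROTECTED; do
    case "$1" in $pattern) return 0 ;; esac
  done
  return 1
}

# is_ancestor OLD NEW: 0 when OLD is reachable from NEW, i.e. the update is a
# fast-forward. Wraps git; ANCESTOR_CMD lets the policy be tested without a repo.
is_ancestor() {
  ${ANCESTOR_CMD:-git merge-base --is-ancestor} "$1" "$2"
}

# check_update OLD NEW REFNAME: 0 to accept, 1 to reject (reason on stderr).
check_update() {
  old=$1 new=$2 ref=$3
  is_protected "$ref" || return 0            # unprotected refs: no restrictions
  if [ "$new" = "$ZERO" ]; then
    echo "rejected: deleting protected ref $ref" >&2; return 1
  fi
  # old == ZERO means the ref is being created, which is always a fast-forward.
  if [ "$old" != "$ZERO" ] && ! is_ancestor "$old" "$new"; then
    echo "rejected: non-fast-forward (force) update to $ref" >&2; return 1
  fi
  return 0
}

# Hook entry point: evaluate every ref update Git reports on stdin.
if [ "${0##*/}" = "pre-receive" ]; then
  status=0
  while read -r old new ref; do
    check_update "$old" "$new" "$ref" || status=1
  done
  exit $status
fi
```

Because the hook runs on the server, it cannot be bypassed with `--no-verify` the way a client-side pre-commit hook can; it is the equivalent of `receive.denyNonFastForwards` restricted to the branches that matter.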

Git-LFS (Large File Storage)

Extension for handling large files, reducing repository bloat and improving performance.

Git Submodules

Links external repositories as dependencies, enabling modular codebases while maintaining version control.

Git Shallow Clones

Clones that fetch only recent history, reducing transfer size and limiting how much historical content (including any secrets that once lived in old commits) lands on build machines that do not need the full history:

# Clone with only 1 commit of history
git clone --depth=1 https://github.com/example/repo.git

Git Best Practices for Development Teams

  1. Use Descriptive Commit Messages: Clearly explain changes for better auditability
  2. Regular Commits: Make small, focused commits rather than large, sweeping changes
  3. Branching Strategy: Adopt a consistent branching model (e.g., Git Flow, GitHub Flow)
  4. Code Reviews: Require peer reviews before merging code changes
  5. Automated Testing: Integrate testing with Git workflows (pre-commit, CI/CD)
  6. Repository Hygiene: Avoid committing compiled binaries, dependencies, or large files
  7. Security Scanning: Scan repositories for secrets, vulnerabilities, and compliance issues
  8. Documentation: Maintain clear documentation on Git workflows and security policies