2022-10-21

Have you heard of GitSecOps? No? I envy you. Let me elucidate:

Git • Sec • Ops (n) - A term I made up that sounds like LinkedIn blog spam.

At least, I thought I coined it. Nope, a quick DuckDuckGo search reveals that a whole startup exists for GitSecOps:

I'm not condemning the name itself; I'm only mocking certain tendencies of our profession.

Welp. The point is, hardening Git involves more than you might expect. Apparently it’s complicated enough to support an entire company.

I could keep trying to be amusing but I’m sure my literary “skills” have already deterred enough of you from even making it this far. Let’s just jump right into my examples of all the ingredients in the perennially messy recipe that is a secure GitHub repo.

Finding secrets

The naive approach would be to just throw some GitHub dorks at a repo and see what pops up. You’re better off using an automated solution like TruffleHog or Gitleaks that will search the entire commit history and all branches.

Just brew install gitleaks (or whatever package manager you have) and then run gitleaks detect --verbose in the repo you want to scan:

If you also want dorks, apply to GitHub’s code search beta. They let everyone in; just apply and wait a few days.

Messing around with random regular expression dork ideas is so addictive.

Developers will often do crazy stuff locally before cleaning up and pushing to a remote branch, which is often visible in the git history. I learned to do this when external auditors found our codebase history had live credentials for test accounts on mail providers! They were just for testing, so no real harm, but still! Very educational.
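To make concrete what a history-wide secret scan does, here is a small gitleaks-style scanner written for this post as an added example; it is not code from gitleaks, TruffleHog or the author. It walks `git log -p`-shaped output commit by commit, applies a few signature regexes plus a Shannon-entropy catch-all to added lines only, and attributes each hit to the commit that introduced it. The transcript embedded below is constructed (fake SHAs, fake credentials) so the block runs offline; the rule set and entropy threshold are illustrative assumptions, not a real tool's defaults.

```python
"""Minimal gitleaks-style scanner over `git log -p` output (added example)."""
import math
import re
from dataclasses import dataclass

# Illustrative rule set. Real scanners ship hundreds of rules; these are
# assumptions chosen to cover the constructed sample below.
RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    # No leading \b: identifiers like SMTP_PASSWORD glue the keyword to an underscore.
    "password-assignment": re.compile(
        r"(?i)(pass(word)?|secret|api[_-]?key)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"),
    "private-key-block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
HIGH_ENTROPY_TOKEN = re.compile(r"[A-Za-z0-9+/=_-]{24,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; assumed value, tune per code base


@dataclass(frozen=True)
class Finding:
    commit: str
    path: str
    rule: str
    line: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_patch(text: str) -> list:
    """Scan `git log -p` output; report secrets in the commit that added them."""
    findings = []
    commit, path = "?", "?"
    for raw in text.splitlines():
        if raw.startswith("commit "):
            commit = raw.split()[1]
            continue
        if raw.startswith("+++ "):
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
            continue
        # Only added lines: a '-' line was already reported at the commit that added it.
        if not raw.startswith("+"):
            continue
        line = raw[1:]
        matched = False
        for name, rx in RULES.items():
            if rx.search(line):
                findings.append(Finding(commit, path, name, line.strip()))
                matched = True
        if not matched:
            for tok in HIGH_ENTROPY_TOKEN.findall(line):
                if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
                    findings.append(Finding(commit, path, "high-entropy-string", line.strip()))
                    break
    return findings


# Constructed sample: a credential committed, then "cleaned up" one commit later.
# The cleanup does not help; the first commit still carries it.
SAMPLE_LOG = """\
commit 1111111111111111111111111111111111111111
Author: Dev <dev@example.com>

    add mail test config

diff --git a/config/mail_test.py b/config/mail_test.py
--- /dev/null
+++ b/config/mail_test.py
@@ -0,0 +1,4 @@
+SMTP_USER = "qa-bot@example.com"
+SMTP_PASSWORD = "hunter2hunter2"
+AWS_KEY = "AKIAEXAMPLE000000000"
+TOKEN = "Zq8vL3xT1nYwR0pKd9sMbA7eHuJ4cFgN"
commit 2222222222222222222222222222222222222222
Author: Dev <dev@example.com>

    remove credentials before review

diff --git a/config/mail_test.py b/config/mail_test.py
--- a/config/mail_test.py
+++ b/config/mail_test.py
@@ -1,4 +1,4 @@
 SMTP_USER = "qa-bot@example.com"
-SMTP_PASSWORD = "hunter2hunter2"
-AWS_KEY = "AKIAEXAMPLE000000000"
-TOKEN = "Zq8vL3xT1nYwR0pKd9sMbA7eHuJ4cFgN"
+SMTP_PASSWORD = os.environ["SMTP_PASSWORD"]
+AWS_KEY = os.environ["AWS_KEY"]
+TOKEN = os.environ["TOKEN"]
"""

if __name__ == "__main__":
    for f in scan_patch(SAMPLE_LOG):
        print(f"{f.commit[:8]} {f.path}: {f.rule}: {f.line}")
```

Against a real repository you would feed it `git log -p --all` so that every branch is covered, which is exactly why the second "cleanup" commit in the sample is not enough: the findings all point at the first commit, and only rewriting history (and rotating the credentials) removes them.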

GitSecOps

Where to begin? The paper Harden Git for GitOps reduces it into four basic problems:

1. Git users can impersonate each other
2. A malicious user rewrites history
3. A malicious user removes security features
4. Old Git client versions are insecure

However, this ignores platform related issues like how to secure Github Actions, or how to protect members in your organization from phishing. At the end I’ll point to some great, in-depth resources from GitHub itself, but let’s get to the point: things you need to know to harden a repo.

Enforce PGP signing of commits

Git allows users to sign commits with PGP. This solves problem #1 from the GitOps issues we listed earlier. While adding an authentication mechanism to Git is incredible, you should go a step further by enforcing this in your entire repo. If that’s too much, just make it the policy on the repo that commits must be signed.
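A small audit of a branch's protection settings against problems 1 to 3 above (signing, history rewriting, removal of controls), added here as an example and not code from the post, the paper or GitHub. It assumes the input dict has the shape of the JSON returned by GitHub's `GET /repos/{owner}/{repo}/branches/{branch}/protection` endpoint (sub-objects such as `required_signatures` with an `enabled` boolean); both dicts below are constructed, not fetched. Problem 4 (old clients) is not a branch setting, so it is out of scope for this check.

```python
"""Audit a GitHub branch-protection object against the GitOps problems (added example)."""


def lookup(obj, dotted: str):
    """Follow a dotted path through nested dicts; None if any key is missing."""
    for key in dotted.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


# (problem, setting path, predicate on its value, remediation). The field names
# are assumed to follow the branch-protection API response; verify against the docs.
CHECKS = [
    ("1 impersonation", "required_signatures.enabled",
     lambda v: v is True, "require signed commits"),
    ("2 history rewrite", "allow_force_pushes.enabled",
     lambda v: v is False, "block force pushes"),
    ("2 history rewrite", "allow_deletions.enabled",
     lambda v: v is False, "block branch deletion"),
    ("3 removal of controls", "enforce_admins.enabled",
     lambda v: v is True, "apply the rules to admins too"),
    ("3 removal of controls", "required_pull_request_reviews.required_approving_review_count",
     lambda v: isinstance(v, int) and v >= 1, "require at least one approving review"),
]


def audit(protection: dict) -> list:
    """Return one dict per failed check; an empty list means every check passed."""
    failures = []
    for problem, path, ok, fix in CHECKS:
        value = lookup(protection, path)
        if not ok(value):
            failures.append({"problem": problem, "setting": path, "value": value, "fix": fix})
    return failures


# Constructed: a branch that only requires status checks; everything else is default.
WEAK = {
    "required_status_checks": {"strict": True, "contexts": ["ci"]},
    "required_signatures": {"enabled": False},
    "enforce_admins": {"enabled": False},
    "allow_force_pushes": {"enabled": True},
    "allow_deletions": {"enabled": False},
}

# Constructed: the same branch after hardening.
HARDENED = {
    "required_status_checks": {"strict": True, "contexts": ["ci"]},
    "required_signatures": {"enabled": True},
    "enforce_admins": {"enabled": True},
    "allow_force_pushes": {"enabled": False},
    "allow_deletions": {"enabled": False},
    "required_pull_request_reviews": {"required_approving_review_count": 1},
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{name}: {len(audit(cfg))} failed check(s)")
        for f in audit(cfg):
            print(f"  [{f['problem']}] {f['setting']} = {f['value']!r}: {f['fix']}")
```

Note that a missing sub-object (no `required_pull_request_reviews` at all) fails the check the same way an explicit `0` would, since a control that is absent is a control that is not enforced.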

Abandoning forked libraries

I see this so often. Something is broken or missing in a dependency, so you fork the dependency and add what you need. Unless you are going to maintain the dependency better than the main version, with more attention to security alerts and bugfixes, be wary of this. Set up alerts on the original repo to make sure you learn about any security issues.

Scan dependencies automatically

This is pretty well-known, but enable security alerts for dependencies with Dependabot and set up secret scans if that’s an option for you.

Multi-Factor Authentication

Not just on your account - you can mandate this across your entire organization by following this guide from Github’s docs: Requiring two-factor authentication in your organization. Furthermore, you should also mandate MFA on the Google domain (or whatever you use to administer your domain’s email addresses with) for your organization.

More intense Github official docs security things:

Great options if you have huge piles of money lying around. This one, on the other hand, is extremely cool and you should read it:

Phew. Have I converted you to my claim that Github repos are complicated to secure? Not yet? You want more of this? Your wish is my command!

Extra goodies

Not really security related, but you can mitigate spam by setting your email address to private. If you do this, Github will anonymize your email address in commits.

Otherwise, people can use this to generate leads for spam. Viz., this gnarly one-liner that makes me miss being a sysadmin:

This used to be OSINT gold, but I think Github has begun enabling anonymized email addresses by default. Oh well.

Also, be careful about storing your recovery codes on your local machine. Otherwise, malware on your machine can pwn your GitHub account using them!

Also also, Git itself can be vulnerable: https://github.blog/2022-10-18-git-security-vulnerabilities-announced/

So watch out for that! Mitigate it using typical “sysadmin mandates secure versioning” processes you use to keep other systems up to date.

Really, this is just the tip of the iceberg. Maybe this should have been more helpful. All I want to say is that there’s a lot of work involved in hardening Github repos!