Complete Git Security Guide 2024: Secure Repositories & Secret Management

Key Takeaways

Never commit secrets—use secret scanning.
Enable branch protection for critical branches.
Use signed commits for authenticity.

Git hooks can enforce security checks.
Require code review via pull requests.
Regularly audit repository access.

1. Git Security Basics
2. Secret Management
3. Branch Protection
4. Commit Signing

5. Git Hooks
6. Access Control
7. Security Scanning
8. Frequently Asked Questions

1. Git Security Basics

Git repositories often contain not just code but valuable intellectual property, infrastructure configurations, and unfortunately, sometimes secrets. Securing your repositories is critical for protecting your organization's assets and preventing breaches.

Git's distributed nature means security must cover local repositories, remotes (GitHub, GitLab, Bitbucket), and the collaboration workflow between them.

2. Secret Management

2.1 Never Commit Secrets

# Common secrets accidentally committed:
- API keys
- Database passwords
- Private keys
- AWS credentials
- OAuth tokens
- .env files

# Use .gitignore to prevent committing:
.env
*.pem
*.key
secrets.json
credentials.yml

2.2 Secret Scanning Tools

Tool	Type	Use Case
git-secrets	Pre-commit hook	Prevent secret commits
truffleHog	Scanner	Find secrets in history
GitLeaks	Scanner	CI/CD integration
GitHub Secret Scanning	Platform	Automatic detection

Secrets in Git History

Deleting a secret from current code doesn't remove it from Git history. Anyone who clones the repo can find it. You must rewrite history (git filter-branch or BFG Repo-Cleaner) AND rotate the compromised credential immediately.

2.3 Removing Secrets from History

# Using BFG Repo-Cleaner (recommended)
bfg --replace-text passwords.txt repo.git

# Using git filter-repo
git filter-repo --replace-text expressions.txt

# ALWAYS rotate the exposed credential immediately
# History rewriting doesn't prevent access to stale clones

3. Branch Protection

# Recommended branch protection rules (GitHub):
✅ Require pull request reviews (2+ reviewers for main)
✅ Dismiss stale reviews when new commits pushed
✅ Require status checks to pass before merging
✅ Require branches to be up to date
✅ Require signed commits (optional but recommended)
✅ Include administrators in rules
✅ Restrict who can push to matching branches

4. Commit Signing

4.1 GPG Signing Setup

# Generate GPG key
gpg --full-generate-key

# Configure Git to use key
git config --global user.signingkey YOUR_KEY_ID
git config --global commit.gpgsign true

# Sign a commit
git commit -S -m "Signed commit"

# Verify signatures
git log --show-signature

4.2 SSH Signing (Newer)

# Configure SSH signing (Git 2.34+)
git config --global gpg.format ssh
git config --global user.signingkey ~/.ssh/id_ed25519.pub
git config --global commit.gpgsign true

5. Git Hooks

5.1 Pre-commit Hook Example

#!/bin/sh
# .git/hooks/pre-commit

# Check for secrets
if git-secrets --scan; then
    echo "No secrets found"
else
    echo "Secrets detected! Commit blocked."
    exit 1
fi

# Run linter
npm run lint || exit 1

# Run tests
npm test || exit 1

5.2 Pre-push Hook

#!/bin/sh
# .git/hooks/pre-push

# Prevent push to main directly
protected_branch='main'
current_branch=$(git symbolic-ref HEAD | sed -e 's,.*/\(.*\),\1,')

if [ "$current_branch" = "$protected_branch" ]; then
    echo "Direct push to $protected_branch blocked. Use pull request."
    exit 1
fi

6. Access Control

Principle of Least Privilege: Minimum necessary access
Regular Audits: Review who has access quarterly
Remove Inactive Users: Offboard promptly
Use Teams/Groups: Manage permissions at group level
Protect Deploy Keys: Limit permissions, rotate regularly

7. Security Scanning

# Integrate in CI/CD pipeline:

# Secret scanning
- name: Run GitLeaks
  uses: gitleaks/gitleaks-action@v2

# Dependency scanning
- name: Run Snyk
  uses: snyk/actions/node@master

# SAST (Static Analysis)
- name: Run Semgrep
  uses: returntocorp/semgrep-action@v1

Shift Left Security

Catch security issues early in development when they're cheapest to fix. Pre-commit hooks, IDE plugins, and CI/CD scanning prevent vulnerabilities from reaching production. The earlier you find issues, the faster and cheaper the fix.

8. Frequently Asked Questions

I committed a secret—what do I do?

1. Rotate the credential IMMEDIATELY. 2. Remove from Git history using BFG or filter-repo. 3. Force push (coordinate with team). 4. Ensure all clones are updated. The rotation is most critical—assume the secret is compromised.

Should all developers sign commits?

Ideally, yes. Signed commits verify authorship and prevent impersonation. Start with enforcing for admins and sensitive repos, then expand. Modern SSH signing makes this easier than traditional GPG signing.

Conclusion

Git security requires attention to secrets, access control, and workflow protection. Never commit secrets, enable branch protection, consider commit signing, and integrate security scanning into CI/CD. Regular access audits and developer training complete the security posture. Treat your repositories as you would any production system.

Continue Learning:
DevSecOps Guide CI/CD Security