Skip to main content

Git Introduction

Git serves as the foundation of modern software development workflows, enabling distributed version control, collaboration, and code review processes that are essential for DevSecOps practices.

Git in DevSecOps Context

Version control is not just about tracking code changes. In DevSecOps, Git repositories become the single source of truth for application code, infrastructure definitions, configuration files, and security policies.

Source Control Security: Protect repositories with branch protection rules, required code reviews, and status checks. Never commit sensitive data like passwords, API keys, or private certificates to version control. Use pre-commit hooks to scan for secrets before they enter the repository.

Branching Strategies: Implement branching strategies that support security reviews and testing. Feature branches enable isolated development, while protected main branches ensure all changes undergo review and automated testing before integration. Consider trunk-based development for faster feedback loops or GitFlow for more structured release management.

Code Review Process: Mandatory code reviews serve as security checkpoints where peers examine code for vulnerabilities, logic errors, and compliance with security standards. Pull requests should include security-focused checklists covering input validation, authentication, authorization, and data handling.

Commit Signing: Use GPG keys to cryptographically sign commits, verifying author identity and ensuring commit integrity. Signed commits prevent impersonation and detect tampering with repository history.

Audit Trails: Git history provides comprehensive audit trails showing who made what changes, when, and why. Detailed commit messages and linked issue tracking create documentation that supports compliance requirements and incident investigations.

Git Workflow Integration

Continuous Integration Triggers: Git webhooks trigger CI/CD pipelines automatically when code is pushed or pull requests are opened. Pipelines run automated tests, security scans, and quality checks before code can be merged.

GitOps Practices: Extend Git workflows to infrastructure and deployment management. Store Kubernetes manifests, Terraform configurations, and Ansible playbooks in Git repositories. Changes to these files trigger automated deployments, ensuring infrastructure matches declared state.

Artifact Traceability: Link build artifacts and container images back to specific Git commits. This traceability enables reproducing any deployment, investigating production issues, and rolling back problematic changes.

Environment Promotion: Use Git branches or repositories to represent different environments. Promote code through development, staging, and production by merging branches or updating references, creating clear promotion paths with review checkpoints.

Security Considerations

Access Control: Implement fine-grained repository access controls using teams and permissions. Limit write access to trusted developers while enabling read access for broader visibility. Require multi-factor authentication for all users with write access.

Secret Scanning: Enable automated secret scanning in repositories to detect accidentally committed credentials, tokens, or keys. Tools like GitHub Secret Scanning, GitLab Secret Detection, and git-secrets prevent sensitive data exposure.

Dependency Management: Store dependency manifests (package.json, requirements.txt, go.mod) in version control. Automated tools scan these files for vulnerable dependencies and create pull requests with security updates.

Repository Backup: Regularly backup repositories to separate locations. Backups protect against data loss from deletions, corruptions, or malicious activity. Test backup restoration procedures to ensure recovery capabilities.