Git Security Basics in CI/CD

Learn the security risks and protections for Git operations in CI/CD pipelines, including credential management, branch protection, signature verification, and auditing.

Who This Is For

  • Developers using Git in CI/CD pipelines
  • Readers who want to understand Git operation boundaries in automation

Prerequisites

  • Basic understanding of branch, commit, and push
  • Basic CI/CD concepts

Common Risks

  • Misusing GITHUB_TOKEN, leading to security issues
  • Not understanding the trade-off between shallow and partial clone

Overview

Git operations in CI/CD pipelines face different security risks than local development: automated execution, credential injection, and third-party dependencies all introduce new attack surfaces.

Core Risks

Risk                 | Description                            | Impact
---------------------|----------------------------------------|---------------------------------
Credential leak      | Token or key written to logs           | Malicious push to repo
Branch injection     | Attackers modify CI config via PR      | Pipeline executes malicious code
Dependency confusion | Third-party Action/Plugin steals data  | Credentials stolen
History tampering    | Force push overwrites shared history   | Code loss or injection

Credential Management

GitHub Actions

# Use Secrets, never hardcode
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Deploy
        env:
          # Injected from the repository/environment secrets store. GitHub masks
          # registered secret values in logs, but do not rely on that: never echo them.
          DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}
        run: ./deploy.sh

GitLab CI

# Use CI/CD Variables (mark DEPLOY_KEY as masked and protected in the project settings)
deploy:
  script:
    # DEPLOY_KEY holds the base64-encoded private key: decode it to a file
    # readable only by the job user, use it, then remove it (put the rm in
    # after_script if it must run even when the ssh step fails)
    - echo "$DEPLOY_KEY" | base64 -d > deploy_key
    - chmod 600 deploy_key
    - ssh -i deploy_key user@server "deploy"
    - rm -f deploy_key

Principle of Least Privilege

  • Use dedicated credentials per pipeline
  • Scope credentials to the smallest set of repos
  • Rotate credentials regularly
  • Never output credentials to logs
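"Never output credentials to logs" is easier to enforce with a gate than with discipline alone. The following POSIX shell snippet is an added example, not code from the original page: it scans a CI log for strings shaped like common Git/CI credentials (GitHub and GitLab tokens, AWS access key ids, PEM private key headers, and credentials embedded in clone URLs) and refuses to let the log through, and it can also redact such strings before the log is archived. The patterns are heuristics and the sample token values in the test are constructed, not real.

```shell
#!/bin/sh
# Credential-leak gate for CI logs (added example; heuristic patterns).
# The alternation covers: classic GitHub tokens (ghp_/gho_/ghu_/ghs_/ghr_),
# fine-grained GitHub PATs, GitLab project/personal access tokens, AWS access
# key ids, PEM private key headers, and user:password@ in a URL.
SECRET_PATTERNS='gh[pousr]_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{22,}|glpat-[A-Za-z0-9_-]{20}|AKIA[0-9A-Z]{16}|-----BEGIN (RSA |OPENSSH |EC |PGP )?PRIVATE KEY-----|https?://[^/@[:space:]]+:[^/@[:space:]]+@'

scan_log_for_secrets() {
  # $1: path to the log file.
  # Prints the line numbers of suspicious lines (never the lines themselves,
  # so the scanner cannot re-leak what it found).
  # Returns 1 if anything matched, 0 if the log looks clean.
  matches=$(grep -n -E "$SECRET_PATTERNS" "$1" | cut -d: -f1)
  if [ -n "$matches" ]; then
    printf '%s\n' "$matches"
    return 1
  fi
  return 0
}

redact_secrets() {
  # Filter: reads a log on stdin, writes it to stdout with every credential-
  # shaped substring replaced by [REDACTED]. Use before archiving the log.
  sed -E "s#$SECRET_PATTERNS#[REDACTED]#g"
}

# Typical CI use (commented out so the file is safe to source):
#   ./build.sh > build.log 2>&1
#   scan_log_for_secrets build.log || { echo "credential-shaped string in log, failing"; exit 1; }
#   redact_secrets < build.log > build.redacted.log
```

The gate prints only line numbers on purpose: a scanner that echoes the matched line would itself be the leak it is supposed to catch. Run it as a step that fails the job, so a leaked token is treated as an incident (rotate it) rather than as a cosmetic log problem.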

Branch Protection

Prevent Direct Push to Main

# GitHub branch protection rules
# - Require PR before merging
# - Require status checks to pass
# - Require signed commits

Restrict CI Triggers

# GitHub Actions - run only for pushes to main and for PRs targeting main.
# Under pull_request, a PR from a fork runs with a read-only GITHUB_TOKEN and
# without access to secrets, which limits what injected CI config can do.
on:
  pull_request:
    branches: [main]
  push:
    branches: [main]
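The branch-injection, dependency-confusion and GITHUB_TOKEN risks listed above all show up as a handful of patterns in the workflow file itself, so they can be checked in review or as a pre-merge step. The POSIX shell linter below is an added example, not tooling from the page or from GitHub: it runs line-oriented heuristics over a GitHub Actions workflow (no YAML parser needed) and flags a pull_request_target trigger, third-party actions not pinned to a full commit SHA, a missing permissions block, and a secret interpolated into an echo. The workflow files in the test are constructed samples.

```shell
#!/bin/sh
# Heuristic workflow linter (added example). Prints one finding per line and
# returns the number of findings as its exit status (0 = nothing flagged).
lint_workflow() {
  f=$1
  findings=0

  # 1. pull_request_target runs in the base repository's context, with a
  #    writable GITHUB_TOKEN and secrets, even for PRs from forks.
  if grep -q 'pull_request_target' "$f"; then
    echo "trigger: pull_request_target gives PR-triggered runs a writable token and secrets; never check out or execute PR-controlled code under it"
    findings=$((findings + 1))
  fi

  # 2. 'uses:' references not pinned to a 40-hex commit SHA resolve a mutable
  #    tag or branch, so a compromised third-party action is picked up silently.
  unpinned=$(grep -E 'uses:[[:space:]]*[^[:space:]]+@' "$f" \
    | grep -v -E '@[0-9a-f]{40}([[:space:]]|$)' \
    | sed -E -e 's/^[[:space:]]*(- )?uses:[[:space:]]*//' -e 's/[[:space:]]+#.*$//')
  for a in $unpinned; do
    echo "supply chain: $a is pinned to a mutable tag or branch; pin it to a commit SHA"
    findings=$((findings + 1))
  done

  # 3. Without a permissions block, GITHUB_TOKEN gets the repository default
  #    rather than the least privilege the jobs actually need.
  if ! grep -q -E '^[[:space:]]*permissions:' "$f"; then
    echo "token: no permissions block; GITHUB_TOKEN falls back to the repository default, declare the minimum the jobs need"
    findings=$((findings + 1))
  fi

  # 4. A secret interpolated into echo ends up in the job log.
  if grep -q -E 'echo.*\$\{\{[[:space:]]*secrets\.' "$f"; then
    echo "logging: a secret is echoed; platform masking is best effort, do not print secrets"
    findings=$((findings + 1))
  fi

  return "$findings"
}

# Typical use (commented out so the file is safe to source):
#   for wf in .github/workflows/*.yml; do lint_workflow "$wf" || echo "$wf: $? finding(s)"; done
```

The checks are deliberately line-based and will over-flag in edge cases (a quoted `uses:` value, a job-level `permissions:` that does not cover every job); treat the output as review prompts rather than a verdict.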

Signature Verification

# Verify commit signatures in CI
jobs:
  verify:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Verify commits
        run: |
          # --show-signature only prints the result and never fails the job;
          # verify-commit exits non-zero when the signature is missing or not
          # trusted. The signers' public keys must already be in the runner's keyring.
          git log --show-signature -1
          git verify-commit HEAD
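Checking only the newest commit leaves every other commit in a PR unverified, and a runner that imported the signers' public keys without marking them trusted reports "good but untrusted" rather than "good". The POSIX shell function below is an added example, not part of the page: it consumes git's `%H %G?` output for a whole commit range (G = good, U = good but key not trusted, B = bad, X/Y = expired signature/key, R = revoked key, E = cannot check, N = unsigned) and fails unless every commit passes the chosen policy. The status lines fed to it in the test are constructed; in CI they come from `git log`.

```shell
#!/bin/sh
# Signature gate over a commit range (added example).
# Reads "<sha> <status>" lines, the output of
#   git log --format='%H %G?' "origin/main..HEAD"
# from stdin. Prints each rejected commit and returns 1 if any commit is rejected.
# $1: "yes" to accept 'U' (good signature, signer key imported but not marked
#     trusted, the usual state on a fresh CI runner), anything else is strict.
require_good_signatures() {
  allow_untrusted=${1:-no}
  bad=0
  while read -r sha status; do
    [ -n "$sha" ] || continue
    case "$status" in
      G) ;;
      U)
        if [ "$allow_untrusted" != "yes" ]; then
          echo "reject $sha: good signature but key not trusted"
          bad=$((bad + 1))
        fi ;;
      N) echo "reject $sha: unsigned";                        bad=$((bad + 1)) ;;
      E) echo "reject $sha: cannot verify (signer key missing)"; bad=$((bad + 1)) ;;
      B) echo "reject $sha: BAD signature";                   bad=$((bad + 1)) ;;
      *) echo "reject $sha: signature status $status";       bad=$((bad + 1)) ;;
    esac
  done
  [ "$bad" -eq 0 ]
}

# Typical CI use (commented out so the file is safe to source). Note that
# actions/checkout@v4 clones shallow by default (fetch-depth: 1), so a range
# like origin/main..HEAD needs fetch-depth: 0 or an explicit fetch first:
#   git log --format='%H %G?' "origin/main..HEAD" | require_good_signatures yes
```

Prefer importing the allowed signers' keys into the runner explicitly and keeping the strict policy; accept U only when you control the key import step and know why the keys are not marked trusted.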

Audit Trail

  • Enable Git operation audit logs (supported by GitHub/GitLab)
  • Log all Git operations triggered by CI
  • Review CI config modification permissions regularly

Continue Learning

  1. ci-cd/jenkins-integration — Jenkins Git integration
  2. security/ssh-key-management — SSH key management
  3. security/credential-helper — Git credential helpers