DevOps
Git Security Basics in CI/CD
Learn the security risks and protections for Git operations in CI/CD pipelines, including credential management, branch protection, signature verification, and auditing.
- Developers using Git in CI/CD pipelines and IDE integrations
- Readers who want to understand Git operation boundaries in automation
- Basic understanding of branch, commit, and push
- Basic CI/CD concepts
- Misusing GITHUB_TOKEN causing security issues
- Not understanding the trade-off between shallow and partial clone
- Relying on IDE operations without understanding underlying Git behavior
What you will learn
- Understand the core purpose of Git Security Basics in CI/CD
- Master the basic usage and common options of Git Security Basics in CI/CD
- Learn the security risks and protections for Git operations in CI/CD pipelines, including credential management, branch protection, signature verification, and auditing.
- Understand key concepts: Overview
- Know when to use this feature and when to avoid it
Start with a problem
Your team is adopting CI/CD pipelines, or you're configuring Git integration in your IDE — but you're unsure how Git behaves differently in automated environments compared to local manual operations.
Overview
Git operations in CI/CD pipelines face different security risks than local development: automated execution, credential injection, and third-party dependencies all introduce new attack surfaces.
Core Risks
| Risk | Description | Impact |
|---|---|---|
| Credential leak | Token or key written to logs | Malicious push to repo |
| Branch injection | Attackers modify CI config via PR | Pipeline executes malicious code |
| Dependency confusion | Third-party Action/Plugin steals data | Credentials stolen |
| History tampering | Force push overwrites shared history | Code loss or injection |
Credential Management
GitHub Actions
# Use Secrets, never hardcode
jobs:
deploy:
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Deploy
env:
DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}
run: ./deploy.sh
GitLab CI
# Use CI/CD Variables
deploy:
script:
- echo "$DEPLOY_KEY" | base64 -d > deploy_key
- chmod 600 deploy_key
- ssh -i deploy_key user@server "deploy"
Principle of Least Privilege
- Use dedicated credentials per pipeline
- Scope credentials to the smallest set of repos
- Rotate credentials regularly
- Never output credentials to logs
Branch Protection
Prevent Direct Push to Main
# GitHub branch protection rules
# - Require PR before merging
# - Require status checks to pass
# - Require signed commits
Restrict CI Triggers
# GitHub Actions - only trusted PRs
on:
pull_request:
branches: [main]
push:
branches: [main]
Signature Verification
# Verify commit signatures in CI
jobs:
verify:
steps:
- uses: actions/checkout@v4
- name: Verify commits
run: |
git log --show-signature -1
Audit Trail
- Enable Git operation audit logs (supported by GitHub/GitLab)
- Log all Git operations triggered by CI
- Review CI config modification permissions regularly
Try it yourself
- Practice the ci-security-basics command in a test repository and observe state changes before and after
- Experiment with different options and compare the output differences
- Simulate a real scenario where you would need to use this, and walk through the full process
Continue Learning
ci-cd/jenkins-integration— Jenkins Git integrationsecurity/ssh-key-management— SSH key managementsecurity/credential-helper— Git credential helpers