
Git Hardening for DevSecOps

Table of contents

  1. Enable GPG signature verification
  2. Set a strong passphrase for GPG key
  3. Use HTTPS instead of SSH for remote repositories
  4. Enable two-factor authentication
  5. Set Git to ignore file mode changes
  6. Configure Git to use a credential helper
  7. Use signed commits
  8. Set Git to automatically prune stale remote-tracking branches
  9. Set Git to always rebase instead of merge when pulling
  10. Use Git’s ignore feature to exclude sensitive files

List of some best practices to harden Git for DevSecOps

Enable GPG signature verification

git config --global commit.gpgsign true

Set a strong passphrase for GPG key

gpg --edit-key <key-id> and then use the passwd command to set a strong passphrase (where <key-id> is the fingerprint or ID of your signing key)

Use HTTPS instead of SSH for remote repositories

git config --global url."https://".insteadOf git://

This rule rewrites remotes that use the git:// protocol, which is neither encrypted nor authenticated, to HTTPS; remotes already using ssh:// or git@ URLs are left unchanged.

Enable two-factor authentication

Enable it through the Git service provider’s website

Set Git to ignore file mode changes

git config --global core.fileMode false

Configure Git to use a credential helper

git config --global credential.helper <helper> where <helper> is the name of the credential helper (e.g., manager, store). Note that the store helper writes credentials unencrypted to ~/.git-credentials, so prefer a helper backed by the OS keychain or a credential manager where one is available.

Use signed commits

git commit -S

or

git config --global commit.gpgsign true

Set Git to automatically prune stale remote-tracking branches

git config --global fetch.prune true

Set Git to always rebase instead of merge when pulling

git config --global pull.rebase true

Use Git’s ignore feature to exclude sensitive files

Add files or file patterns to the .gitignore file. This only prevents untracked files from being staged; anything already committed stays in the repository and its history until it is removed separately.
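To check that the settings above actually landed in a config file, here is an added audit script (not part of this page) that reads a Git config file directly, so it runs without git installed, and reports which of the recommended settings are missing, wrong, or weak; the section/key names and the sample config are the page's settings, the SAMPLE_CONFIG content is constructed.

```python
"""Audit a Git config file for the hardening settings listed on this page."""
import configparser

# (section, key) -> expected value, in git's config file layout.
EXPECTED = {
    ("commit", "gpgsign"): "true",              # signed commits
    ("core", "filemode"): "false",              # ignore file mode changes
    ("fetch", "prune"): "true",                 # prune stale remote-tracking branches
    ("pull", "rebase"): "true",                 # rebase instead of merge when pulling
    ('url "https://"', "insteadof"): "git://",  # rewrite git:// remotes to https://
}


def parse_gitconfig(text):
    # Git config is INI-like; keys are case-insensitive and may repeat, so
    # disable strict mode and let configparser lowercase the keys. Leading
    # whitespace is stripped so git's tab-indented keys are not read as
    # continuation lines.
    flat = "\n".join(line.strip() for line in text.splitlines())
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.read_string(flat)
    return parser


def audit_gitconfig(text):
    """Return a sorted list of findings; an empty list means every check passed."""
    cfg = parse_gitconfig(text)
    findings = []
    for (section, key), want in EXPECTED.items():
        got = cfg.get(section, key, fallback=None)
        if got is None:
            findings.append(f"missing: {section}.{key} should be {want}")
        elif got.strip().lower() != want:
            findings.append(f"wrong value: {section}.{key} is {got!r}, expected {want!r}")
    helper = cfg.get("credential", "helper", fallback=None)
    if helper is None:
        findings.append("missing: credential.helper is not configured")
    elif helper.strip().lower() == "store":
        # the 'store' helper keeps credentials unencrypted in ~/.git-credentials
        findings.append("weak: credential.helper=store keeps credentials in plaintext on disk")
    return sorted(findings)


# Constructed sample config (not a real user's file): only partially hardened.
SAMPLE_CONFIG = """\
[user]
\tname = Example Dev
[commit]
\tgpgsign = true
[core]
\tfileMode = true
[credential]
\thelper = store
[fetch]
\tprune = true
"""

if __name__ == "__main__":
    for line in audit_gitconfig(SAMPLE_CONFIG) or ["all checks passed"]:
        print(line)
```

Point it at ~/.gitconfig (or the output of `git config --global --list` reshaped into file form) to audit a real machine.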