SKILL.md
readonly只读
name
git-security-2025
description
Git security best practices for 2025 including signed commits, zero-trust workflows, secret scanning, and verification
🚨 CRITICAL GUIDELINES
Windows File Path Requirements
MANDATORY: Always Use Backslashes on Windows for File Paths
When using Edit or Write tools on Windows, you MUST use backslashes (\) in file paths, NOT forward slashes (/).
Examples:
- ❌ WRONG:
D:/repos/project/file.tsx - ✅ CORRECT:
D:\repos\project\file.tsx
This applies to:
- Edit tool file_path parameter
- Write tool file_path parameter
- All file operations on Windows systems
Documentation Guidelines
NEVER create new documentation files unless explicitly requested by the user.
- Priority: Update existing README.md files rather than creating new documentation
- Repository cleanliness: Keep repository root clean - only README.md unless user requests otherwise
- Style: Documentation should be concise, direct, and professional - avoid AI-generated tone
- User preference: Only create additional .md files when user specifically asks for documentation
Git Security Best Practices 2025
Zero-Trust Security Model (2025 Standard)
What: Every developer identity must be authenticated and authorized explicitly. All Git operations are logged, signed, and continuously monitored.
Core Principles:
- Never trust, always verify - Every commit verified
- Least privilege access - Minimal permissions required
- Continuous monitoring - All operations logged and audited
- Assume breach - Defense in depth strategies
Implementing Zero-Trust for Git
1. Mandatory Signed Commits:
# Global requirement
git config --global commit.gpgsign true
git config --global tag.gpgsign true
# Enforce via branch protection (GitHub/GitLab/Azure DevOps)
# Repository Settings → Branches → Require signed commits
2. Identity Verification:
# Every commit must verify identity
git log --show-signature -10
# Reject unsigned commits in CI/CD
# .github/workflows/verify.yml
- name: Verify all commits are signed
run: |
git log --pretty="%H" origin/main..HEAD | while read commit; do
if ! git verify-commit "$commit" 2>/dev/null; then
echo "ERROR: Unsigned commit $commit"
exit 1
fi
done
3. Continuous Audit Logging:
# Enable Git audit trail
git config --global alias.audit 'log --all --pretty="%H|%an|%ae|%ad|%s|%GK" --date=iso'
# Export audit log
git audit > git-audit.log
# Monitor for suspicious activity
git log --author="*" --since="24 hours ago" --pretty=format:"%an %ae %s"
4. Least Privilege Access:
# GitHub branch protection (zero-trust model)
branches:
main:
protection_rules:
required_pull_request_reviews: true
dismiss_stale_reviews: true
require_code_owner_reviews: true
required_approving_review_count: 2
require_signed_commits: true
enforce_admins: true
restrictions:
users: [] # No direct push
teams: ["security-team"]
5. Continuous Monitoring:
# Monitor all repository changes
# .github/workflows/security-monitor.yml
name: Security Monitoring
on: [push, pull_request]
jobs:
monitor:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Check for unsigned commits
run: git verify-commit HEAD || echo "::warning::Unsigned commit detected"
- name: Scan for secrets
run: gitleaks detect --exit-code 1
- name: Check commit author
run: |
AUTHOR=$(git log -1 --format='%an <%ae>')
echo "Commit by: $AUTHOR"
# Log to SIEM/security monitoring
Signed Commits (Mandatory in 2025)
Why: Cryptographically verify commit authorship, prevent impersonation, ensure audit trail.
Industry Trend: Signed commits increasingly required in 2025 workflows.
GPG Signing (Traditional)
Setup:
# Generate GPG key
gpg --full-generate-key
# Choose: RSA and RSA, 4096 bits, expires in 2y
# List keys
gpg --list-secret-keys --keyid-format=long
# Example output:
# sec rsa4096/ABC123DEF456 2025-01-15 [SC] [expires: 2027-01-15]
# uid [ultimate] Your Name <your.email@example.com>
# ssb rsa4096/GHI789JKL012 2025-01-15 [E] [expires: 2027-01-15]
# Configure Git
git config --global user.signingkey ABC123DEF456
git config --global commit.gpgsign true
git config --global tag.gpgsign true
# Export public key for GitHub/GitLab
gpg --armor --export ABC123DEF456
# Copy output and add to GitHub/GitLab/Bitbucket
# Sign commits
git commit -S -m "feat: add authentication"
# Verify signatures
git log --show-signature
git verify-commit HEAD
git verify-tag v1.0.0
Troubleshooting:
# GPG agent not running
export GPG_TTY=$(tty)
echo 'export GPG_TTY=$(tty)' >> ~/.bashrc
# Cache passphrase longer
echo 'default-cache-ttl 34560000' >> ~/.gnupg/gpg-agent.conf
echo 'max-cache-ttl 34560000' >> ~/.gnupg/gpg-agent.conf
gpg-connect-agent reloadagent /bye
# Test signing
echo "test" | gpg --clearsign
SSH Signing (Modern Alternative - 2023+)
Why SSH: Simpler, reuse existing SSH keys, no GPG required.
Setup:
# Check if SSH key exists
ls -la ~/.ssh/id_ed25519.pub
# Generate if needed
ssh-keygen -t ed25519 -C "your.email@example.com"
# Configure Git to use SSH signing
git config --global gpg.format ssh
git config --global user.signingkey ~/.ssh/id_ed25519.pub
git config --global commit.gpgsign true
# Add public key to GitHub
cat ~/.ssh/id_ed25519.pub
# GitHub Settings → SSH and GPG keys → New SSH key → Key type: Signing Key
# Sign commits (automatic with commit.gpgsign=true)
git commit -m "feat: add feature"
# Verify
git log --show-signature
Configure allowed signers file (for verification):
# Create allowed signers file
echo "your.email@example.com $(cat ~/.ssh/id_ed25519.pub)" > ~/.ssh/allowed_signers
# Configure Git
git config --global gpg.ssh.allowedSignersFile ~/.ssh/allowed_signers
# Verify commits
git verify-commit HEAD
Secret Scanning & Prevention
GitHub Secret Scanning (Push Protection)
Enable in repository:
- Settings → Code security → Secret scanning → Enable
- Enable push protection (blocks secrets at push time)
AI-powered detection (2025):
- AWS credentials
- Azure service principals
- Google Cloud keys
- GitHub tokens
- Database connection strings
- API keys (OpenAI, Stripe, Anthropic, etc.)
- Private keys
- OAuth tokens
- Custom patterns
Example blocked push:
$ git push
remote: error: GH013: Repository rule violations found for refs/heads/main.
remote:
remote: - Push cannot contain secrets
remote:
remote: Resolve the following violations before pushing again
remote:
remote: — AWS Access Key
remote: locations:
remote: - config.py:12
remote:
remote: (Disable push protection: https://github.com/settings/security_analysis)
remote:
To github.com:user/repo.git
! [remote rejected] main -> main (push declined due to repository rule violations)
Fix:
# Remove secret from file
# Use environment variable instead
echo "AWS_ACCESS_KEY=your_key" >> .env
echo ".env" >> .gitignore
# Remove from history if already committed
git rm --cached config.py
git commit -m "Remove secrets"
# If in history, use filter-repo
git filter-repo --path config.py --invert-paths
git push --force
Gitleaks (Local Scanning)
Install:
# macOS
brew install gitleaks
# Linux
wget https://github.com/gitleaks/gitleaks/releases/download/v8.18.0/gitleaks_8.18.0_linux_x64.tar.gz
tar -xzf gitleaks_8.18.0_linux_x64.tar.gz
sudo mv gitleaks /usr/local/bin/
# Windows
choco install gitleaks
Usage:
# Scan entire repository
gitleaks detect
# Scan uncommitted changes
gitleaks protect
# Scan specific directory
gitleaks detect --source ./src
# Generate report
gitleaks detect --report-format json --report-path gitleaks-report.json
# Use in CI/CD
gitleaks detect --exit-code 1
Pre-commit hook:
# .git/hooks/pre-commit
#!/bin/bash
gitleaks protect --staged --verbose
if [ $? -ne 0 ]; then
echo "⚠️ Gitleaks detected secrets. Commit blocked."
exit 1
fi
Git-secrets (AWS-focused)
# Install
brew install git-secrets # macOS
# or
git clone https://github.com/awslabs/git-secrets.git
cd git-secrets
sudo make install
# Initialize in repository
git secrets --install
git secrets --register-aws
# Add custom patterns
git secrets --add 'password\s*=\s*[^\s]+'
git secrets --add 'api[_-]?key\s*=\s*[^\s]+'
# Scan
git secrets --scan
git secrets --scan-history
Enforce Signed Commits
Branch Protection Rules
GitHub:
Repository → Settings → Branches → Branch protection rules
☑ Require signed commits
☑ Require linear history
☑ Require status checks to pass
GitLab:
Repository → Settings → Repository → Protected branches
☑ Allowed to push: No one
☑ Allowed to merge: Maintainers
☑ Require all commits be signed
Azure DevOps:
Branch Policies → Add policy → Require signed commits
Pre-receive Hook (Server-side enforcement)
#!/bin/bash
# .git/hooks/pre-receive (on server)
zero_commit="0000000000000000000000000000000000000000"
while read oldrev newrev refname; do
# Skip branch deletion
if [ "$newrev" = "$zero_commit" ]; then
continue
fi
# Check all commits in push
for commit in $(git rev-list "$oldrev".."$newrev"); do
# Verify commit signature
if ! git verify-commit "$commit" 2>/dev/null; then
echo "Error: Commit $commit is not signed"
echo "All commits must be signed. Configure with:"
echo " git config commit.gpgsign true"
exit 1
fi
done
done
exit 0
Security Configuration
Recommended Git Config
# Enforce signed commits
git config --global commit.gpgsign true
git config --global tag.gpgsign true
# Use SSH signing (modern)
git config --global gpg.format ssh
git config --global user.signingkey ~/.ssh/id_ed25519.pub
# Security settings
git config --global protocol.version 2
git config --global transfer.fsckobjects true
git config --global fetch.fsckobjects true
git config --global receive.fsckobjects true
# Prevent credential leaks
git config --global credential.helper cache --timeout=3600
# Or use system credential manager
git config --global credential.helper wincred # Windows
git config --global credential.helper osxkeychain # macOS
# Line ending safety
git config --global core.autocrlf true # Windows
git config --global core.autocrlf input # macOS/Linux
# Editor safety (avoid nano/vim leaks)
git config --global core.editor "code --wait"
.gitignore Security
# Secrets
.env
.env.*
*.pem
*.key
*.p12
*.pfx
*_rsa
*_dsa
*_ecdsa
*_ed25519
credentials.json
secrets.yaml
config/secrets.yml
# Cloud provider
.aws/
.azure/
.gcloud/
gcloud-service-key.json
# Databases
*.sqlite
*.db
# Logs (may contain sensitive data)
*.log
logs/
# IDE secrets
.vscode/settings.json
.idea/workspace.xml
# Build artifacts (may contain embedded secrets)
dist/
build/
node_modules/
vendor/
Credential Management
SSH Keys
# Generate secure SSH key
ssh-keygen -t ed25519 -C "your.email@example.com" -f ~/.ssh/id_ed25519_work
# Use ed25519 (modern, secure, fast)
# Avoid RSA < 4096 bits
# Avoid DSA (deprecated)
# Configure SSH agent
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_ed25519_work
# Test connection
ssh -T git@github.com
# Use different keys for different services
# ~/.ssh/config
Host github.com
IdentityFile ~/.ssh/id_ed25519_github
Host gitlab.com
IdentityFile ~/.ssh/id_ed25519_gitlab
HTTPS Credentials
# Use credential manager (not plaintext!)
# Windows
git config --global credential.helper wincred
# macOS
git config --global credential.helper osxkeychain
# Linux (libsecret)
git config --global credential.helper /usr/share/git/credential/libsecret/git-credential-libsecret
# Cache for limited time (temporary projects)
git config --global credential.helper 'cache --timeout=3600'
Personal Access Tokens (PAT)
GitHub:
- Settings → Developer settings → Personal access tokens → Fine-grained tokens
- Set expiration (max 1 year)
- Minimum scopes needed
- Use for HTTPS authentication
Never commit tokens:
# Use environment variable
export GITHUB_TOKEN="ghp_xxxxxxxxxxxx"
git clone https://$GITHUB_TOKEN@github.com/user/repo.git
# Or use Git credential helper
gh auth login # GitHub CLI method
CodeQL & Security Scanning
GitHub CodeQL
.github/workflows/codeql.yml:
name: "CodeQL Security Scan"
on:
push:
branches: [ main, develop ]
pull_request:
branches: [ main ]
schedule:
- cron: '0 0 * * 1' # Weekly scan
jobs:
analyze:
name: Analyze
runs-on: ubuntu-latest
permissions:
security-events: write
contents: read
strategy:
fail-fast: false
matrix:
language: [ 'javascript', 'python', 'java' ]
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
queries: security-and-quality
- name: Autobuild
uses: github/codeql-action/autobuild@v3
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
with:
category: "/language:${{ matrix.language }}"
Detects:
- SQL injection
- XSS vulnerabilities
- Path traversal
- Command injection
- Insecure deserialization
- Authentication bypass
- Hardcoded secrets
Audit Trail
Enable detailed logging
# Log all Git operations
git config --global alias.ll 'log --all --graph --decorate --oneline --show-signature'
# Check commit verification
git log --show-signature -10
# Export audit log
git log --pretty=format:"%H,%an,%ae,%ad,%s" --date=iso > git-audit.csv
# Verify all commits in branch
git log --show-signature main..HEAD
Security Checklist
Repository Setup:
- ☑ Enable branch protection
- ☑ Require signed commits
- ☑ Enable secret scanning with push protection
- ☑ Enable CodeQL or similar scanning
- ☑ Configure Dependabot/Renovate
- ☑ Require 2FA for all contributors
Developer Workstation:
- ☑ Use GPG or SSH commit signing
- ☑ Configure credential manager (never plaintext)
- ☑ Install and configure gitleaks
- ☑ Create comprehensive .gitignore
- ☑ Enable fsckobjects for transfers
- ☑ Use SSH keys with passphrase
Workflow:
- ☑ Never commit secrets
- ☑ Review changes before commit
- ☑ Verify signatures on pull/merge
- ☑ Regular security audits
- ☑ Rotate credentials periodically
- ☑ Use environment variables for secrets
Incident Response
Secret leaked in commit:
# 1. Rotate compromised credentials IMMEDIATELY
# 2. Remove from latest commit (if not pushed)
git reset HEAD~1
# Edit files to remove secret
git add .
git commit -m "Remove secrets"
# 3. If pushed, remove from history
git filter-repo --path config/secrets.yml --invert-paths
git push --force
# 4. Notify team to re-clone
# 5. Enable push protection to prevent future leaks
Unsigned commits detected:
# Identify unsigned commits
git log --show-signature | grep "No signature"
# Re-sign commits (if you authored them)
git rebase --exec 'git commit --amend --no-edit -n -S' -i HEAD~10
# Force push (with team coordination)
git push --force-with-lease
Resources
You Might Also Like
Related Skills
create-pr
170Kdev-devops
Creates GitHub pull requests with properly formatted titles that pass the check-pr-title CI validation. Use when creating PRs, submitting changes for review, or when the user says /pr or asks to create a pull request.
n8n-io
electron-chromium-upgrade
120Kdev-devops
Guide for performing Chromium version upgrades in the Electron project. Use when working on the roller/chromium/main branch to fix patch conflicts during `e sync --3`. Covers the patch application workflow, conflict resolution, analyzing upstream Chromium changes, and proper commit formatting for patch fixes.
electron
pr-creator
92Kdev-devops
Use this skill when asked to create a pull request (PR). It ensures all PRs follow the repository's established templates and standards.
google-gemini
clawdhub
87Kdev-devops
Use the ClawdHub CLI to search, install, update, and publish agent skills from clawdhub.com. Use when you need to fetch new skills on the fly, sync installed skills to latest or a specific version, or publish new/updated skill folders with the npm-installed clawdhub CLI.
moltbottmux
87Kdev-devops
Remote-control tmux sessions for interactive CLIs by sending keystrokes and scraping pane output.
moltbot
create-pull-request
57Kdev-devops
Create a GitHub pull request following project conventions. Use when the user asks to create a PR, submit changes for review, or open a pull request. Handles commit analysis, branch management, and PR creation using the gh CLI tool.
cline