Your source-control system is one of the most sensitive links in your software development life cycle. It stores the software source code, build scripts, and IaC (Infrastructure as Code) scripts, and in some cases secrets and additional sensitive information. Thus, securing the source-control system should be one of your first steps in securing the software development environment.
Aiming to help protect the SCM, we developed GitGat. GitGat is a set of self-contained OPA (Open Policy Agent) policies written in Rego. The use of OPA enables multiple use cases, as part of other OPA-based tools or as stand-alone applications. GitGat evaluates the security settings of your SCM account and provides you with a status report and actionable recommendations. The status report can be generated in a human-readable form (MD file) for the security practitioner, or in a machine-readable form (JSON file), to support automated policy decisions and actions.
As GitHub is one of the world’s leading SCM systems we wanted that to be our starting point. We eventually aim to expand support to other SCM platforms.
GitGat currently supports evaluating the following policy families:
- Access control – prevent initial-access techniques based on credential theft.
- Validate that 2-factor authentication is enforced on your organization or its members, understanding who does not currently use 2FA.
- Validate that repository visibility is as planned.
- Validate control of deploy and SSH keys.
- Permissions – prevent attack steps that stem from excessive permissions execution, defense evasion, credential access,
- Map users with admin permissions
- Map team permissions and notify teams with admin permissions
- Branch Protection – prevent attack steps that exploit unintended and unpermitted repository modifications: execution, persistence, defense evasion, and impact
- Map protected and unprotected branches
- Map branch protection configuration – to understand which protections are in place (for example: enforcing reviews and signed commits, and preventing deletion of history).
- File Modification Tracking – prevent\detect attack steps that exploit file access permissions that are granted by default when using GitHub: execution, persistence, and defense evasion.
We are planning on adding secret scanning support utilizing open-source tools such as git-leaks.
As every security practitioner knows, security rules and policies are usually a basis for project-specific decisions. Each project comes with special conditions and constraints that require special approvals by an authorized stakeholder. To enable easy management of such special cases, GitGat supports managing a state. The state, a JSON object maintained by the user, can store such exceptions. This enables you to run a continuous scan of the security posture and only be alerted on what is new, or not included in your state.
Detailed threat analysis as to why we chose these issues as the starting point in improving the SCM’s security posture can be found in the README of the GitGat repository.
We invite everyone to give the project a try. Feel free to offer criticism, ideas, requests, or even help. There are many directions this project can grow into, and we’re excited to explore them with you.