⚠️

重要前提

安装AI Skills的关键前提是：必须科学上网，且开启TUN模式，这一点至关重要，直接决定安装能否顺利完成，在此郑重提醒三遍：科学上网，科学上网，科学上网。查看完整安装教程 →

Git安全最佳实践2025：零信任模型、签名提交与Windows路径规范

git-security-2025 by josiahsiegel/claude-plugin-marketplace

66 周安装量

21 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/josiahsiegel/claude-plugin-marketplace --skill git-security-2025

开发运维版本控制安全

🇨🇳中文介绍

🚨 关键准则

Windows 文件路径要求

强制规定：在 Windows 上始终对文件路径使用反斜杠

在 Windows 上使用编辑或写入工具时，您必须在文件路径中使用反斜杠 (\)，而不是正斜杠 (/)。

示例：

❌ 错误：D:/repos/project/file.tsx
✅ 正确：D:\repos\project\file.tsx

这适用于：

Edit 工具的 file_path 参数
Write 工具的 file_path 参数
Windows 系统上的所有文件操作

文档编写准则

除非用户明确要求，否则切勿创建新的文档文件。

优先级：更新现有的 README.md 文件，而不是创建新的文档
仓库整洁性：保持仓库根目录整洁 - 除非用户另有要求，否则只保留 README.md
风格：文档应简洁、直接且专业 - 避免 AI 生成的语气

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

Git 安全最佳实践 2025

零信任安全模型（2025 标准）

是什么： 每个开发者身份都必须经过明确的身份验证和授权。所有 Git 操作都会被记录、签名并持续监控。

永不信任，始终验证 - 每个提交都需验证
最小权限访问 - 仅授予所需的最小权限
持续监控 - 记录并审计所有操作
假设已被入侵 - 纵深防御策略

为 Git 实施零信任

1. 强制签名提交：

# 全局要求
git config --global commit.gpgsign true
git config --global tag.gpgsign true

# 通过分支保护强制执行（GitHub/GitLab/Azure DevOps）
# 仓库设置 → 分支 → 要求签名提交

2. 身份验证：

# 每个提交都必须验证身份
git log --show-signature -10

# 在 CI/CD 中拒绝未签名的提交
# .github/workflows/verify.yml
- name: Verify all commits are signed
  run: |
    git log --pretty="%H" origin/main..HEAD | while read commit; do
      if ! git verify-commit "$commit" 2>/dev/null; then
        echo "ERROR: Unsigned commit $commit"
        exit 1
      fi
    done

3. 持续审计日志记录：

# 启用 Git 审计追踪
git config --global alias.audit 'log --all --pretty="%H|%an|%ae|%ad|%s|%GK" --date=iso'

# 导出审计日志
git audit > git-audit.log

# 监控可疑活动
git log --author="*" --since="24 hours ago" --pretty=format:"%an %ae %s"

4. 最小权限访问：

# GitHub 分支保护（零信任模型）
branches:
  main:
    protection_rules:
      required_pull_request_reviews: true
      dismiss_stale_reviews: true
      require_code_owner_reviews: true
      required_approving_review_count: 2
      require_signed_commits: true
      enforce_admins: true
      restrictions:
        users: []  # 禁止直接推送
        teams: ["security-team"]

5. 持续监控：

# 监控所有仓库变更
# .github/workflows/security-monitor.yml
name: Security Monitoring
on: [push, pull_request]
jobs:
  monitor:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Check for unsigned commits
        run: git verify-commit HEAD || echo "::warning::Unsigned commit detected"

      - name: Scan for secrets
        run: gitleaks detect --exit-code 1

      - name: Check commit author
        run: |
          AUTHOR=$(git log -1 --format='%an <%ae>')
          echo "Commit by: $AUTHOR"
          # 记录到 SIEM/安全监控系统

签名提交（2025 年强制要求）

原因： 加密验证提交作者身份，防止冒名顶替，确保审计追踪。

行业趋势： 在 2025 年的工作流程中，签名提交的要求日益普遍。

GPG 签名（传统方式）

# 生成 GPG 密钥
gpg --full-generate-key
# 选择：RSA and RSA, 4096 位，2 年后过期

# 列出密钥
gpg --list-secret-keys --keyid-format=long

# 示例输出：
# sec   rsa4096/ABC123DEF456 2025-01-15 [SC] [expires: 2027-01-15]
# uid                 [ultimate] Your Name <your.email@example.com>
# ssb   rsa4096/GHI789JKL012 2025-01-15 [E] [expires: 2027-01-15]

# 配置 Git
git config --global user.signingkey ABC123DEF456
git config --global commit.gpgsign true
git config --global tag.gpgsign true

# 导出公钥以用于 GitHub/GitLab
gpg --armor --export ABC123DEF456
# 复制输出内容并添加到 GitHub/GitLab/Bitbucket

# 签名提交
git commit -S -m "feat: add authentication"

# 验证签名
git log --show-signature
git verify-commit HEAD
git verify-tag v1.0.0

# GPG 代理未运行
export GPG_TTY=$(tty)
echo 'export GPG_TTY=$(tty)' >> ~/.bashrc

# 延长密码短语缓存时间
echo 'default-cache-ttl 34560000' >> ~/.gnupg/gpg-agent.conf
echo 'max-cache-ttl 34560000' >> ~/.gnupg/gpg-agent.conf
gpg-connect-agent reloadagent /bye

# 测试签名
echo "test" | gpg --clearsign

SSH 签名（现代替代方案 - 2023+）

为何选择 SSH： 更简单，重用现有的 SSH 密钥，无需 GPG。

# 检查 SSH 密钥是否存在
ls -la ~/.ssh/id_ed25519.pub

# 如果需要则生成
ssh-keygen -t ed25519 -C "your.email@example.com"

# 配置 Git 使用 SSH 签名
git config --global gpg.format ssh
git config --global user.signingkey ~/.ssh/id_ed25519.pub
git config --global commit.gpgsign true

# 将公钥添加到 GitHub
cat ~/.ssh/id_ed25519.pub
# GitHub 设置 → SSH and GPG keys → New SSH key → Key type: Signing Key

# 签名提交（commit.gpgsign=true 时自动进行）
git commit -m "feat: add feature"

# 验证
git log --show-signature

配置允许的签名者文件（用于验证）：

# 创建允许的签名者文件
echo "your.email@example.com $(cat ~/.ssh/id_ed25519.pub)" > ~/.ssh/allowed_signers

# 配置 Git
git config --global gpg.ssh.allowedSignersFile ~/.ssh/allowed_signers

# 验证提交
git verify-commit HEAD

密钥扫描与预防

GitHub 密钥扫描（推送保护）

在仓库中启用：

设置 → 代码安全 → 密钥扫描 → 启用
启用推送保护（在推送时阻止密钥）

AI 驱动的检测（2025）：

AWS 凭证
Azure 服务主体
Google Cloud 密钥
GitHub 令牌
数据库连接字符串
API 密钥（OpenAI, Stripe, Anthropic 等）
私钥
OAuth 令牌
自定义模式

推送被阻止的示例：

$ git push
remote: error: GH013: Repository rule violations found for refs/heads/main.
remote:
remote: - Push cannot contain secrets
remote:
remote:   Resolve the following violations before pushing again
remote:
remote:   — AWS Access Key
remote:     locations:
remote:       - config.py:12
remote:
remote:   (Disable push protection: https://github.com/settings/security_analysis)
remote:
To github.com:user/repo.git
 ! [remote rejected] main -> main (push declined due to repository rule violations)

# 从文件中移除密钥
# 改用环境变量
echo "AWS_ACCESS_KEY=your_key" >> .env
echo ".env" >> .gitignore

# 如果已提交，则从历史记录中移除
git rm --cached config.py
git commit -m "Remove secrets"

# 如果在历史记录中，使用 filter-repo
git filter-repo --path config.py --invert-paths
git push --force

Gitleaks（本地扫描）

# macOS
brew install gitleaks

# Linux
wget https://github.com/gitleaks/gitleaks/releases/download/v8.18.0/gitleaks_8.18.0_linux_x64.tar.gz
tar -xzf gitleaks_8.18.0_linux_x64.tar.gz
sudo mv gitleaks /usr/local/bin/

# Windows
choco install gitleaks

# 扫描整个仓库
gitleaks detect

# 扫描未提交的更改
gitleaks protect

# 扫描特定目录
gitleaks detect --source ./src

# 生成报告
gitleaks detect --report-format json --report-path gitleaks-report.json

# 在 CI/CD 中使用
gitleaks detect --exit-code 1

预提交钩子：

# .git/hooks/pre-commit
#!/bin/bash
gitleaks protect --staged --verbose
if [ $? -ne 0 ]; then
    echo "⚠️  Gitleaks detected secrets. Commit blocked."
    exit 1
fi

Git-secrets（专注于 AWS）

# 安装
brew install git-secrets  # macOS
# 或
git clone https://github.com/awslabs/git-secrets.git
cd git-secrets
sudo make install

# 在仓库中初始化
git secrets --install
git secrets --register-aws

# 添加自定义模式
git secrets --add 'password\s*=\s*[^\s]+'
git secrets --add 'api[_-]?key\s*=\s*[^\s]+'

# 扫描
git secrets --scan
git secrets --scan-history

强制执行签名提交

Repository → Settings → Branches → Branch protection rules
☑ Require signed commits
☑ Require linear history
☑ Require status checks to pass

Repository → Settings → Repository → Protected branches
☑ Allowed to push: No one
☑ Allowed to merge: Maintainers
☑ Require all commits be signed

Branch Policies → Add policy → Require signed commits

预接收钩子（服务器端强制执行）

#!/bin/bash
# .git/hooks/pre-receive (on server)

zero_commit="0000000000000000000000000000000000000000"

while read oldrev newrev refname; do
  # 跳过分支删除
  if [ "$newrev" = "$zero_commit" ]; then
    continue
  fi

  # 检查推送中的所有提交
  for commit in $(git rev-list "$oldrev".."$newrev"); do
    # 验证提交签名
    if ! git verify-commit "$commit" 2>/dev/null; then
      echo "Error: Commit $commit is not signed"
      echo "All commits must be signed. Configure with:"
      echo "  git config commit.gpgsign true"
      exit 1
    fi
  done
done

exit 0

.gitignore 安全性

# 密钥
.env
.env.*
*.pem
*.key
*.p12
*.pfx
*_rsa
*_dsa
*_ecdsa
*_ed25519
credentials.json
secrets.yaml
config/secrets.yml

# 云提供商
.aws/
.azure/
.gcloud/
gcloud-service-key.json

# 数据库
*.sqlite
*.db

# 日志（可能包含敏感数据）
*.log
logs/

# IDE 密钥
.vscode/settings.json
.idea/workspace.xml

# 构建产物（可能包含嵌入式密钥）
dist/
build/
node_modules/
vendor/

# 生成安全的 SSH 密钥
ssh-keygen -t ed25519 -C "your.email@example.com" -f ~/.ssh/id_ed25519_work

# 使用 ed25519（现代、安全、快速）
# 避免使用小于 4096 位的 RSA
# 避免使用 DSA（已弃用）

# 配置 SSH 代理
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_ed25519_work

# 测试连接
ssh -T git@github.com

# 为不同服务使用不同的密钥
# ~/.ssh/config
Host github.com
  IdentityFile ~/.ssh/id_ed25519_github

Host gitlab.com
  IdentityFile ~/.ssh/id_ed25519_gitlab

# 使用凭证管理器（而非明文！）

# Windows
git config --global credential.helper wincred

# macOS
git config --global credential.helper osxkeychain

# Linux (libsecret)
git config --global credential.helper /usr/share/git/credential/libsecret/git-credential-libsecret

# 缓存有限时间（临时项目）
git config --global credential.helper 'cache --timeout=3600'

个人访问令牌（PAT）

设置 → 开发者设置 → 个人访问令牌 → 细粒度令牌
设置过期时间（最长 1 年）
仅授予所需的最小范围
用于 HTTPS 身份验证

切勿提交令牌：

# 使用环境变量
export GITHUB_TOKEN="ghp_xxxxxxxxxxxx"
git clone https://$GITHUB_TOKEN@github.com/user/repo.git

# 或使用 Git 凭证助手
gh auth login  # GitHub CLI 方法

CodeQL 与安全扫描

.github/workflows/codeql.yml：

name: "CodeQL Security Scan"

on:
  push:
    branches: [ main, develop ]
  pull_request:
    branches: [ main ]
  schedule:
    - cron: '0 0 * * 1'  # 每周扫描

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    permissions:
      security-events: write
      contents: read

    strategy:
      fail-fast: false
      matrix:
        language: [ 'javascript', 'python', 'java' ]

    steps:
    - name: Checkout repository
      uses: actions/checkout@v4

    - name: Initialize CodeQL
      uses: github/codeql-action/init@v3
      with:
        languages: ${{ matrix.language }}
        queries: security-and-quality

    - name: Autobuild
      uses: github/codeql-action/autobuild@v3

    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@v3
      with:
        category: "/language:${{ matrix.language }}"

SQL 注入
XSS 漏洞
路径遍历
命令注入
不安全的反序列化
身份验证绕过
硬编码密钥

启用详细日志记录

# 记录所有 Git 操作
git config --global alias.ll 'log --all --graph --decorate --oneline --show-signature'

# 检查提交验证
git log --show-signature -10

# 导出审计日志
git log --pretty=format:"%H,%an,%ae,%ad,%s" --date=iso > git-audit.csv

# 验证分支中的所有提交
git log --show-signature main..HEAD

☑ 启用分支保护
☑ 要求签名提交
☑ 启用密钥扫描并开启推送保护
☑ 启用 CodeQL 或类似扫描
☑ 配置 Dependabot/Renovate
☑ 要求所有贡献者启用 2FA

开发者工作站：

☑ 使用 GPG 或 SSH 提交签名
☑ 配置凭证管理器（切勿使用明文）
☑ 安装并配置 gitleaks
☑ 创建全面的 .gitignore
☑ 为传输启用 fsckobjects
☑ 使用带密码短语的 SSH 密钥

☑ 切勿提交密钥
☑ 提交前审查更改
☑ 在拉取/合并时验证签名
☑ 定期进行安全审计
☑ 定期轮换凭证
☑ 使用环境变量存储密钥

提交中泄露密钥：

# 1. 立即轮换已泄露的凭证
# 2. 从最新提交中移除（如果尚未推送）
git reset HEAD~1
# 编辑文件以移除密钥
git add .
git commit -m "Remove secrets"

# 3. 如果已推送，则从历史记录中移除
git filter-repo --path config/secrets.yml --invert-paths
git push --force

# 4. 通知团队重新克隆
# 5. 启用推送保护以防止未来泄露

检测到未签名提交：

# 识别未签名的提交
git log --show-signature | grep "No signature"

# 重新签名提交（如果是您创建的）
git rebase --exec 'git commit --amend --no-edit -n -S' -i HEAD~10

# 强制推送（需与团队协调）
git push --force-with-lease

🇺🇸English

🚨 CRITICAL GUIDELINES

Windows File Path Requirements

MANDATORY: Always Use Backslashes on Windows for File Paths

When using Edit or Write tools on Windows, you MUST use backslashes (\) in file paths, NOT forward slashes (/).

Examples:

❌ WRONG: D:/repos/project/file.tsx
✅ CORRECT: D:\repos\project\file.tsx

This applies to:

Edit tool file_path parameter
Write tool file_path parameter
All file operations on Windows systems

Documentation Guidelines

NEVER create new documentation files unless explicitly requested by the user.

Priority : Update existing README.md files rather than creating new documentation
Repository cleanliness : Keep repository root clean - only README.md unless user requests otherwise
Style : Documentation should be concise, direct, and professional - avoid AI-generated tone
User preference : Only create additional .md files when user specifically asks for documentation

Git Security Best Practices 2025

Zero-Trust Security Model (2025 Standard)

What: Every developer identity must be authenticated and authorized explicitly. All Git operations are logged, signed, and continuously monitored.

Core Principles:

Never trust, always verify - Every commit verified
Least privilege access - Minimal permissions required
Continuous monitoring - All operations logged and audited
Assume breach - Defense in depth strategies

Implementing Zero-Trust for Git

1. Mandatory Signed Commits:

# Global requirement
git config --global commit.gpgsign true
git config --global tag.gpgsign true

# Enforce via branch protection (GitHub/GitLab/Azure DevOps)
# Repository Settings → Branches → Require signed commits

2. Identity Verification:

# Every commit must verify identity
git log --show-signature -10

# Reject unsigned commits in CI/CD
# .github/workflows/verify.yml
- name: Verify all commits are signed
  run: |
    git log --pretty="%H" origin/main..HEAD | while read commit; do
      if ! git verify-commit "$commit" 2>/dev/null; then
        echo "ERROR: Unsigned commit $commit"
        exit 1
      fi
    done

3. Continuous Audit Logging:

# Enable Git audit trail
git config --global alias.audit 'log --all --pretty="%H|%an|%ae|%ad|%s|%GK" --date=iso'

# Export audit log
git audit > git-audit.log

# Monitor for suspicious activity
git log --author="*" --since="24 hours ago" --pretty=format:"%an %ae %s"

4. Least Privilege Access:

# GitHub branch protection (zero-trust model)
branches:
  main:
    protection_rules:
      required_pull_request_reviews: true
      dismiss_stale_reviews: true
      require_code_owner_reviews: true
      required_approving_review_count: 2
      require_signed_commits: true
      enforce_admins: true
      restrictions:
        users: []  # No direct push
        teams: ["security-team"]

5. Continuous Monitoring:

# Monitor all repository changes
# .github/workflows/security-monitor.yml
name: Security Monitoring
on: [push, pull_request]
jobs:
  monitor:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Check for unsigned commits
        run: git verify-commit HEAD || echo "::warning::Unsigned commit detected"

      - name: Scan for secrets
        run: gitleaks detect --exit-code 1

      - name: Check commit author
        run: |
          AUTHOR=$(git log -1 --format='%an <%ae>')
          echo "Commit by: $AUTHOR"
          # Log to SIEM/security monitoring

Signed Commits (Mandatory in 2025)

Why: Cryptographically verify commit authorship, prevent impersonation, ensure audit trail.

Industry Trend: Signed commits increasingly required in 2025 workflows.

GPG Signing (Traditional)

Setup:

# Generate GPG key
gpg --full-generate-key
# Choose: RSA and RSA, 4096 bits, expires in 2y

# List keys
gpg --list-secret-keys --keyid-format=long

# Example output:
# sec   rsa4096/ABC123DEF456 2025-01-15 [SC] [expires: 2027-01-15]
# uid                 [ultimate] Your Name <your.email@example.com>
# ssb   rsa4096/GHI789JKL012 2025-01-15 [E] [expires: 2027-01-15]

# Configure Git
git config --global user.signingkey ABC123DEF456
git config --global commit.gpgsign true
git config --global tag.gpgsign true

# Export public key for GitHub/GitLab
gpg --armor --export ABC123DEF456
# Copy output and add to GitHub/GitLab/Bitbucket

# Sign commits
git commit -S -m "feat: add authentication"

# Verify signatures
git log --show-signature
git verify-commit HEAD
git verify-tag v1.0.0

Troubleshooting:

# GPG agent not running
export GPG_TTY=$(tty)
echo 'export GPG_TTY=$(tty)' >> ~/.bashrc

# Cache passphrase longer
echo 'default-cache-ttl 34560000' >> ~/.gnupg/gpg-agent.conf
echo 'max-cache-ttl 34560000' >> ~/.gnupg/gpg-agent.conf
gpg-connect-agent reloadagent /bye

# Test signing
echo "test" | gpg --clearsign

SSH Signing (Modern Alternative - 2023+)

Why SSH: Simpler, reuse existing SSH keys, no GPG required.

Setup:

# Check if SSH key exists
ls -la ~/.ssh/id_ed25519.pub

# Generate if needed
ssh-keygen -t ed25519 -C "your.email@example.com"

# Configure Git to use SSH signing
git config --global gpg.format ssh
git config --global user.signingkey ~/.ssh/id_ed25519.pub
git config --global commit.gpgsign true

# Add public key to GitHub
cat ~/.ssh/id_ed25519.pub
# GitHub Settings → SSH and GPG keys → New SSH key → Key type: Signing Key

# Sign commits (automatic with commit.gpgsign=true)
git commit -m "feat: add feature"

# Verify
git log --show-signature

Configure allowed signers file (for verification):

# Create allowed signers file
echo "your.email@example.com $(cat ~/.ssh/id_ed25519.pub)" > ~/.ssh/allowed_signers

# Configure Git
git config --global gpg.ssh.allowedSignersFile ~/.ssh/allowed_signers

# Verify commits
git verify-commit HEAD

Secret Scanning & Prevention

GitHub Secret Scanning (Push Protection)

Enable in repository:

Settings → Code security → Secret scanning → Enable
Enable push protection (blocks secrets at push time)

AI-powered detection (2025):

AWS credentials
Azure service principals
Google Cloud keys
GitHub tokens
Database connection strings
API keys (OpenAI, Stripe, Anthropic, etc.)
Private keys
OAuth tokens
Custom patterns

Example blocked push:

$ git push
remote: error: GH013: Repository rule violations found for refs/heads/main.
remote:
remote: - Push cannot contain secrets
remote:
remote:   Resolve the following violations before pushing again
remote:
remote:   — AWS Access Key
remote:     locations:
remote:       - config.py:12
remote:
remote:   (Disable push protection: https://github.com/settings/security_analysis)
remote:
To github.com:user/repo.git
 ! [remote rejected] main -> main (push declined due to repository rule violations)

Fix:

# Remove secret from file
# Use environment variable instead
echo "AWS_ACCESS_KEY=your_key" >> .env
echo ".env" >> .gitignore

# Remove from history if already committed
git rm --cached config.py
git commit -m "Remove secrets"

# If in history, use filter-repo
git filter-repo --path config.py --invert-paths
git push --force

Gitleaks (Local Scanning)

Install:

# macOS
brew install gitleaks

# Linux
wget https://github.com/gitleaks/gitleaks/releases/download/v8.18.0/gitleaks_8.18.0_linux_x64.tar.gz
tar -xzf gitleaks_8.18.0_linux_x64.tar.gz
sudo mv gitleaks /usr/local/bin/

# Windows
choco install gitleaks

Usage:

# Scan entire repository
gitleaks detect

# Scan uncommitted changes
gitleaks protect

# Scan specific directory
gitleaks detect --source ./src

# Generate report
gitleaks detect --report-format json --report-path gitleaks-report.json

# Use in CI/CD
gitleaks detect --exit-code 1

Pre-commit hook:

# .git/hooks/pre-commit
#!/bin/bash
gitleaks protect --staged --verbose
if [ $? -ne 0 ]; then
    echo "⚠️  Gitleaks detected secrets. Commit blocked."
    exit 1
fi

Git-secrets (AWS-focused)

# Install
brew install git-secrets  # macOS
# or
git clone https://github.com/awslabs/git-secrets.git
cd git-secrets
sudo make install

# Initialize in repository
git secrets --install
git secrets --register-aws

# Add custom patterns
git secrets --add 'password\s*=\s*[^\s]+'
git secrets --add 'api[_-]?key\s*=\s*[^\s]+'

# Scan
git secrets --scan
git secrets --scan-history

Enforce Signed Commits

Branch Protection Rules

GitHub:

Repository → Settings → Branches → Branch protection rules
☑ Require signed commits
☑ Require linear history
☑ Require status checks to pass

GitLab:

Repository → Settings → Repository → Protected branches
☑ Allowed to push: No one
☑ Allowed to merge: Maintainers
☑ Require all commits be signed

Azure DevOps:

Branch Policies → Add policy → Require signed commits

Pre-receive Hook (Server-side enforcement)

#!/bin/bash
# .git/hooks/pre-receive (on server)

zero_commit="0000000000000000000000000000000000000000"

while read oldrev newrev refname; do
  # Skip branch deletion
  if [ "$newrev" = "$zero_commit" ]; then
    continue
  fi

  # Check all commits in push
  for commit in $(git rev-list "$oldrev".."$newrev"); do
    # Verify commit signature
    if ! git verify-commit "$commit" 2>/dev/null; then
      echo "Error: Commit $commit is not signed"
      echo "All commits must be signed. Configure with:"
      echo "  git config commit.gpgsign true"
      exit 1
    fi
  done
done

exit 0

Security Configuration

Recommended Git Config

# Enforce signed commits
git config --global commit.gpgsign true
git config --global tag.gpgsign true

# Use SSH signing (modern)
git config --global gpg.format ssh
git config --global user.signingkey ~/.ssh/id_ed25519.pub

# Security settings
git config --global protocol.version 2
git config --global transfer.fsckobjects true
git config --global fetch.fsckobjects true
git config --global receive.fsckobjects true

# Prevent credential leaks
git config --global credential.helper cache --timeout=3600
# Or use system credential manager
git config --global credential.helper wincred  # Windows
git config --global credential.helper osxkeychain  # macOS

# Line ending safety
git config --global core.autocrlf true  # Windows
git config --global core.autocrlf input  # macOS/Linux

# Editor safety (avoid nano/vim leaks)
git config --global core.editor "code --wait"

.gitignore Security

# Secrets
.env
.env.*
*.pem
*.key
*.p12
*.pfx
*_rsa
*_dsa
*_ecdsa
*_ed25519
credentials.json
secrets.yaml
config/secrets.yml

# Cloud provider
.aws/
.azure/
.gcloud/
gcloud-service-key.json

# Databases
*.sqlite
*.db

# Logs (may contain sensitive data)
*.log
logs/

# IDE secrets
.vscode/settings.json
.idea/workspace.xml

# Build artifacts (may contain embedded secrets)
dist/
build/
node_modules/
vendor/

Credential Management

SSH Keys

# Generate secure SSH key
ssh-keygen -t ed25519 -C "your.email@example.com" -f ~/.ssh/id_ed25519_work

# Use ed25519 (modern, secure, fast)
# Avoid RSA < 4096 bits
# Avoid DSA (deprecated)

# Configure SSH agent
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_ed25519_work

# Test connection
ssh -T git@github.com

# Use different keys for different services
# ~/.ssh/config
Host github.com
  IdentityFile ~/.ssh/id_ed25519_github

Host gitlab.com
  IdentityFile ~/.ssh/id_ed25519_gitlab

HTTPS Credentials

# Use credential manager (not plaintext!)

# Windows
git config --global credential.helper wincred

# macOS
git config --global credential.helper osxkeychain

# Linux (libsecret)
git config --global credential.helper /usr/share/git/credential/libsecret/git-credential-libsecret

# Cache for limited time (temporary projects)
git config --global credential.helper 'cache --timeout=3600'

Personal Access Tokens (PAT)

GitHub:

Settings → Developer settings → Personal access tokens → Fine-grained tokens
Set expiration (max 1 year)
Minimum scopes needed
Use for HTTPS authentication

Never commit tokens:

# Use environment variable
export GITHUB_TOKEN="ghp_xxxxxxxxxxxx"
git clone https://$GITHUB_TOKEN@github.com/user/repo.git

# Or use Git credential helper
gh auth login  # GitHub CLI method

CodeQL & Security Scanning

GitHub CodeQL

.github/workflows/codeql.yml:

name: "CodeQL Security Scan"

on:
  push:
    branches: [ main, develop ]
  pull_request:
    branches: [ main ]
  schedule:
    - cron: '0 0 * * 1'  # Weekly scan

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    permissions:
      security-events: write
      contents: read

    strategy:
      fail-fast: false
      matrix:
        language: [ 'javascript', 'python', 'java' ]

    steps:
    - name: Checkout repository
      uses: actions/checkout@v4

    - name: Initialize CodeQL
      uses: github/codeql-action/init@v3
      with:
        languages: ${{ matrix.language }}
        queries: security-and-quality

    - name: Autobuild
      uses: github/codeql-action/autobuild@v3

    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@v3
      with:
        category: "/language:${{ matrix.language }}"

Detects:

SQL injection
XSS vulnerabilities
Path traversal
Command injection
Insecure deserialization
Authentication bypass
Hardcoded secrets

Audit Trail

Enable detailed logging

# Log all Git operations
git config --global alias.ll 'log --all --graph --decorate --oneline --show-signature'

# Check commit verification
git log --show-signature -10

# Export audit log
git log --pretty=format:"%H,%an,%ae,%ad,%s" --date=iso > git-audit.csv

# Verify all commits in branch
git log --show-signature main..HEAD

Security Checklist

Repository Setup:

☑ Enable branch protection
☑ Require signed commits
☑ Enable secret scanning with push protection
☑ Enable CodeQL or similar scanning
☑ Configure Dependabot/Renovate
☑ Require 2FA for all contributors

Developer Workstation:

☑ Use GPG or SSH commit signing
☑ Configure credential manager (never plaintext)
☑ Install and configure gitleaks
☑ Create comprehensive .gitignore
☑ Enable fsckobjects for transfers
☑ Use SSH keys with passphrase

Workflow:

☑ Never commit secrets
☑ Review changes before commit
☑ Verify signatures on pull/merge
☑ Regular security audits
☑ Rotate credentials periodically
☑ Use environment variables for secrets

Incident Response

Secret leaked in commit:

# 1. Rotate compromised credentials IMMEDIATELY
# 2. Remove from latest commit (if not pushed)
git reset HEAD~1
# Edit files to remove secret
git add .
git commit -m "Remove secrets"

# 3. If pushed, remove from history
git filter-repo --path config/secrets.yml --invert-paths
git push --force

# 4. Notify team to re-clone
# 5. Enable push protection to prevent future leaks

Unsigned commits detected:

# Identify unsigned commits
git log --show-signature | grep "No signature"

# Re-sign commits (if you authored them)
git rebase --exec 'git commit --amend --no-edit -n -S' -i HEAD~10

# Force push (with team coordination)
git push --force-with-lease

Resources

Weekly Installs

Repository

josiahsiegel/cl…ketplace

GitHub Stars

First Seen

Jan 24, 2026

Security Audits

Gen Agent Trust HubPass SocketPass SnykWarn

Installed on

opencode52

claude-code52

gemini-cli52

codex49

cursor48

github-copilot44

Git安全最佳实践2025：零信任模型、签名提交与Windows路径规范

🇨🇳中文介绍

🚨 关键准则

Windows 文件路径要求

文档编写准则

相关 Skills

Git 安全最佳实践 2025

零信任安全模型（2025 标准）

为 Git 实施零信任

签名提交（2025 年强制要求）

GPG 签名（传统方式）

SSH 签名（现代替代方案 - 2023+）

密钥扫描与预防

GitHub 密钥扫描（推送保护）

Gitleaks（本地扫描）

Git-secrets（专注于 AWS）

强制执行签名提交

分支保护规则

预接收钩子（服务器端强制执行）

安全配置

推荐的 Git 配置

.gitignore 安全性

凭证管理

SSH 密钥

HTTPS 凭证

个人访问令牌（PAT）

CodeQL 与安全扫描

GitHub CodeQL

审计追踪

启用详细日志记录

安全检查清单

事件响应

资源

🇺🇸English

🚨 CRITICAL GUIDELINES

Windows File Path Requirements

Documentation Guidelines

Git Security Best Practices 2025

Zero-Trust Security Model (2025 Standard)

Implementing Zero-Trust for Git

Signed Commits (Mandatory in 2025)

GPG Signing (Traditional)

SSH Signing (Modern Alternative - 2023+)

Secret Scanning & Prevention

GitHub Secret Scanning (Push Protection)

Gitleaks (Local Scanning)

Git-secrets (AWS-focused)

Enforce Signed Commits

Branch Protection Rules

Pre-receive Hook (Server-side enforcement)

Security Configuration

Recommended Git Config

.gitignore Security

Credential Management

SSH Keys

HTTPS Credentials

Personal Access Tokens (PAT)

CodeQL & Security Scanning

GitHub CodeQL

Audit Trail

Enable detailed logging

Security Checklist

Incident Response

Resources

最新 Skills