π¨ CRITICAL GUIDELINES
Windows File Path Requirements
MANDATORY: Always Use Backslashes on Windows for File Paths
When using Edit or Write tools on Windows, you MUST use backslashes (
) in file paths, NOT forward slashes (/
).
Examples:
-
β WRONG: D:/repos/project/file.tsx
-
β CORRECT: D:\repos\project\file.tsx
This applies to:
-
Edit tool file_path parameter
-
Write tool file_path parameter
-
All file operations on Windows systems
Documentation Guidelines
NEVER create new documentation files unless explicitly requested by the user.
-
Priority: Update existing README.md files rather than creating new documentation
-
Repository cleanliness: Keep repository root clean - only README.md unless user requests otherwise
-
Style: Documentation should be concise, direct, and professional - avoid AI-generated tone
-
User preference: Only create additional .md files when user specifically asks for documentation
Git Security Best Practices 2025
Zero-Trust Security Model (2025 Standard)
What: Every developer identity must be authenticated and authorized explicitly. All Git operations are logged, signed, and continuously monitored.
Core Principles:
-
Never trust, always verify - Every commit verified
-
Least privilege access - Minimal permissions required
-
Continuous monitoring - All operations logged and audited
-
Assume breach - Defense in depth strategies
Implementing Zero-Trust for Git
- Mandatory Signed Commits:
Global requirement
git config --global commit.gpgsign true git config --global tag.gpgsign true
Enforce via branch protection (GitHub/GitLab/Azure DevOps)
Repository Settings β Branches β Require signed commits
- Identity Verification:
Every commit must verify identity
git log --show-signature -10
Reject unsigned commits in CI/CD
.github/workflows/verify.yml
- name: Verify all commits are signed run: | git log --pretty="%H" origin/main..HEAD | while read commit; do if ! git verify-commit "$commit" 2>/dev/null; then echo "ERROR: Unsigned commit $commit" exit 1 fi done
- Continuous Audit Logging:
Enable Git audit trail
git config --global alias.audit 'log --all --pretty="%H|%an|%ae|%ad|%s|%GK" --date=iso'
Export audit log
git audit > git-audit.log
Monitor for suspicious activity
git log --author="*" --since="24 hours ago" --pretty=format:"%an %ae %s"
- Least Privilege Access:
GitHub branch protection (zero-trust model)
branches: main: protection_rules: required_pull_request_reviews: true dismiss_stale_reviews: true require_code_owner_reviews: true required_approving_review_count: 2 require_signed_commits: true enforce_admins: true restrictions: users: [] # No direct push teams: ["security-team"]
- Continuous Monitoring:
Monitor all repository changes
.github/workflows/security-monitor.yml
name: Security Monitoring on: [push, pull_request] jobs: monitor: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 with: fetch-depth: 0
- name: Check for unsigned commits
run: git verify-commit HEAD || echo "::warning::Unsigned commit detected"
- name: Scan for secrets
run: gitleaks detect --exit-code 1
- name: Check commit author
run: |
AUTHOR=$(git log -1 --format='%an <%ae>')
echo "Commit by: $AUTHOR"
# Log to SIEM/security monitoring
Signed Commits (Mandatory in 2025)
Why: Cryptographically verify commit authorship, prevent impersonation, ensure audit trail.
Industry Trend: Signed commits increasingly required in 2025 workflows.
GPG Signing (Traditional)
Setup:
Generate GPG key
gpg --full-generate-key
Choose: RSA and RSA, 4096 bits, expires in 2y
List keys
gpg --list-secret-keys --keyid-format=long
Example output:
sec rsa4096/ABC123DEF456 2025-01-15 [SC] [expires: 2027-01-15]
uid [ultimate] Your Name <your.email@example.com>
ssb rsa4096/GHI789JKL012 2025-01-15 [E] [expires: 2027-01-15]
Configure Git
git config --global user.signingkey ABC123DEF456 git config --global commit.gpgsign true git config --global tag.gpgsign true
Export public key for GitHub/GitLab
gpg --armor --export ABC123DEF456
Copy output and add to GitHub/GitLab/Bitbucket
Sign commits
git commit -S -m "feat: add authentication"
Verify signatures
git log --show-signature git verify-commit HEAD git verify-tag v1.0.0
Troubleshooting:
GPG agent not running
export GPG_TTY=$(tty) echo 'export GPG_TTY=$(tty)' >> ~/.bashrc
Cache passphrase longer
echo 'default-cache-ttl 34560000' >> ~/.gnupg/gpg-agent.conf echo 'max-cache-ttl 34560000' >> ~/.gnupg/gpg-agent.conf gpg-connect-agent reloadagent /bye
Test signing
echo "test" | gpg --clearsign
SSH Signing (Modern Alternative - 2023+)
Why SSH: Simpler, reuse existing SSH keys, no GPG required.
Setup:
Check if SSH key exists
ls -la ~/.ssh/id_ed25519.pub
Generate if needed
ssh-keygen -t ed25519 -C "your.email@example.com"
Configure Git to use SSH signing
git config --global gpg.format ssh git config --global user.signingkey ~/.ssh/id_ed25519.pub git config --global commit.gpgsign true
Add public key to GitHub
cat ~/.ssh/id_ed25519.pub
GitHub Settings β SSH and GPG keys β New SSH key β Key type: Signing Key
Sign commits (automatic with commit.gpgsign=true)
git commit -m "feat: add feature"
Verify
git log --show-signature
Configure allowed signers file (for verification):
Create allowed signers file
echo "your.email@example.com $(cat ~/.ssh/id_ed25519.pub)" > ~/.ssh/allowed_signers
Configure Git
git config --global gpg.ssh.allowedSignersFile ~/.ssh/allowed_signers
Verify commits
git verify-commit HEAD
Secret Scanning & Prevention
GitHub Secret Scanning (Push Protection)
Enable in repository:
-
Settings β Code security β Secret scanning β Enable
-
Enable push protection (blocks secrets at push time)
AI-powered detection (2025):
-
AWS credentials
-
Azure service principals
-
Google Cloud keys
-
GitHub tokens
-
Database connection strings
-
API keys (OpenAI, Stripe, Anthropic, etc.)
-
Private keys
-
OAuth tokens
-
Custom patterns
Example blocked push:
$ git push remote: error: GH013: Repository rule violations found for refs/heads/main. remote: remote: - Push cannot contain secrets remote: remote: Resolve the following violations before pushing again remote: remote: β AWS Access Key remote: locations: remote: - config.py:12 remote: remote: (Disable push protection: https://github.com/settings/security_analysis) remote: To github.com:user/repo.git ! [remote rejected] main -> main (push declined due to repository rule violations)
Fix:
Remove secret from file
Use environment variable instead
echo "AWS_ACCESS_KEY=your_key" >> .env echo ".env" >> .gitignore
Remove from history if already committed
git rm --cached config.py git commit -m "Remove secrets"
If in history, use filter-repo
git filter-repo --path config.py --invert-paths git push --force
Gitleaks (Local Scanning)
Install:
macOS
brew install gitleaks
Linux
wget https://github.com/gitleaks/gitleaks/releases/download/v8.18.0/gitleaks_8.18.0_linux_x64.tar.gz tar -xzf gitleaks_8.18.0_linux_x64.tar.gz sudo mv gitleaks /usr/local/bin/
Windows
choco install gitleaks
Usage:
Scan entire repository
gitleaks detect
Scan uncommitted changes
gitleaks protect
Scan specific directory
gitleaks detect --source ./src
Generate report
gitleaks detect --report-format json --report-path gitleaks-report.json
Use in CI/CD
gitleaks detect --exit-code 1
Pre-commit hook:
.git/hooks/pre-commit
#!/bin/bash gitleaks protect --staged --verbose if [ $? -ne 0 ]; then echo "β οΈ Gitleaks detected secrets. Commit blocked." exit 1 fi
Git-secrets (AWS-focused)
Install
brew install git-secrets # macOS
or
git clone https://github.com/awslabs/git-secrets.git cd git-secrets sudo make install
Initialize in repository
git secrets --install git secrets --register-aws
Add custom patterns
git secrets --add 'password\s*=\s*[^\s]+' git secrets --add 'api[_-]?key\s*=\s*[^\s]+'
Scan
git secrets --scan git secrets --scan-history
Enforce Signed Commits
Branch Protection Rules
GitHub:
Repository β Settings β Branches β Branch protection rules β Require signed commits β Require linear history β Require status checks to pass
GitLab:
Repository β Settings β Repository β Protected branches β Allowed to push: No one β Allowed to merge: Maintainers β Require all commits be signed
Azure DevOps:
Branch Policies β Add policy β Require signed commits
Pre-receive Hook (Server-side enforcement)
#!/bin/bash
.git/hooks/pre-receive (on server)
zero_commit="0000000000000000000000000000000000000000"
while read oldrev newrev refname; do
Skip branch deletion
if [ "$newrev" = "$zero_commit" ]; then continue fi
Check all commits in push
for commit in $(git rev-list "$oldrev".."$newrev"); do # Verify commit signature if ! git verify-commit "$commit" 2>/dev/null; then echo "Error: Commit $commit is not signed" echo "All commits must be signed. Configure with:" echo " git config commit.gpgsign true" exit 1 fi done done
exit 0
Security Configuration
Recommended Git Config
Enforce signed commits
git config --global commit.gpgsign true git config --global tag.gpgsign true
Use SSH signing (modern)
git config --global gpg.format ssh git config --global user.signingkey ~/.ssh/id_ed25519.pub
Security settings
git config --global protocol.version 2 git config --global transfer.fsckobjects true git config --global fetch.fsckobjects true git config --global receive.fsckobjects true
Prevent credential leaks
git config --global credential.helper cache --timeout=3600
Or use system credential manager
git config --global credential.helper wincred # Windows git config --global credential.helper osxkeychain # macOS
Line ending safety
git config --global core.autocrlf true # Windows git config --global core.autocrlf input # macOS/Linux
Editor safety (avoid nano/vim leaks)
git config --global core.editor "code --wait"
.gitignore Security
Secrets
.env .env.* *.pem *.key *.p12 *.pfx *_rsa *_dsa *_ecdsa *_ed25519 credentials.json secrets.yaml config/secrets.yml
Cloud provider
.aws/ .azure/ .gcloud/ gcloud-service-key.json
Databases
*.sqlite *.db
Logs (may contain sensitive data)
*.log logs/
IDE secrets
.vscode/settings.json .idea/workspace.xml
Build artifacts (may contain embedded secrets)
dist/ build/ node_modules/ vendor/
Credential Management
SSH Keys
Generate secure SSH key
ssh-keygen -t ed25519 -C "your.email@example.com" -f ~/.ssh/id_ed25519_work
Use ed25519 (modern, secure, fast)
Avoid RSA < 4096 bits
Avoid DSA (deprecated)
Configure SSH agent
eval "$(ssh-agent -s)" ssh-add ~/.ssh/id_ed25519_work
Test connection
ssh -T git@github.com
Use different keys for different services
~/.ssh/config
Host github.com IdentityFile ~/.ssh/id_ed25519_github
Host gitlab.com IdentityFile ~/.ssh/id_ed25519_gitlab
HTTPS Credentials
Use credential manager (not plaintext!)
Windows
git config --global credential.helper wincred
macOS
git config --global credential.helper osxkeychain
Linux (libsecret)
git config --global credential.helper /usr/share/git/credential/libsecret/git-credential-libsecret
Cache for limited time (temporary projects)
git config --global credential.helper 'cache --timeout=3600'
Personal Access Tokens (PAT)
GitHub:
-
Settings β Developer settings β Personal access tokens β Fine-grained tokens
-
Set expiration (max 1 year)
-
Minimum scopes needed
-
Use for HTTPS authentication
Never commit tokens:
Use environment variable
export GITHUB_TOKEN="ghp_xxxxxxxxxxxx" git clone https://$GITHUB_TOKEN@github.com/user/repo.git
Or use Git credential helper
gh auth login # GitHub CLI method
CodeQL & Security Scanning
GitHub CodeQL
.github/workflows/codeql.yml:
name: "CodeQL Security Scan"
on: push: branches: [ main, develop ] pull_request: branches: [ main ] schedule: - cron: '0 0 * * 1' # Weekly scan
jobs: analyze: name: Analyze runs-on: ubuntu-latest permissions: security-events: write contents: read
strategy:
fail-fast: false
matrix:
language: [ 'javascript', 'python', 'java' ]
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
queries: security-and-quality
- name: Autobuild
uses: github/codeql-action/autobuild@v3
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
with:
category: "/language:${{ matrix.language }}"
Detects:
-
SQL injection
-
XSS vulnerabilities
-
Path traversal
-
Command injection
-
Insecure deserialization
-
Authentication bypass
-
Hardcoded secrets
Audit Trail
Enable detailed logging
Log all Git operations
git config --global alias.ll 'log --all --graph --decorate --oneline --show-signature'
Check commit verification
git log --show-signature -10
Export audit log
git log --pretty=format:"%H,%an,%ae,%ad,%s" --date=iso > git-audit.csv
Verify all commits in branch
git log --show-signature main..HEAD
Security Checklist
Repository Setup:
-
β Enable branch protection
-
β Require signed commits
-
β Enable secret scanning with push protection
-
β Enable CodeQL or similar scanning
-
β Configure Dependabot/Renovate
-
β Require 2FA for all contributors
Developer Workstation:
-
β Use GPG or SSH commit signing
-
β Configure credential manager (never plaintext)
-
β Install and configure gitleaks
-
β Create comprehensive .gitignore
-
β Enable fsckobjects for transfers
-
β Use SSH keys with passphrase
Workflow:
-
β Never commit secrets
-
β Review changes before commit
-
β Verify signatures on pull/merge
-
β Regular security audits
-
β Rotate credentials periodically
-
β Use environment variables for secrets
Incident Response
Secret leaked in commit:
1. Rotate compromised credentials IMMEDIATELY
2. Remove from latest commit (if not pushed)
git reset HEAD~1
Edit files to remove secret
git add . git commit -m "Remove secrets"
3. If pushed, remove from history
git filter-repo --path config/secrets.yml --invert-paths git push --force
4. Notify team to re-clone
5. Enable push protection to prevent future leaks
Unsigned commits detected:
Identify unsigned commits
git log --show-signature | grep "No signature"
Re-sign commits (if you authored them)
git rebase --exec 'git commit --amend --no-edit -n -S' -i HEAD~10
Force push (with team coordination)
git push --force-with-lease
Resources
-
Git Signing Documentation
-
GitHub Secret Scanning
-
Gitleaks Documentation
-
CodeQL Documentation