Git, a version control system, is one of the most commonly found tools in a developer’s arsenal. With 100 million active users on GitHub alone, the system’s popularity is undeniable. Despite these numbers, many users aren’t aware of the optional security measures it provides. Because they’re not implemented as standard, they’re easily missed – but often crucial for your organization’s integrity.

Immersive Labs is the first platform to interactively teach you all you need to know about these security measures, with our new Git Security collection.

The True Cost of Bad Git Security

There are tens of millions of public Git repositories on the internet. Now consider this: personal repositories are public by default. This can prove especially troublesome if an employee accidentally sets themselves as the repository owner instead of their organization. How many of those public repositories should have been private? How many contain proprietary code, credentials, or other secrets?

There is a recent upwards trend of ransomware operators and threat groups stealing source code for blackmail and ransom. Meanwhile, stolen and compromised credentials stand out in IBM’s 2022 Cost of a Data Breach report. According to the report, they’re the most common initial attack vector in data breaches. At 327 days, they also result in the longest mean time to identify and contain the breach. As far as cost to the target organization goes, they’ve been among the top five for years. Leaked secrets and credentials are not uncommon in Git repositories. To make matters worse, they’re not always dealt with correctly, even when they’re detected.

A Real-World Example

Back in 2020, a hospital employee in Brazil committed a spreadsheet containing credentials to a public repository. This mistake made two government databases public, which held the personal information of 16 million patients and prominent figures, including the president of Brazil at the time. The labs in our new collection include more interesting anecdotes and cautionary tales proving that Git security is essential in daily operations.

Beyond the initial attack, compromised accounts can be used to inject malicious code into repositories. The first step to mitigate this is to shift left with more secure authentication methods. But you should also take a defense-in-depth approach and prepare for the worst. This requires checking the authenticity of commits made to a repository.

Our New Series

The new Git Security labs cover the vulnerabilities and security measures discussed and more. The series will start you off with the basics and set you on your way to becoming a Git guru with the following labs:

These labs contain our very own Git hosting service called Metrolio, which is akin to popular services like GitHub. To complete them all, you’ll have to use both the web interface and the command line interface. Your reward at the end will be a Git Security badge and a security-first mindset in how you use Git day to day.

Check Out Immersive Labs in the News.


February 8, 2023


Git Security


Sabrina Aytac

Application Security Engineer