securegit 0.8.5

Zero-trust git replacement with 12 built-in security scanners, LLM redteam bridge, universal undo, durable backups, and a 50-tool MCP server
# SecureGit Usage Tips and Best Practices

## Command Aliases

If `securegit` feels too long to type, create an alias:

### Bash/Zsh

Add to `~/.bashrc` or `~/.zshrc`:

```bash
# Short alias
alias sgit='securegit'

# Even shorter
alias sg='securegit'

# Common workflows
alias sgacquire='securegit acquire'
alias sgscan='securegit scan'
alias sgplugin='securegit plugin'
```

**Usage:**
```bash
# Instead of
securegit acquire https://github.com/user/repo /tmp/repo

# Use
sgit acquire https://github.com/user/repo /tmp/repo

# Or
sg acquire https://github.com/user/repo /tmp/repo
```

### Fish Shell

Add to `~/.config/fish/config.fish`:

```fish
alias sgit='securegit'
alias sg='securegit'
```

### Windows PowerShell

Add to PowerShell profile:

```powershell
Set-Alias -Name sgit -Value securegit
Set-Alias -Name sg -Value securegit
```

### Git-Style Alias

For a git-like workflow:

```bash
alias git-secure='securegit acquire'
```

**Usage:**
```bash
# Clone-like syntax
git-secure https://github.com/user/repo /tmp/repo
```

## Workflow Integration

### Replace `git clone`

**Traditional workflow:**
```bash
git clone https://github.com/user/untrusted-repo
cd untrusted-repo
```

**SecureGit workflow:**
```bash
sgit acquire https://github.com/user/untrusted-repo untrusted-repo
cd untrusted-repo
```

### Pre-Commit Hook

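Add to `.git/hooks/pre-commit` and make the file executable:

```bash
#!/bin/bash
# Scan staged files before commit.
# Hooks run as non-interactive scripts, where shell aliases such as `sgit`
# are not expanded, so call the binary by its full name.

securegit scan --staged --fail-on high || {
    echo "Security scan failed. Commit blocked."
    exit 1
}
```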

### Development Alias Collection

Create a `~/.securegit_aliases` file:

```bash
# Quick scan current directory
alias scan-here='sgit scan .'

# Scan with specific plugins only
alias scan-secrets='sgit scan . --plugins secrets,gitleaks'

# Scan and ignore common false positives
alias scan-clean='sgit scan . --skip-paths "**/node_modules/**,**/vendor/**"'

# Quick plugin check
alias plugin-status='sgit plugin list && sgit plugin check-updates'

# Acquire to specific safe directory
alias safe-clone='sgit acquire'

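# Scan PR branch
# (xargs executes a real binary, not a shell alias, so use the full name;
#  -z / -0 keep file names that contain spaces intact)
alias scan-pr='git diff main -z --name-only | xargs -0 securegit scan'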
```

Source in your shell:
```bash
echo "source ~/.securegit_aliases" >> ~/.bashrc
```

## Beta Tester Recommendations

### Suggested Aliases for Testing

**Minimal setup:**
```bash
alias sgit='securegit'
```

**Comfortable setup:**
```bash
alias sgit='securegit'
alias sgacq='securegit acquire'
alias sgscan='securegit scan'
alias sgplug='securegit plugin'
```

**Power user setup:**
```bash
# Main command
alias sgit='securegit'

# Subcommands
alias sgacq='securegit acquire'
alias sgscan='securegit scan'
alias sgplug='securegit plugin'

# Common workflows
alias safe-clone='securegit acquire'
alias scan-here='securegit scan .'
alias scan-deep='securegit scan . --include-git'
alias plugin-update='securegit plugin update --all'

# Integration with git
alias git-safe='securegit acquire'
alias git-scan='securegit scan'
```

### Feedback Request

During beta testing, please share:
- What alias(es) you use
- Whether the default name is too long
- If we should provide default aliases
- Suggested alternative command names

## Alternative Command Names

If testing reveals a strong preference, we could consider:

### Shorter Options
- `sgit` - Secure Git (4 chars)
- `safegit` - Safe Git (7 chars)
- `secgit` - Secure Git (6 chars)

### Alternative Concepts
- `trustless` - Emphasizes zero-trust
- `verigit` - Verification + Git
- `cleangit` - Clean/sanitized Git

### Feedback Question
**Which feels most natural to you?**
- [ ] `securegit` (current)
- [ ] `sgit`
- [ ] `safegit`
- [ ] `secgit`
- [ ] Other: ___________

## Binary Naming Convention

Current recommendation: Keep `securegit` as the official binary name, let users alias as preferred.

**Rationale:**
- Clear, descriptive name for discovery
- No ambiguity about purpose
- Users can easily alias to preference
- Documentation uses consistent name

**Compromise:**
- Ship with example aliases in README
- Include shell completion for common aliases
- Document aliasing in quick start guide

## Tab Completion

Enable tab completion for the alias:

### Bash

```bash
# Add to ~/.bashrc
complete -F _securegit sgit
complete -F _securegit sg
```

### Zsh

```zsh
# Add to ~/.zshrc
compdef sgit=securegit
compdef sg=securegit
```

## Environment Variables

Customize behavior with environment variables:

```bash
# Use custom config directory
export SECUREGIT_CONFIG_DIR=~/.config/my-securegit

# Default severity threshold
export SECUREGIT_FAIL_ON=high

# Skip certain paths by default
export SECUREGIT_SKIP_PATHS="**/node_modules/**:**/vendor/**"

# Enable verbose output
export SECUREGIT_VERBOSE=1
```

Add to aliases:
```bash
alias sgit='SECUREGIT_VERBOSE=1 securegit'
```

## Quick Reference Card

Print this and keep near your desk during testing:

```
SecureGit Quick Reference

ACQUISITION:
  sgit acquire <url> <path>     Clone safely
  sgit acquire <url> .          Acquire to current dir

SCANNING:
  sgit scan <path>               Basic scan
  sgit scan . --fail-on high     Fail on high severity
  sgit scan . --include-git      Scan .git directory

PLUGINS:
  sgit plugin list               Show installed
  sgit plugin install <name>     Install plugin
  sgit plugin check-updates      Check for updates
  sgit plugin update --all       Update all plugins

HELP:
  sgit --help                    Main help
  sgit <command> --help          Command help
  sgit --version                 Show version

CONFIG:
  ~/.config/securegit/config.toml
  ~/.config/securegit/plugins/
```

## Productivity Tips

### 1. Scan Before Reviewing

```bash
# Acquire and scan in one line
sgit acquire https://github.com/user/repo /tmp/repo && sgit scan /tmp/repo
```
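The one-liner above turned into a gate, as an added example that is not part of the SecureGit documentation: the repository is acquired into a temporary quarantine directory and only moved to its destination if the scan passes. The function name `vet_repo` is hypothetical; the example assumes that `securegit acquire` creates the target path and that `securegit scan --fail-on <level>` exits non-zero when findings meet the threshold, as the pre-commit hook on this page relies on.

```bash
#!/usr/bin/env bash
# Added example, not SecureGit's own code. vet_repo is a hypothetical helper.
# Usage: vet_repo <url> <dest> [fail-on-level]
# Returns: 0 = scanned clean and promoted, 1 = scan failed,
#          2 = bad arguments or setup error, 3 = acquire failed.

vet_repo() {
    local url="$1"
    local dest="$2"
    local fail_on="${3:-high}"
    local quarantine

    if [ -z "$url" ] || [ -z "$dest" ]; then
        echo "usage: vet_repo <url> <dest> [fail-on]" >&2
        return 2
    fi
    # Refuse to reuse a path: leftover files there were never scanned.
    if [ -e "$dest" ]; then
        echo "vet_repo: $dest already exists" >&2
        return 2
    fi

    quarantine="$(mktemp -d "${TMPDIR:-/tmp}/sg-vet.XXXXXX")" || return 2

    # Full binary name: the sgit/sg aliases are not available in scripts.
    if ! securegit acquire "$url" "$quarantine/repo"; then
        echo "vet_repo: acquire failed for $url" >&2
        rm -rf "$quarantine"
        return 3
    fi

    # Assumption: a non-zero exit means findings at or above the threshold.
    if ! securegit scan "$quarantine/repo" --fail-on "$fail_on"; then
        echo "vet_repo: scan failed, nothing written to $dest" >&2
        rm -rf "$quarantine"
        return 1
    fi

    # Promote only after a passing scan, then drop the empty quarantine dir.
    mv "$quarantine/repo" "$dest" && rm -rf "$quarantine"
}
```

Source the file and call `vet_repo https://github.com/user/repo ./repo`; a failed scan leaves nothing at the destination, so a half-reviewed tree cannot be picked up by accident.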

### 2. Background Scanning

```bash
# Scan in background, review results later
sgit scan large-repo > scan-results.txt 2>&1 &
```

### 3. Filter by Severity

```bash
# Only show critical and high
sgit scan . --min-severity high
```

### 4. JSON Output for Tooling

```bash
# Get JSON output for parsing
sgit scan . --format json > results.json

# Use with jq
sgit scan . --format json | jq '.findings[] | select(.severity == "critical")'
```

### 5. Incremental Scanning

```bash
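# Scan only changed files (git-aware)
# xargs executes a real binary, not a shell alias, so use the full name;
# -z / -0 keep file names that contain spaces intact
git diff -z --name-only main | xargs -0 securegit scan

# Scan staged files
git diff -z --cached --name-only | xargs -0 securegit scan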
```

## Beta Test Specific Tips

### Daily Testing Routine

**Morning:**
```bash
sgit plugin check-updates
```

**Before using new dependency:**
```bash
sgit acquire <repo-url> /tmp/check-repo
sgit scan /tmp/check-repo
# Review results, then use if safe
```

**Before committing:**
```bash
sgit scan --staged
```

**End of day:**
```bash
# Quick feedback note
echo "$(date): Tested <feature>, found <issue>" >> ~/securegit-notes.txt
```

### Feedback Collection Helpers

Create feedback alias:
```bash
alias sgfeedback='echo "Feature: | Like: | Dislike: | Bug: " >> ~/securegit-feedback.txt && vim ~/securegit-feedback.txt'
```

### Testing Checklist Alias

```bash
alias sgtest='cat << EOF
SecureGit Testing Checklist
[ ] Install/update worked
[ ] Acquired a repository
[ ] Ran a scan
[ ] Installed a plugin
[ ] Found a bug? Report it
[ ] Quick feedback: sgfeedback
EOF'
```

## Share Your Setup!

During beta testing, please share:
1. Your alias configuration
2. Any custom scripts or integrations
3. Workflow improvements you discovered
4. What made you more productive

This helps us:
- Provide better default configuration
- Create better documentation
- Understand real usage patterns
- Build features users actually want

## Conclusion

The command name `securegit` is intentionally descriptive, but we recognize it can feel verbose for daily use. Setting up aliases takes 30 seconds and makes the tool feel much more natural.

**Recommendation for beta testers:** Start with `alias sgit='securegit'` and see how it feels. Share what works for you!