Securing Git Repositories for GitOps
Repository security forms the foundation of GitOps security. Compromised repositories could allow attackers to modify infrastructure definitions, potentially creating backdoors, exposing data, or causing service disruptions. Multi-layered repository security controls protect against both external attacks and insider threats.
Branch protection rules enforce security workflows by requiring reviews before infrastructure changes merge. Production branches should require multiple approvals from authorized team members. Automated security scans should pass before allowing merges. These controls ensure human oversight and automated validation for all infrastructure changes.
```yaml
# GitHub repository security configuration for GitOps
# .github/settings.yml
repository:
  name: infrastructure-gitops
  description: GitOps repository for production infrastructure
  homepage: https://docs.internal.com/gitops
  private: true
  has_issues: true
  has_projects: false
  has_wiki: false
  has_downloads: false
  default_branch: main
  # Squash-only merges keep a linear, reviewable history
  allow_squash_merge: true
  allow_merge_commit: false
  allow_rebase_merge: false
  delete_branch_on_merge: true
  enable_automated_security_fixes: true
  enable_vulnerability_alerts: true

branches:
  - name: main
    protection:
      required_pull_request_reviews:
        required_approving_review_count: 2
        dismiss_stale_reviews: true
        require_code_owner_reviews: true
        dismissal_restrictions:
          teams:
            - security-team
            - platform-team
      required_status_checks:
        # strict: the PR branch must be up to date with main before merging
        strict: true
        contexts:
          - security/scan-terraform
          - security/scan-kubernetes
          - security/validate-policies
          - security/sign-commits
      enforce_admins: true
      required_linear_history: true
      # Only these teams may push to main at all
      restrictions:
        users: []
        teams:
          - platform-team
          - security-team
      required_signatures: true
      lock_branch: false
      allow_force_pushes: false
      allow_deletions: false
  - name: staging
    protection:
      required_pull_request_reviews:
        required_approving_review_count: 1
      required_status_checks:
        contexts:
          - security/scan-terraform
          - security/scan-kubernetes
      required_signatures: true
```

```text
# .github/CODEOWNERS: reviewers required for security-sensitive paths
# (enforced on main by require_code_owner_reviews above)
/production/          @platform-team @security-team
/rbac/                @security-team
/network-policies/    @security-team @network-team
/secrets-management/  @security-team
/.github/             @security-team
```
Signed commits provide cryptographic proof of authorship and protect against repository tampering. Requiring GPG-signed commits ensures all changes come from verified contributors. This protection becomes critical in GitOps where repository contents directly control infrastructure.
Access control granularity prevents overly broad permissions. Teams should have repository access limited to their areas of responsibility. Read-only access suffices for most team members, with write access restricted to approved contributors. API tokens for GitOps agents should have minimal required permissions.
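As an added example (not code from the original page), a small Python audit that checks branch entries in the settings.yml shape shown above against the production baseline the text describes: two approvals, code-owner review, the four security status checks, required signatures, and no force pushes or deletions. The baseline constant and the sample branch entries are constructed for the example; staging is deliberately lighter, so auditing it against the production baseline lists exactly the gaps a reviewer would have to justify.

```python
# Assumed production baseline, taken from the requirements stated in the text.
PRODUCTION_BASELINE = {
    "min_approvals": 2,
    "required_contexts": {"security/scan-terraform", "security/scan-kubernetes",
                          "security/validate-policies", "security/sign-commits"},
}

def audit_branch(branch, baseline):
    """Compare one branch entry (settings.yml shape) to the baseline; return findings."""
    name, prot, findings = branch.get("name", "<unnamed>"), branch.get("protection") or {}, []
    reviews = prot.get("required_pull_request_reviews") or {}
    approvals = reviews.get("required_approving_review_count", 0)
    if approvals < baseline["min_approvals"]:
        findings.append(f"{name}: {approvals} approval(s) required, baseline is {baseline['min_approvals']}")
    if not reviews.get("dismiss_stale_reviews"):
        findings.append(f"{name}: stale reviews are not dismissed on new commits")
    if not reviews.get("require_code_owner_reviews"):
        findings.append(f"{name}: CODEOWNERS review is not required")
    checks = prot.get("required_status_checks") or {}
    for ctx in sorted(baseline["required_contexts"] - set(checks.get("contexts", []))):
        findings.append(f"{name}: required status check '{ctx}' is not enforced")
    if not checks.get("strict"):
        findings.append(f"{name}: PR branch need not be up to date before merge")
    # Boolean flags that must hold regardless of the review settings.
    for key, expected in (("enforce_admins", True), ("required_signatures", True),
                          ("required_linear_history", True),
                          ("allow_force_pushes", False), ("allow_deletions", False)):
        if bool(prot.get(key, False)) is not expected:
            findings.append(f"{name}: {key} should be {expected}")
    return findings

def audit_all(branches, baseline=PRODUCTION_BASELINE):
    return {b["name"]: audit_branch(b, baseline) for b in branches}

# Constructed sample mirroring the two branches in the settings.yml above.
SAMPLE_BRANCHES = [
    {"name": "main", "protection": {
        "required_pull_request_reviews": {"required_approving_review_count": 2,
            "dismiss_stale_reviews": True, "require_code_owner_reviews": True},
        "required_status_checks": {"strict": True,
            "contexts": sorted(PRODUCTION_BASELINE["required_contexts"])},
        "enforce_admins": True, "required_linear_history": True, "required_signatures": True,
        "allow_force_pushes": False, "allow_deletions": False}},
    {"name": "staging", "protection": {
        "required_pull_request_reviews": {"required_approving_review_count": 1},
        "required_status_checks": {"contexts": ["security/scan-terraform", "security/scan-kubernetes"]},
        "required_signatures": True}},
]

if __name__ == "__main__":
    for branch, found in audit_all(SAMPLE_BRANCHES).items():
        print(branch, "compliant" if not found else "\n  " + "\n  ".join(found))
```

Run it in CI against the parsed settings.yml (for example via a YAML loader feeding `audit_all`) so that a weakened rule on a production branch fails the pipeline before it is applied.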