# Security Best Practices

## Credential Management

### Secure Credential Storage
```bash
# Use Git's credential helper: keep credentials in memory for a limited time
git config --global credential.helper cache
git config --global credential.helper 'cache --timeout=3600'

# For persistent storage. Note: 'store' writes credentials in plaintext to
# ~/.git-credentials; where a platform keychain helper exists (for example
# osxkeychain on macOS or manager on Windows), prefer it over 'store'.
git config --global credential.helper store
```
### Token and Key Rotation
```bash
# Generate new SSH key
ssh-keygen -t rsa -b 4096 -f ~/.ssh/new_key
# Update GitHub/GitLab SSH keys with the new public key (~/.ssh/new_key.pub)
# Manually remove the old public key from the platform once the new key works
```
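The rotation steps above as one non-destructive sequence, written as an added example (not code from the original page): the new pair is generated without touching the old one, the ssh config is pointed at the new key, and the old key is removed only in a separate step after the public key has been registered on the platform and access has been tested. The directory, host alias and key names are assumptions for illustration.

```shell
#!/bin/sh
# Added example: SSH key rotation in two explicit steps.
# Assumed arguments: key directory (e.g. ~/.ssh), new key basename, ssh host alias.

rotate_ssh_key() {
    keydir=$1
    new=$2
    host=$3
    command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not found" >&2; return 2; }
    # Never overwrite an existing key: a typo here would destroy the key still in use
    [ -f "$keydir/$new" ] && { echo "refusing to overwrite $keydir/$new" >&2; return 1; }

    # 1. Generate the replacement pair (RSA 4096 as on the page; -N '' keeps the demo non-interactive,
    #    a real key should be protected with a passphrase)
    ssh-keygen -q -t rsa -b 4096 -N '' -f "$keydir/$new" || return 1

    # 2. Use the new key for this host; the old key file stays in place and valid for now
    printf 'Host %s\n  IdentityFile %s/%s\n  IdentitiesOnly yes\n' "$host" "$keydir" "$new" >> "$keydir/config"
    chmod 600 "$keydir/$new" "$keydir/config"

    echo "Register this public key on $host, test access (ssh -T git@$host), then run retire_ssh_key:"
    cat "$keydir/$new.pub"
}

# 3. Retire the old key only after the platform side has been updated and verified
retire_ssh_key() {
    keydir=$1
    old=$2
    rm -f "$keydir/$old" "$keydir/$old.pub"
    echo "removed $keydir/$old; remember to delete its public key from the platform too"
}

# Usage (constructed paths): rotate_ssh_key ~/.ssh new_key github.com
#                            retire_ssh_key ~/.ssh id_rsa
```

Keeping generation and retirement in separate functions means a failed platform update leaves a working key behind, which is the failure mode a rotation procedure most needs to survive.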
## Two-Factor Authentication (2FA)

### Enabling 2FA
| Platform | 2FA Method | Setup Location |
|---|---|---|
| GitHub | TOTP/SMS | Settings > Security |
| GitLab | TOTP/U2F | Profile > Account |
| Bitbucket | TOTP | Account Settings |
## Access Control Strategies

### Repository Permission Model

```mermaid
graph TD
    A[Repository] --> B[Read Access]
    A --> C[Write Access]
    A --> D[Admin Access]
    B --> E[Viewers]
    C --> F[Contributors]
    D --> G[Owners/Managers]
```
### Implementing Least Privilege

```bash
# Example: Limit repository access
# On GitHub/GitLab:
# - Create specific user roles
# - Assign minimal necessary permissions
```
## Secure Git Configuration

```bash
# Prevent accidental credential commits
# Keep credentials in Git's in-memory cache rather than in files inside the repository
git config --global credential.helper cache
# Global ignore file, applied to every repository on this machine
git config --global core.excludesfile ~/.gitignore_global

# Sample .gitignore_global
echo "*.credentials" >> ~/.gitignore_global
echo "*.token" >> ~/.gitignore_global
```
## Advanced Security Techniques

### Git Hooks for Security

```bash
#!/bin/bash
# Pre-commit hook to prevent sensitive data from being committed
# (save as .git/hooks/pre-commit and make it executable)

# Check only the lines being added (drop the '+++ b/file' header), so that
# removed lines and unchanged context do not trigger the check
if git diff --cached -U0 | grep -E '^\+' | grep -vE '^\+\+\+ ' | grep -iqE 'password|token|secret|api[_-]?key'; then
    echo "Potential credentials detected! Commit aborted."
    exit 1
fi
```
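The hook above is one instance of a more general check. The following is an added example, not code from the original page: a function that reads a unified diff on stdin, keeps only the added lines, and matches them against a small catalogue of credential shapes (assignment-style secrets plus a few well-known token formats). The sample diffs are constructed for the demonstration, and the pattern list is illustrative rather than exhaustive.

```shell
#!/bin/sh
# Added example: scan only the ADDED lines of a unified diff for credential-like strings.
# Usage as a hook body:   git diff --cached | scan_added_lines
# Usage in CI:            git diff origin/main...HEAD | scan_added_lines

scan_added_lines() {
    # Keep '+' lines, drop the '+++ b/path' file header, strip the leading '+'
    added=$(grep -E '^\+' | grep -vE '^\+\+\+ ' | sed 's/^+//')
    # Case-insensitive, numbered matches; '|| true' keeps the function safe under 'set -e'
    hits=$(printf '%s\n' "$added" | grep -inE \
        -e '(password|passwd|secret|api[_-]?key|access[_-]?token)[[:space:]]*[:=]' \
        -e 'AKIA[0-9A-Z]{16}' \
        -e 'ghp_[A-Za-z0-9]{36}' \
        -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' || true)
    if [ -n "$hits" ]; then
        printf 'Potential credentials detected:\n%s\n' "$hits" >&2
        return 1
    fi
    return 0
}

# Constructed sample: one removed secret (must NOT fire), one added password, one added AWS-style key id
SAMPLE_DIFF='diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,3 @@
-PASSWORD = "old-value"
+PASSWORD = "hunter2"
 KEYBOARD_LAYOUT = "us"
+AWS_ID = "AKIAABCDEFGHIJKLMNOP"'

# Constructed sample: the word "key" alone must not trigger a false positive
CLEAN_DIFF='--- a/readme.md
+++ b/readme.md
@@ -1 +1,2 @@
 intro
+Press any key to continue'

printf '%s\n' "$SAMPLE_DIFF" | scan_added_lines || echo "sample diff: commit would be blocked"
printf '%s\n' "$CLEAN_DIFF" | scan_added_lines && echo "clean diff: commit allowed"
```

Matching the key-like words only when followed by `:` or `=` is what keeps `KEYBOARD_LAYOUT` and "Press any key" out of the results while still catching an assignment; the fixed-format patterns (AWS key ids, GitHub tokens, PEM headers) need no such anchor because their prefixes are distinctive on their own.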
## LabEx Security Recommendations
- Use SSH keys over passwords
- Implement comprehensive 2FA
- Regularly audit repository access
- Use encrypted communication
- Implement strict access controls
## Security Monitoring

```mermaid
graph LR
    A[Security Monitoring] --> B[Access Logs]
    A --> C[Unusual Activity Detection]
    A --> D[Periodic Access Review]
    B --> E[Track Login Attempts]
    C --> F[Identify Potential Threats]
    D --> G[Remove Unnecessary Access]
```
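The "Periodic Access Review" branch of the diagram, run over data, as an added example that is not part of the original page: a collaborator export (constructed here; the real one would come from the hosting platform's API or audit log, converted to the CSV columns shown) is checked for accounts that have been inactive beyond a threshold and for admin-level grants that need an explicit justification. The column names and the 90-day threshold are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example: periodic access review over a constructed collaborator export.
# Columns: user,role,days_since_last_activity

COLLABORATORS='user,role,days_since_last_activity
alice,admin,3
bob,write,12
carol,write,140
dave,admin,210
erin,read,45'

# Accounts inactive for more than $1 days (default 90): candidates for removal
stale_accounts() {
    printf '%s\n' "$COLLABORATORS" | awk -F, -v max="${1:-90}" 'NR>1 && $3+0 > max {print $1}'
}

# Admin grants are listed regardless of activity: each one needs a current justification
admin_accounts() {
    printf '%s\n' "$COLLABORATORS" | awk -F, 'NR>1 && $2=="admin" {print $1}'
}

# Non-zero exit when removals are pending, so a cron job or CI step can alert on it
review_access() {
    threshold=${1:-90}
    stale=$(stale_accounts "$threshold")
    admins=$(admin_accounts)
    printf 'Admins to confirm: %s\n' "$(printf '%s' "$admins" | tr '\n' ' ')"
    if [ -n "$stale" ]; then
        printf 'Remove (inactive > %s days): %s\n' "$threshold" "$(printf '%s' "$stale" | tr '\n' ' ')"
        return 1
    fi
    echo "No stale accounts"
    return 0
}

review_access 90 || echo "access review found accounts to remove"
```

Separating the two lists matters in practice: inactivity is a mechanical signal that can drive automatic removal, whereas an active admin account (alice above) is not a finding on its own but still needs a human to confirm that the role is required.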
## Key Security Principles

| Principle | Description | Implementation |
|---|---|---|
| Least Privilege | Minimal necessary access | Role-based permissions |
| Regular Rotation | Frequent credential changes | Automated key/token updates |
| Comprehensive Logging | Detailed access tracking | Centralized security monitoring |