The critical role of signed commits in software security
The software that powers enterprises' innovations, products, and services today has established itself as one of the top assets for businesses, increasing the importance of taking appropriate measures to secure and govern source code repositories. With the growing adoption of AI-powered source code management platforms like GitHub, it's essential to review the code repository security features to reduce the likelihood and impact of these crown jewels being compromised.
GitHub provides a robust platform for collaboration, code management, and version control, and the repositories can pose a significant risk if not protected effectively. These source code repositories store the intellectual property (IP) of organizations, and proper management of these repositories is crucial to maintaining the integrity and security of business-critical software. The absence of robust repository security measures increases the potential for vulnerabilities and unauthorized access to sensitive projects.
A vital aspect of code integrity is validating the authenticity of the source of changes. Signed commits enable development teams to verify that the code changes originate from a trusted developer. In organizations where code reviews and approvals are crucial, especially for critical applications, a genuine Git signature significantly increases the likelihood that appropriately authorized personnel have reviewed and approved proposed changes.
To contextualize security levels: standard practices involve username and password authentication, stepping up to enhanced security incorporates Multi-Factor Authentication (MFA) for better protection, and achieving optimal security combines these methods with signed commits for the best line of defense. This layered approach, starting from expected login measures to the best practice of signed commits, is essential for organizations to bolster their software development environment, ensuring every access point and code change is thoroughly authenticated and verified, thereby maintaining the highest confidence in security and integrity.
GitHub provides native functionality for code signing using GPG (GNU Privacy Guard), SSH (Secure Shell), or S/MIME (Secure/Multipurpose Internet Mail Extensions) to cryptographically sign each commit, verifying that the changes originated from a trusted collaborator and that no unauthorized modifications occurred. Implementing signed commits is crucial for organizations to maintain a secure software development environment by providing confidence in the following areas:
To leverage signed commits effectively and maintain code integrity in your organization's GitHub repositories, consider the following best practices:
Emphasizing the importance of signed commits and ensuring that code integrity is maintained throughout your organization's software development process is crucial for mitigating security risks. Organizations can better safeguard their IP and maintain a secure GitHub environment by implementing the recommended practices — such as enforcing a company-wide policy, providing training, verifying commits, adhering to secure key management, and conducting regular audits.
Due to the sensitive and mission-critical data in code repositories, it’s not enough to simply scan the code itself for vulnerabilities: investing in robust repository security is now table stakes, and implementing signed commits supports codebase integrity and helps drive a proactive security culture.
KPMG is a Microsoft Alliance partner and has supported large organizations’ GitHub security efforts for years, enabling organizations to focus more on innovation and growth.