Tags: git, security, azure-devops, spoofing, audit-trail

Prevent spoofing on git repositories on Azure DevOps


It seems pretty easy to spoof other users in a Git repository on Azure DevOps, since there is no built in way of preventing this.

I can change the committer using

git config --global user.email "foo@bar.baz"
git config --global user.name "foo"

And I can change the author using

git commit --author="foo <foo@bar.baz>"

Azure DevOps allows me to simply push these changes. Again, there doesn't seem to be a default way to ensure commits are really from the claimed author.

Author: foo / Committed: bart1 / Pushed: bart2

Of course, I am shown as the person who pushed them. However, if my repository is ever moved to another Azure DevOps project, this information will not be transferred to the new location, because there the code is pushed by the user performing the move.

If we need to know for sure who changed what code, for auditing reasons, what would be the best approach? Is this at all possible in Azure DevOps with Git? Or do we need to switch to a different source control system?


Solution

  • If we need to know for sure who changed what code, for auditing reasons, what would be the best approach?

    You should have your developers cryptographically sign their commits using GPG Keys. See documentation from GitHub, or the Git book, etc.

    You should also configure your CI environment to reject commits that do not have a valid signature.
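As an added example (not code from the question or the answer above), here is a POSIX shell gate of the kind the answer recommends: it lists the signature status of every commit in a range with `git log`, and fails the job unless each commit carries a good signature from a key the runner already trusts. It assumes a CI job with the commit range available and a GPG keyring on the runner into which only the team's signing keys have been imported; the commit hashes and names in the sample data are constructed so the script runs without a repository.

```shell
#!/bin/sh
# Added example (not from the original question or answer). Assumes a CI job
# that has the commit range to check, and a GPG keyring on the runner that
# contains only the team's trusted signing keys. Sample data below is constructed.
set -u

# Emit "<hash> <status> <signer>" for every commit in RANGE (e.g. origin/main..HEAD).
# %G? codes: G good and trusted, U good but key untrusted, B bad, N unsigned,
# X/Y expired signature/key, R revoked key, E cannot be checked (key missing).
list_commit_signatures() {
    git log --format='%H %G? %GS' "$1"
}

# Read those lines on stdin. Only status G passes: a good signature from a key
# that is NOT in the trusted keyring (U) is rejected too, otherwise anyone could
# generate a key under a spoofed name and sign with it.
gate_signatures() {
    bad=0
    while read -r hash status signer; do
        case "$status" in
            G) ;;
            *) printf 'REJECT %s status=%s signer=%s\n' \
                   "$hash" "$status" "${signer:-<none>}" >&2
               bad=1 ;;
        esac
    done
    return "$bad"
}

# Constructed sample output, standing in for what list_commit_signatures prints.
SAMPLE_ALL_SIGNED='1111111 G Alice Example <alice@example.com>
2222222 G Bob Example <bob@example.com>'
SAMPLE_WITH_SPOOF='1111111 G Alice Example <alice@example.com>
3333333 N
4444444 U foo <foo@bar.baz>'

if printf '%s\n' "$SAMPLE_ALL_SIGNED" | gate_signatures; then
    echo "sample 1: every commit carries a trusted signature"
fi
if printf '%s\n' "$SAMPLE_WITH_SPOOF" | gate_signatures; then
    echo "sample 2: unexpectedly passed"
else
    echo "sample 2: rejected (one unsigned commit, one signed with an untrusted key)"
fi

# In the pipeline itself (not run here):
#   list_commit_signatures "${CI_RANGE:-origin/main..HEAD}" | gate_signatures || exit 1
```

Two points of the design matter for the audit question. Requiring status `G` rather than accepting `U` is what ties a commit to a person: the name in the author field proves nothing, but a signature only verifies under a key the runner was told to trust. And because the signature is part of the commit object, it survives a repository move between Azure DevOps projects, whereas the "Pushed by" identity the question relies on does not.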