Securing Git Repositories with Gittuf - Aditya Sirish A Yelgundhalli & Billy Lynch
Author: The Linux Foundation
Uploaded: 2024-04-26
Views: 379
Securing Git Repositories with Gittuf - Aditya Sirish A Yelgundhalli, New York University & Billy Lynch, Chainguard
Git is a critical part of our software supply chain: it holds the source code that the rest of the supply chain relies on for CI/CD, IaC, and more. The security of Git repositories today relies on a combination of protections offered by code-hosting sites (GitHub, GitLab, etc.) and features built into Git (commit and tag signatures). Unfortunately, the security properties provided by these features are often hard to verify after the fact, so it is difficult to know which policies were in force when a commit was merged. In this talk, we present gittuf, an OpenSSF sandbox project that provides a security layer for Git repositories. gittuf embeds security policies within a repo to enforce rules such as which keys are trusted to sign commits and tags, or even who is allowed to write to a branch or a file. We'll look at how gittuf can be used to distribute, rotate, and revoke trusted keys (GPG / SSH / Sigstore Gitsign) and policies for the repository. We will demonstrate how gittuf makes policy enforcement transparent, auditable, and open, so that any gittuf user can confirm policy compliance. Finally, we'll explore how gittuf fits into broader software supply chain security efforts such as SLSA, in-toto, and Sigstore.