🚨 Secure Git Guide 🚨

Here we attempt to help any developer to use GIT and GitHub more securely. Any challenges that we are facing in terms of security will be registered here. You will find information on how to use GIT securely in development work. This guide is the result of our team actively developing a pure GIT / GitHub infrastructure for repository optimization and automation during which we encountered security challenges.

This is a website based on a WIP repository where we will be adding new things as we keep developing. The contents takes two forms: articles and lists of resources.

Topics that are covered among others:

• GPG and how we use it for projects.
• GPG basic and more advanced uses in relation to GIT and GitHub.
• GitHub secrets, tokens, etc.
• GIT vs GitHub differences.
• etc.

Suggestions, petitions on articles, contributions, etc 🤓🤡👍

If you would like to contribute with your experience, have a question or would like to make a correction or suggestion. You are more than welcome.

We encourage you to tell us. This is a team effort meant to benefit everyone.

If you would like to do so, please go and open a discussion on the topic, challenge you are facing, improvement we could make etc. We are all ears.

The way we work is simple:

• A new discussion is opened
• We discuss it publicly with you
• If it makes a new addition to the guide we create an issue.
• You can create the new document or extend or amend an existing one

Here is the link to setting up a new discussion, we look forward to it: https://github.com/Nautilus-Cyberneering/secure-git-guide/discussions.

We will be eternally thankful and add you to our credits at the bottom of our index.

Articles 🔑🔒

• What is GPG? (gpg)
• Why we use GPG (gpg, github)
• GPG 101 - How to get your first GPG Keys (gpg)
• How to use GPG with GIT and GitHub (gpg,github)
• Best Practices (gpg)
• Other Uses (gpg)
• How to create a subkey for signing (gpg)
• How to use a signing key independently from the primary key (gpg)
• Git commits partially verified (gpg, github)
• How to remove commits by their commit message (github)
• How to import the dependabot GPG public key (gpg, github)
• How GitHub Actions can get access to secrets (github)
• Sharing GitHub secrets with third-party actions (github, gh-actions)
• How to use Git as a database (git)

Resources

• Curated List of Resources (gpg, github)

Suggestions and Contact

If you would like to contact us or make any suggestions or comments please do so via:

A new issue in our GitHub repository: https://github.com/Nautilus-Cyberneering/secure-git-guide/issues

or

Email: info@nautilus-cyberneering.de

👑👑👑 Credits 👑👑👑

Thank you to all the contributors from our team at Nautilus Cyberneering!!!