Let's say I have a GitHub repository that has a config file for a CI/CD tool, e.g. Jenkins. In my CI/CD pipeline, I have a unit test step, in which all unit tests inside the tests directory of the repository are run. Now in this case, someone malicious who has access to the repository may add a malicious script inside the tests directory. Is there a way to tell GitHub to ignore pushes that have changes to the tests directory?
0
- What if there are legitimate changes to that directory? – Stephen Newell Oct 07 '22 at 15:42
- @StephenNewell maybe the repository owner could specify who is authorized to modify mentioned files. – ssaf Oct 07 '22 at 16:00
1 Answer
2
You don't let malicious people have write access to your repository. Git isn't the right solution here.

YSC
- What if a non-malicious user's laptop has been stolen by a malicious one :) – ssaf Oct 07 '22 at 17:00
- @ssaf - If you're concerned about stolen laptops, disable commits to mainline without a PR. Require encrypted hard drives and strong passphrases on ssh keys. Figure out what threats you're actually concerned about and focus on that, not some hypothetical burglar who happens to figure out they can commit malicious content to a repo before your employee reports the stolen laptop and revokes any credentials on that box. – Stephen Newell Oct 07 '22 at 21:40
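
The comments above raise the idea of restricting who may modify the tests directory and of requiring PRs for mainline. The following is an added example, not part of the original thread, of a CI-side check that flags changes to a protected directory unless they come from an authorized account. The account names, the `PROTECTED_DIRS` and `AUTHORIZED` values, and the sample diff output are constructed for illustration.

```python
"""Added example: gate changes to protected paths on an allowlist of accounts."""
from pathlib import PurePosixPath

PROTECTED_DIRS = ("tests",)            # assumption: the directory from the question
AUTHORIZED = {"alice", "build-admin"}  # hypothetical accounts allowed to change it


def changed_paths(name_status: str):
    """Yield every path touched, given `git diff --name-status` output.

    Rename/copy lines (R100, C75) carry two paths; both count, so moving a
    file into or out of a protected directory is not missed.
    """
    for line in name_status.splitlines():
        fields = line.split("\t")
        if len(fields) < 2:
            continue  # skip blank or malformed lines
        status, paths = fields[0], fields[1:]
        yield from (paths if status[0] in "RC" else paths[:1])


def is_protected(path: str) -> bool:
    # Compare whole path components so "tests_data/" does not match "tests".
    parts = PurePosixPath(path).parts
    return bool(parts) and parts[0] in PROTECTED_DIRS


def violations(name_status: str, actor: str):
    """Return protected paths changed by an actor who is not authorized.

    `actor` must be the identity the CI system authenticated (pusher or PR
    author), not the commit's author field, which the committer chooses.
    """
    if actor in AUTHORIZED:
        return []
    return sorted({p for p in changed_paths(name_status) if is_protected(p)})


# Constructed sample of `git diff --name-status <base>...<head>` output.
SAMPLE = "\n".join([
    "M\tsrc/app.py",
    "A\ttests/test_login.py",
    "R100\tscripts/helper.sh\ttests/helper.sh",
    "M\ttests_data/readme.md",
])

if __name__ == "__main__":
    for path in violations(SAMPLE, actor="mallory"):
        print(f"blocked: {path}")
```

A check like this only helps if the pipeline definition and the script itself are taken from the protected branch rather than from the change under review; otherwise the same push can edit the check.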