Tags: version-control, code-organization, monorepo

How to manage codebase rights with a monorepo?


I need your advice about codebase management and security. I have a monorepo that contains:

  • Several backend services.
  • Frontend projects like the landing page, the users’ documentation, and the web app.
  • Infrastructure described with CDK.

I think it could be dangerous to let every developer in every position (freelance, intern, frontend...) access the entire codebase.

For example, a frontend freelancer should be able to execute backend services without reading the code. Or a designer with competence in JS should be able to update the landing page only.

Is it overkill? Has anyone already tried to use git subtree to keep a monorepo and all the advantages of it, and split every project into its own repository? With that I can set rights by repository and use CI at 2 levels:

  • Unit and functional tests by single repo.
  • e2e and CD on the monorepo.

But it does not solve the problem of execution-only rights. All advice or resources are welcome.


Solution

As outlined in gitnamespaces(7), a user who can read a repository can read everything in it:

    The fetch and push protocols are not designed to prevent one side from stealing data from the other repository that was not intended to be shared. If you have private data that you need to protect from a malicious peer, your best option is to store it in another repository. This applies to both clients and servers.

If you have the need for separate access controls, you'll need to have separate repositories. You may be able to use git subtree to incorporate those repositories into a monorepo, but of course anyone who has read access to the monorepo will have read access to every portion of it.

In addition, providing execute-only access to a repository is impossible. For interpreted languages, it is required that the user have access to read the file because the interpreter must read it. Even for compiled languages, most modern operating systems require read permissions in order to execute the binary. You could provide binaries as artifacts in CI for people without access to that repository to use, provided you're using a compiled language, but this would be a hassle and a dedicated user could still decompile the binary.

I should point out that the way most major companies handle this problem is to use separate repositories for separate access and to use NDAs or other legal mechanisms to ensure code is not exposed. After all, you are trusting your employees to write code that is original, of good quality, and not malicious (and presumably you are compensating them and treating them accordingly). As a result, it's often reasonable to allow developers to access the entire source code of a project they need to work on while also trusting them not to expose it to others.