Prevent spoofing on git repositories on Azure DevOps
It seems pretty easy to spoof other users in a Git repository on Azure DevOps, since there is no built in way of preventing this.
I can change the committer using
git config --global user.email "[email protected]"
git config --global user.name "foo"
And I can change the author using
git commit --author="foo <[email protected]>"
Azure DevOps allows me to simply push these changes. Again, there doesn't seem to be a default way to make ensure commits are really from the claimed author.
Of course, I am shown as the person who pushed them. However, if my repository is ever moved to another Azure DevOps project, this information will not be transferred to the new location, because there the code is pushed by the user performing the move.
If we need to know for sure who changed what code, for auditing reasons, what would be the best approach? Is this at all possible in Azure DevOps with Git? Or do we need to switch to a different source control system?
If we need to know for sure who changed what code, for auditing reasons, what would be the best approach?
You should have your developers cryptographically sign their commits using GPG Keys. See documentation from GitHub, or the Git book, etc.
You should also configure your CI environment to reject commits that do not have a valid signature.
- How to remove file from Git history?
- What is the difference between push.default "matching" and "simple"
- Differences between Commit, Commit and Push, Commit and Sync
- Using 'vue create <projectname>', git add . doesn't seem to work
- Is there a way to use a Mercurial repository as Git submodule?
- Restore a deleted folder in a Git repo
- GitLab SSH Clone Failing
- Why does git status show branch is up-to-date when changes exist upstream?
- How do I undo a revert in Git?
- exclude directory clang format
- Git Bash (mintty) is extremely slow on Windows 10 OS
- How to prevent a Git repository growing above a maximum size?
- I have duplicated commits after pull request, How can I get rid of this?
- Git safe restore to old commit and return to latest
- How to "git merge" without creating a merge commit?
- How to solve "Unable to find git in your PATH" on Flutter?
- git pushes with wrong user from terminal
- Yaml Pipeline: Add condition for each environment to use a specific agent from the agent pool
- Remove a file from Git in Visual Studio
- Adding a README.md file to a c# project in Visual Studio 2015
- How to force git merge to only add one folder
- How do I force "git pull" to overwrite local files?
- Break a previous commit into multiple commits
- Move the most recent commit(s) to a new branch with Git
- GitHub: Working on two branches locally
- Your branch is ahead of 'origin/master' by 3 commits
- Git keeps asking me for my ssh key passphrase
- WinMerge - ignore all whitespace including newlines and formatting changes
- Why is there no "update:" conventional commit? Should we always use "feat:" when updating?
- Shallow AND Sparse GIT Repository Clone