Newsletter #1 (Part-2): Git & GitHub Workflow Deep Dive with DevSecOps Lens

🔄 What is Git and Why Version Control Matters?

Git is a Version Control System (VCS)—also known as a Revision Control System (RCS) or Source Code Manager (SCM). It functions as a repository that tracks and stores all historical versions (commits) of code, enabling you to restore any file to a previous state.

✅ Why Use a VCS Like Git?

• Backup & Recovery – Safeguards your code against loss or crashes.
• Version History – Keeps a detailed log of changes over time.
• Collaboration – Allows multiple developers to work on the same project effectively.
• Project Management – Helps coordinate features, fixes, and releases.

Fun Fact: Git was created by Linus Torvalds in 2005 to manage the development of the Linux kernel.

⚙️ Setting Up Git on Your Machine

To start using Git, you need to install and configure it on your local system:

• 🔽 Download & Install Git:

1. Windows / Mac: Get the installer from git-scm.com/downloads
2. Ubuntu/Linux: Use terminal: sudo apt-get install git

• 💻 Accessing Git Command Line:

1. Windows: Use Git Bash (bundled with the installer)
2. Mac/Linux: Use the Terminal

🛠️ Customize Git Configuration

Set-up User Name of remote repository (GitHub)

• Command: git config --global user.name "your-name"
• What It Does: Sets the global username for commits
• When to Use: When setting up Git for the first time on a machine
• Security Tip: Avoid using fake or shared usernames to maintain audit trails

Set-up Email address of the remote repository account (GitHub)

• Command: git config --global user.email "your-email@youremail.com"
• What It Does: Sets the global email address used in commit history
• When to Use: Required before making any commits
• Security Tip: Use a professional or company-verified email for traceability

🚀 Getting Started with a Local Git Repository

There are two primary ways to begin working with Git locally:

1. 🔧 Start Your Own Project: Initialize a brand-new Git repository in your current directory.
2. 📥 Clone an Existing Project: Copy a project hosted on a Git platform (like GitHub, GitLab, etc.) to your local machine.

🔁 Understanding Git's Three-Tier Architecture

Git works through a three-layered workflow:

• Edit files in the Working Area.
• Stage files with git add → moves them to the Staging Area.
• Commit staged files using git commit → saved to the Local Repository.

🔧How Git Works: Step-by-Step Walkthrough for DevSecOps

This edition provides a hands-on breakdown of how Git workflows function under the hood and how each step impacts your security posture. Let's walk through the full Git journey with security insights for every stage.

Here’s a detailed breakdown of the Git workflow from git init to git push, along with advanced DevOps-level Git skills.

1️⃣ Start a New Repo

• Command: git init
• What It Does: Initializes a new local Git repository (creates .git directory).
• When to Use: Starting a project from scratch.
• Security Tip: Make sure .git folder is never pushed into production environments. Use .gitignore properly to avoid metadata leaks.

2️⃣ Clone an Existing Remote Repo

• Command: git clone <repo-url>
• What It Does: Copies a remote repository to your local machine.
• Example: git clone https://github.com/username/project.git
• Security Tip: Use SSH or PAT (Personal Access Tokens) instead of basic HTTPS with passwords.

3️⃣ Check File Status

• Command: git status
• What It Does: Shows tracked/untracked files and staged/unstaged changes.
• Security Tip: Always check for sensitive files that should be excluded (e.g., .env, secrets.txt).

4️⃣ Stage Changes

• Command: git add <file> or git add .
• What It Does: Moves changes from Working Directory to the Staging Area.
• Security Tip: Double-check what files are staged using git diff --cached to prevent staging secrets.

5️⃣ View Changes Before Commit

• Command: git diff or git diff --staged
• What It Does: Shows what has changed in files (unstaged or staged).
• Security Tip: Review for accidental hardcoded passwords or tokens before committing.

6️⃣ Commit Changes

• Command: git commit -m "message"
• What It Does: Records staged changes to your local repo.
• Security Tip: Use git commit -S to sign commits for non-repudiation.

7️⃣ Push to Remote Repository

• Command: git push origin master/main/branch
• What It Does: Uploads commits from your local repo to the remote (GitHub/GitLab).
• Security Tip: Avoid pushing to protected branches without PR reviews; enable branch protection rules.

8️⃣ Fetch & Merge Remote Changes

• Commands: git fetch or git merge origin/main
• Alternative: git pull
• Purpose: Updates your local code with upstream changes.
• Security Tip: Review incoming changes for integrity, especially on shared machines.

9️⃣ Fork and Pull Requests

• Fork: Clone someone else’s repo under your account (via GitHub).
• Pull Request (PR): Propose your changes to the original repo.
• Use case: Secure collaboration in open-source or enterprise workflows.
• Security Tip: Always scan forked PRs with static analysis tools and enable review workflows for external contributors.

🔧 Advanced Git Skills for DevOps Engineers

🌿 Branching for Feature Isolation

• Command: git checkout -b feature-login
• Why: Keeps new features separate from production/stable code.
• Security Tip: Lock down long-lived branches from direct writes.

🏷️ Using Tags for Release Management

• Command: git tag v1.0 and git push origin v1.0
• Why: Useful for CI/CD pipeline versioning.
• Security Tip: Enforce signed tags for release integrity.

⚔️ Merge Conflicts Resolution

• Why: Happens when two branches modify the same line(s).
• Security Tip: Always manually validate conflicts, especially in IaC files.

🔁 Rebasing for Clean History

• Command: git rebase main
• Use case: Rewrites your commits to sit on top of another branch.
• Security Tip: Avoid rebasing shared branches to prevent confusion and potential code loss.

🍒 Cherry-Pick Specific Commits

• Command: git cherry-pick <commit-hash>
• Why: Pull just one commit from one branch into another that means apply specific changes without full merges.
• Security Tip: Validate cherry-picked commits for outdated or unverified code.

🔐 What is a Git Hook?

A Git hook is a script that Git automatically executes before or after certain Git events such as commit, push, merge, or rebase. These hooks are located in the .git/hooks directory of every Git repository.

🧠 Why Use Git Hooks?

Git hooks allow you to:

• Enforce standards before code is committed or pushed.
• Automate checks (security, formatting, testing).
• Prevent mistakes like committing secrets or insecure code.

🛡️ Security Perspective of hook in DevSecOps

In the DevSecOps workflow, security should shift left—as early in the development process as possible. Git hooks allow local enforcement of security policies before the code even leaves your machine.

🔐 Key Benefits:

🔐 Setting Up Git Hooks for DevSecOps

Detailed Git Hook setup steps based on DevSecOps context:

✅ 1. Navigate to Git Hook Directory

bash
cd your-project/.git/hooks        

✅ 2. Create a Pre-push Hook File

bash
touch pre-push        

✅ 3. Add Security Scanning Commands

Edit the pre-push file and add:

bash
#!/bin/bash 
echo "🔒 Running DevSecOps checks before push..." 

# Scan file system for vulnerabilities 
trivy fs . 

# Check Infrastructure-as-Code (e.g., Terraform) 
checkov -d . 

# Scan Python source code for security flaws 
bandit -r . 

echo "✅ All security checks passed!"        

✅ 4. Make the Hook Executable

bash
chmod +x pre-push        

✅ 5. Test the Hook

Try a git push — the script should run automatically before pushing your commits.

🛡️ Git Hook Use Case in DevSecOps

Git hooks help you shift security left by:

• Preventing secrets or misconfigurations from being pushed
• Running local scans before triggering CI/CD pipelines
• Catching issues early to reduce downstream vulnerabilities
• Automatically catch an open security group in Terraform via Checkov.
• Detect a vulnerable Python library via Bandit.
• Scan container-related files using Trivy.

Thus, before code reaches the CI/CD pipeline, you’ve already gated it with security.

🚀 Pro Tip for DevSecOps Pipelines

Use pre-commit or pre-push hooks to enforce:

• Secret scans (truffleHog, gitleaks)
• Code formatting (black, prettier)
• Linting (flake8, eslint)
• Unit tests before pushing

💬 Final Thoughts

Git is far more than a version control system—it’s the foundation of collaborative, automated, and secure DevOps workflows. From setting up your first local repository to integrating security checks with Git Hooks, each step of the Git journey plays a vital role in modern DevSecOps.

By embedding security into every phase—from commit to push, pull request to release tagging—you shift security left and reduce risks before they reach production.

Empowering developers with Git skills and security awareness ensures smoother releases, safer applications, and resilient pipelines.

Let Git be your source of truth, and GitHub your engine of collaboration—secured from the very first commit.

📩 Subscribe to DevSecOps Chronicles for deep dives into Git & GitHub workflows, security-first DevOps practices, and practical Git hook implementations — every week, by me, Nur Mohammad.