Git configuration exposure
What this means
Git configuration exposure is a security weakness in which the .git directory of a repository, or a copy of it, is reachable through a web server. An attacker typically detects it by requesting the .git/config file and receiving its contents instead of an error.
It can lead to unauthorised access to sensitive source code and Git-related files, such as .git/config, .gitignore or the entire .git directory, on publicly accessible web servers or repositories.
These files can contain critical information, such as repository configuration, remote repository URLs, or even sensitive data accidentally committed, like API keys or credentials.
Why this is a problem
Unauthorised access to the .git directory lets an attacker reconstruct and download the complete source code of the repository, usually including its commit history. Directory listing does not need to be enabled for this: the index and object files can be fetched individually by name. This exposes proprietary code, scripts and configuration files, and with them:
- sensitive data exposure – Git repositories often store sensitive information such as API keys, database credentials, and access tokens, which can be exploited by attackers
- intellectual property risks – proprietary code, algorithms, and other intellectual property can be stolen if an attacker gains access to an exposed Git repository
- exploitation of security weaknesses – exposed source and commit history can reveal vulnerabilities, configuration errors, or hardcoded secrets, including secrets that were later removed from the working tree but remain in earlier commits
How to check if the problem is there
You can check whether Git exposure is an issue in your environment by:
- scanning for the vulnerability
- reviewing the web server configuration
Scanning for the vulnerability
Use tools like git-extractor or git-dumper to identify accessible .git directories and retrieve their content. A simpler first check is to request /.git/HEAD or /.git/config directly: a 200 response whose body begins with "ref: refs/" or "[core]" confirms that the directory is being served, while a 403 or 404 means it is blocked or absent. Check the body and not only the status code, because some sites answer every unknown path with a 200 error page.
Employ web vulnerability scanners to identify exposed Git files.
Review web server configuration
Verify that the web server configuration explicitly blocks access to the .git directory and its contents, and also to loose Git files such as .gitignore and .gitattributes, rather than assuming a default rule blocks them.
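The check described in the two subsections above, as an added shell example that is not part of the original page and is not one of the tools it names: it fetches /.git/HEAD and /.git/config and classifies each response by its body rather than by status code alone, so a catch-all 200 error page is not mistaken for exposure. The target URL, the user agent string and the sample config are assumptions; the sample config is constructed for the example.

```shell
#!/usr/bin/env bash
# Added example, not part of the original page: probe a site for a served
# .git directory. The target URL, user agent and timeouts are assumptions.
set -u

# A real .git/config starts with a [core] section and carries a
# repositoryformatversion key; an HTML error page served with status 200
# (a "soft 404") does not.
looks_like_git_config() {
  case "$1" in
    *'[core]'*'repositoryformatversion'*) return 0 ;;
    *) return 1 ;;
  esac
}

# .git/HEAD is either "ref: refs/heads/<branch>" or a bare 40-hex commit id.
looks_like_git_head() {
  printf '%s\n' "$1" | grep -Eq '^(ref: refs/|[0-9a-f]{40}$)'
}

# Classify one response. Prints EXPOSED, BLOCKED, ABSENT, SOFT-404 or OTHER.
# A 200 only counts as exposure when the body is genuine Git metadata.
classify_response() {
  local status="$1" path="$2" body="$3"
  case "$status" in
    401|403) echo BLOCKED ;;
    404|410) echo ABSENT ;;
    200)
      case "$path" in
        */config) if looks_like_git_config "$body"; then echo EXPOSED; return 0; fi ;;
        */HEAD)   if looks_like_git_head "$body";   then echo EXPOSED; return 0; fi ;;
      esac
      echo SOFT-404 ;;
    *) echo "OTHER($status)" ;;
  esac
}

# Live check (needs network). These two files prove exposure without any
# directory listing; git-dumper and similar tools start the same way.
probe_git_exposure() {
  local base="${1%/}" path tmp status body
  for path in /.git/HEAD /.git/config; do
    tmp=$(mktemp)
    status=$(curl -sS -o "$tmp" -w '%{http_code}' --max-time 10 \
                  -A 'git-exposure-check' "$base$path") || status=000
    body=$(cat "$tmp"); rm -f "$tmp"
    printf '%-13s %s %s\n' "$path" "$status" "$(classify_response "$status" "$path" "$body")"
  done
}

# Constructed sample of what an exposed .git/config typically contains.
SAMPLE_CONFIG='[core]
    repositoryformatversion = 0
    filemode = true
    bare = false
[remote "origin"]
    url = https://git.example.internal/team/webapp.git
    fetch = +refs/heads/*:refs/remotes/origin/*'

# Offline demonstration on the constructed sample and on a soft-404 body:
classify_response 200 /.git/config "$SAMPLE_CONFIG"                        # EXPOSED
classify_response 200 /.git/config '<html><body>Not Found</body></html>'  # SOFT-404

if [ -n "${1:-}" ]; then
  probe_git_exposure "$1"    # e.g. ./git-exposure-check.sh https://www.example.com
fi
```

Run it with the base URL of the site as the only argument; EXPOSED on either path means the whole directory should be assumed downloadable.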
How to fix this
Configure your web server to block access
Ensure your web server’s configuration explicitly denies public requests to the .git directory and its contents, as well as loose Git files such as .gitignore, in every virtual host that serves application code.
Deploy only the necessary files
Use a deployment process that copies only the required application files to your production server, leaving out the entire .git directory and other development-related files.
Remove the .git directory from the production server
If the directory has already been exposed, the immediate fix is to delete it from the live server. Deleting it does not undo a download that has already taken place, so treat the repository contents and history as disclosed and rotate any credentials they contain.
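The three fixes above (block the directory, deploy only what the application needs, remove what is already live) as one added shell example, followed by a verification probe. This is not code from the original page; the web root paths, the snippet file locations and the exclude list are assumptions, and the nginx rule returns 404 rather than 403 so that a scanner gets no confirmation that the directory exists.

```shell
#!/usr/bin/env bash
# Added example, not part of the original page: ship a release without the
# .git directory, deny web access to it, and strip any copy already live.
# Paths, server layout and the exclude list are assumptions.
set -u

# nginx: one rule for every URI containing "/.git" covers .git/, .gitignore,
# .gitattributes and .gitmodules. Returning 404 rather than "deny all" (403)
# avoids confirming to a scanner that the directory exists.
write_nginx_deny_snippet() {
  cat > "$1" <<'EOF'
# include inside each server {} block
location ~ /\.git {
    return 404;
}
EOF
}

# Apache 2.4 equivalent. Put it in httpd.conf or the vhost rather than in
# .htaccess, which AllowOverride None would silently disable.
write_apache_deny_snippet() {
  cat > "$1" <<'EOF'
<DirectoryMatch "/\.git">
    Require all denied
</DirectoryMatch>
<FilesMatch "^\.git">
    Require all denied
</FilesMatch>
EOF
}

# Copy only the application tree into the web root. Anything matching an
# exclude never reaches the server, so there is nothing to block later.
# tar is used instead of rsync so the example has no extra dependency.
deploy_release() {
  local src="$1" dest="$2"
  mkdir -p "$dest"
  ( cd "$src" && tar --exclude='.git' --exclude='.gitignore' \
        --exclude='.gitattributes' --exclude='.gitmodules' \
        --exclude='.env' --exclude='tests' -cf - . ) \
    | tar -C "$dest" -xf -
}

# Emergency fix for a web root that already went live with its repository:
# remove every .git directory and stray Git metadata file beneath it.
# Anything that was in there must be treated as disclosed; rotate secrets.
strip_git_from_webroot() {
  local root="$1"
  find "$root" -type d -name '.git' -prune -exec rm -rf '{}' +
  find "$root" -type f \( -name '.gitignore' -o -name '.gitattributes' \
                         -o -name '.gitmodules' \) -exec rm -f '{}' +
}

# After reloading the server, confirm the files are no longer served.
# Needs network; returns non-zero if any probe gets something other than 403/404.
verify_git_blocked() {
  local base="${1%/}" path code rc=0
  for path in /.git/HEAD /.git/config /.gitignore; do
    code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$base$path") || code=000
    case "$code" in
      403|404) printf 'OK    %s -> %s\n' "$path" "$code" ;;
      *)       printf 'CHECK %s -> %s\n' "$path" "$code"; rc=1 ;;
    esac
  done
  return "$rc"
}

# Usage with assumed paths:
#   deploy_release ./checkout /var/www/app
#   write_nginx_deny_snippet /etc/nginx/snippets/deny-git.conf && nginx -t && nginx -s reload
#   strip_git_from_webroot /var/www/app
#   verify_git_blocked https://www.example.com
```

The deploy step is the durable fix: the web server rule protects only the hosts it is installed on, while a release that never contains .git cannot leak it from any host.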
Use a .gitignore file and secret management
Prevent sensitive information, such as API keys and passwords, from ever being committed to the repository’s history by listing local configuration and credential files (for example .env) in .gitignore and keeping secrets in a secret management tool rather than in the code. A secret removed in a later commit is still present in the history, so a secret that has been committed must be rotated, not just deleted.