Git stores the author and committer name and email as free-form metadata supplied by the client, and nothing in the commit object itself binds that metadata to the person who actually pushed it. An attacker with push access can therefore set `user.name` and `user.email` (or pass `--author`) to the values of a legitimate maintainer and produce commits that appear, in history and in code review, to come from that person. Because the spoofed metadata is carried inside the commit, it survives clones, mirrors and forks.
ID: T0195
Type: Technique
Tactic: Defense Evasion
Summary: Spoofed Commits
State: Draft
Mitigations

ID: M1731
Type: Mitigation
Summary: Implement verification of signed commits
Description: Signing commits, or requiring that commits be signed, gives other users confidence about the origin of a specific code change. A signature binds the commit content and its author metadata to a key, so the author cannot be silently replaced, and the version control platform can verify the signature against the keys registered to that user. Note that a signature by itself does not establish trust: an attacker can sign a spoofed commit with their own key, so verification must also check that the signing key belongs to the account named as author. For each repository in use, enforce the branch protection rule of requiring signed commits, and make sure only commits with a verified signature are capable of merging.
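The policy check below is an added example and is not part of OSC&R or of any particular VCS platform's tooling. It assumes commit records produced by a hypothetical command line such as `git log --format='%H%x1f%an%x1f%ae%x1f%G?%x1f%GK' <base>..<head>`, where `%G?` is git's signature status code (`G` good and trusted, `U` good but untrusted, `N` unsigned) and `%GK` is the fingerprint of the signing key; the log lines and the key-to-email table are constructed for the example. It rejects unsigned commits, commits whose signature is not fully trusted, commits signed with a key that is not registered to any user, and commits whose author email does not match the registered owner of the signing key, which is the case a spoofed-but-signed commit falls into.

```python
"""Signed-commit policy check (added example, not OSC&R's own tooling)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Constructed for the example: signing-key fingerprint -> email of the
# account the key is registered to. In practice this table comes from the
# VCS platform's registered signing keys, not from the repository itself.
TRUSTED_KEYS = {
    "A1B2C3D4E5F60718293A4B5C6D7E8F9011223344": "alice@example.com",
}

GOOD = "G"      # git %G? code: valid signature from a fully trusted key
UNSIGNED = "N"  # git %G? code: no signature at all


@dataclass(frozen=True)
class Commit:
    sha: str
    author_name: str
    author_email: str
    sig_status: str
    key_fpr: str


def parse_log(text: str) -> list[Commit]:
    """Parse records of five fields separated by the 0x1f unit separator."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\x1f")
        if len(fields) != 5:
            raise ValueError(f"malformed record: {line!r}")
        commits.append(Commit(*fields))
    return commits


def check_commit(c: Commit) -> Optional[str]:
    """Return None if the commit passes the policy, else the rejection reason."""
    if c.sig_status == UNSIGNED:
        return "unsigned"
    if c.sig_status != GOOD:
        return f"signature status {c.sig_status} is not trusted"
    bound_email = TRUSTED_KEYS.get(c.key_fpr.upper())
    if bound_email is None:
        return "signed with a key not registered to any user"
    if bound_email.lower() != c.author_email.lower():
        # The author metadata was spoofed even though the signature is valid.
        return f"author {c.author_email} does not match key owner {bound_email}"
    return None


def reject_unverified(text: str) -> dict[str, str]:
    """Map sha -> reason for every commit in the log that fails the policy."""
    result = {}
    for c in parse_log(text):
        reason = check_commit(c)
        if reason is not None:
            result[c.sha] = reason
    return result


# Constructed sample log: one legitimate commit and three spoofing attempts.
SEP = "\x1f"
SAMPLE_LOG = "\n".join([
    SEP.join(["1111", "Alice", "alice@example.com", "G",
              "A1B2C3D4E5F60718293A4B5C6D7E8F9011223344"]),
    # Spoofed author, no signature at all.
    SEP.join(["2222", "Alice", "alice@example.com", "N", ""]),
    # Spoofed author, signed with the attacker's own key.
    SEP.join(["3333", "Alice", "alice@example.com", "G",
              "DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF"]),
    # Alice's registered key signing a commit that claims to be from Bob.
    SEP.join(["4444", "Bob", "bob@example.com", "G",
              "A1B2C3D4E5F60718293A4B5C6D7E8F9011223344"]),
])

if __name__ == "__main__":
    for sha, reason in reject_unverified(SAMPLE_LOG).items():
        print(f"reject {sha}: {reason}")
```

Run this over the commits between the protected branch and the proposed merge, and fail the merge if the returned mapping is non-empty. The key-to-email table is the part that matters: without it, a `G` status only says the signature is cryptographically valid, not that the key belongs to the named author.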