Source Code Disclosure - Git

ID

source_code_disclosure_git

Severity

critical

Kind

Information Disclosure

CWE

541

Description

The web server serves Git repository metadata files such as .git/config or .git/HEAD, usually because the .git directory was copied to the document root along with the application. Once those files are readable, an attacker can walk the repository (HEAD, refs, packed refs, the index and the object store) and reconstruct the entire source tree and its history, even when directory listing is disabled. This detector identifies when Git version control files are accessible through direct web requests.
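The following is an added illustration of the check such a detector performs; it is not the detector's own code. Rather than trusting an HTTP 200 alone (many servers answer 200 with an HTML error page for any path), it confirms that the body is actually a Git HEAD or config file, and it parses the config to show what a leaked copy reveals. The sample responses, paths and remote URL are constructed for the example.

```python
import re
from typing import Optional

# Constructed sample responses, not captured from any real host.
# Keys are request paths; values are (HTTP status, response body).
SAMPLE_RESPONSES = {
    "/.git/HEAD": (200, "ref: refs/heads/main\n"),
    "/.git/config": (
        200,
        "[core]\n"
        "\trepositoryformatversion = 0\n"
        "\tfilemode = true\n"
        "\tbare = false\n"
        "[remote \"origin\"]\n"
        "\turl = git@git.example.invalid:acme/webapp.git\n"
        "\tfetch = +refs/heads/*:refs/remotes/origin/*\n",
    ),
    # A "soft 404": status 200 but an HTML error page. A status-only
    # check would report this as disclosure; the body check does not.
    "/.git/index": (200, "<html><body><h1>Not Found</h1></body></html>\n"),
}

# HEAD is either a symbolic ref ("ref: refs/heads/<branch>") or a detached
# object id (40 hex chars in SHA-1 repos, 64 in SHA-256 repos).
_SYMREF = re.compile(r"\Aref: refs/[^\s]+\s*\Z")
_OBJECT_ID = re.compile(r"\A(?:[0-9a-f]{40}|[0-9a-f]{64})\s*\Z")

# Git config is INI-like: [section] or [section "subsection"], then key = value.
_SECTION = re.compile(r"\A\[([^\]\s]+)(?:\s+\"([^\"]*)\")?\]\s*\Z")
_KEYVAL = re.compile(r"\A([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*\Z")


def looks_like_git_head(body: str) -> bool:
    """True when the body has the exact shape of a .git/HEAD file."""
    return bool(_SYMREF.match(body) or _OBJECT_ID.match(body))


def parse_git_config(body: str) -> dict:
    """Minimal git config parser: {'core': {...}, 'remote "origin"': {...}}."""
    sections, current = {}, None
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = _SECTION.match(line)
        if m:
            name, sub = m.group(1).lower(), m.group(2)
            current = f'{name} "{sub}"' if sub is not None else name
            sections.setdefault(current, {})
            continue
        m = _KEYVAL.match(line)
        if m and current is not None:
            sections[current][m.group(1).lower()] = m.group(2)
    return sections


def looks_like_git_config(body: str) -> bool:
    """A real repository config always carries core.repositoryformatversion."""
    return "repositoryformatversion" in parse_git_config(body).get("core", {})


def leaked_remotes(body: str) -> list:
    """Remote URLs in a leaked config: they name the upstream and may embed tokens."""
    cfg = parse_git_config(body)
    return [v["url"] for k, v in cfg.items() if k.startswith("remote ") and "url" in v]


def classify(path: str, status: int, body: str) -> Optional[str]:
    """Return a finding label, or None when the response is not a Git artifact."""
    if status != 200:
        return None
    if path.endswith("/.git/HEAD") and looks_like_git_head(body):
        return "git-head"
    if path.endswith("/.git/config") and looks_like_git_config(body):
        return "git-config"
    return None


def scan(responses: dict) -> dict:
    """Classify every (status, body) pair keyed by request path."""
    return {p: classify(p, s, b) for p, (s, b) in responses.items()}


if __name__ == "__main__":
    for path, finding in scan(SAMPLE_RESPONSES).items():
        print(f"{path}: {finding or 'not a git artifact'}")
    print("remote URLs:", leaked_remotes(SAMPLE_RESPONSES["/.git/config"][1]))
```

In a live scan the bodies would come from GET requests for the two paths under each discovered web root; the content checks are what keep the finding from firing on catch-all 200 pages, and a positive HEAD or config hit is enough to report, since the rest of the repository follows from them.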

Rationale

Accessible Git metadata allows attackers to download the complete repository history, including deleted files, source comments, and commit messages. From that history they can extract hardcoded credentials, API keys, encryption keys, and proprietary logic, even where those secrets were later removed from the working tree. The commit history may also reveal which commits fixed security bugs, telling attackers what remains unpatched in older deployments or related systems, and remote URLs in .git/config name the upstream repository and sometimes embed access tokens.

Remediation

Ensure that Git metadata files are never deployed to the web server or application server. Build deployment packages from a clean export of the tree (for example with git archive) rather than by copying a working clone, and as defence in depth configure the web server to refuse any request whose path contains a .git segment, preferably with a 404 so the rule itself is not fingerprintable. Verify the fix by requesting /.git/HEAD and /.git/config directly. If the repository was reachable, treat every secret in its history as compromised and rotate it; removing the files from the server does not recall what was already downloaded.