Unsigned commit
ID | unsigned_commit
Severity | high
Resource | Branch
Description
Detects whether a pushed commit is unsigned.
Git accepts any user.name and user.email without verifying them, so a bad actor can spoof commits and impersonate any author they choose.
When commits are signed, the author of each commit can be verified against a known key, allowing the organization to trust the authorship of the changes.
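The check this policy describes can be reproduced on the CI or server side by asking git for each pushed commit's signature-verification status and flagging anything that is not a good signature. The block below is an added example, not code from the policy's own implementation. It relies on two real `git log` format placeholders, `%G?` (one-letter signature status: G good, B bad, U good but untrusted key, X good but expired, Y good but expired key, R good but revoked key, E cannot be checked, N no signature) and `%GS` (signer name); the `SAMPLE_LOG` text, its hashes and signer names are constructed for the demonstration, and `audit_range` is only a convenience wrapper that needs a real repository.

```python
"""Classify commits in a pushed range by git's signature-verification status
(added example for the unsigned_commit policy; not the policy engine's code)."""
import subprocess
from dataclasses import dataclass

# Tab-separated so that signer names containing spaces parse cleanly.
LOG_FORMAT = "%H%x09%G?%x09%GS%x09%s"

# "G" is a verified signature from a key git trusts. "U" (good signature,
# untrusted key) is accepted only when trust is established elsewhere, e.g.
# an SSH allowed_signers file or the hosting platform's registered keys.
TRUSTED = {"G"}
UNTRUSTED_OK = {"U"}


@dataclass
class Commit:
    sha: str
    status: str   # one letter from %G?
    signer: str   # from %GS, empty when unsigned
    subject: str


def parse_log(text: str) -> list[Commit]:
    """Parse `git log --format=LOG_FORMAT` output into Commit records."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, status, signer, subject = line.split("\t", 3)
        commits.append(Commit(sha, status, signer, subject))
    return commits


def find_violations(commits: list[Commit], allow_untrusted: bool = False) -> list[Commit]:
    """Return every commit whose signature status does not satisfy the policy."""
    ok = TRUSTED | (UNTRUSTED_OK if allow_untrusted else set())
    return [c for c in commits if c.status not in ok]


def describe(commit: Commit) -> str:
    """Human-readable finding for one violating commit."""
    reasons = {
        "N": "no signature",
        "B": "bad signature",
        "U": "good signature from an untrusted key",
        "X": "good signature, expired",
        "Y": "good signature, signing key expired",
        "R": "good signature, signing key revoked",
        "E": "signature could not be checked (key not available?)",
    }
    reason = reasons.get(commit.status, "unknown status")
    return f"{commit.sha[:12]} {reason}: {commit.subject}"


def audit_range(rev_range: str, allow_untrusted: bool = False) -> list[Commit]:
    """Run git on a real repository (e.g. 'origin/main..HEAD' in a pre-receive
    hook or CI job) and return the violating commits. Not used by the sample."""
    out = subprocess.run(
        ["git", "log", f"--format={LOG_FORMAT}", rev_range],
        check=True, capture_output=True, text=True,
    ).stdout
    return find_violations(parse_log(out), allow_untrusted)


# Constructed sample of what `git log` could print for a three-commit push
# (placeholder hashes and names, not real commits).
SAMPLE_LOG = (
    "1111111111111111111111111111111111111111\tG\tAlice Example <alice@example.test>\tAdd input validation\n"
    "2222222222222222222222222222222222222222\tN\t\tHotfix: bump version\n"
    "3333333333333333333333333333333333333333\tU\tBob Example <bob@example.test>\tRefactor parser\n"
)

if __name__ == "__main__":
    for c in find_violations(parse_log(SAMPLE_LOG)):
        print("POLICY unsigned_commit:", describe(c))
```

On the constructed sample the strict policy reports the unsigned hotfix and the untrusted-key refactor; with `allow_untrusted=True` only the unsigned commit remains. Note that `%G?` reports `E` when the verifying tool or key is absent on the machine running the check, so a server-side job needs the signers' public keys (or the SSH allowed_signers file) installed to distinguish "unsigned" from "unverifiable".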
Impact
An unsigned commit can have a wide range of negative impacts on an organization. Here are some examples:
- Security Breach: The commit may introduce security vulnerabilities into an organization’s codebase. Malicious actors may exploit these vulnerabilities to gain unauthorized access to the organization’s systems, steal sensitive data, or cause other types of harm.
- Compliance Issues: The commit may violate regulatory or compliance requirements, so it may expose the organization to legal liabilities, fines, or other penalties.
- Operational Disruptions: The commit may cause unexpected errors, crashes, or downtime in the organization’s systems, disrupting business operations and causing financial losses.
- Reputational Damage: If the commit results in a high-profile security breach or operational disruption, it may damage the organization’s reputation and erode customer trust.
- Delayed Detection of Issues: Because the commit was not subject to the usual review and testing processes, issues such as bugs or performance problems may go unnoticed until they cause significant problems in production.