
Decentralizing Git security mitigates supply‑chain risks tied to compromised forges, strengthening software integrity for enterprises. This shift enables more resilient development pipelines across the industry.
Git’s dominance in software development makes its underlying infrastructure a prime target for supply‑chain attacks. Traditional forges such as GitHub, GitLab, and Bitbucket act as de facto trusted third parties, yet they offer no open protocol for proving repository integrity. This opacity creates a single point of failure: if a forge is compromised, attackers can inject malicious code without detection. The gittuf framework addresses this gap by introducing a decentralized trust model that distributes policy responsibilities across all contributors, eliminating the need for a monolithic arbiter.
At the core of gittuf is a cryptographic policy engine that allows developers to declare, manage, and enforce security rules locally. Each push is signed and verified against the collectively agreed policies, so unauthorized branch, tag, or commit modifications are rejected before they enter the codebase. The design also records repository activity in a tamper‑evident ledger, preventing any single entity from rewriting history. Real‑world testing on massive repositories like Git and Kubernetes shows that gittuf adds less than 4% storage overhead and verifies pushes in under 0.59 seconds, demonstrating that robust security need not sacrifice performance.
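The policy-plus-ledger check described above, as an added illustration in Go (gittuf's own implementation language) that is not gittuf's code: a constructed model in which each push is recorded as a signed, hash-chained ledger entry and the whole ledger is replayed against ordered rules mapping ref globs to authorized keys. The `Rule`, `Entry`, `Sign` and `Verify` names, the payload layout, and the first-matching-rule semantics are assumptions of this model, not gittuf's own format.

```go
package main
import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"path"
)
// Rule lets the keys in Keys (raw public-key bytes) update refs matching the path glob Pattern.
type Rule struct {
	Pattern string
	Keys    map[string]bool
}
// Entry is one ledger record: Ref moved to Target, chained to the previous entry by Prev (its ID).
type Entry struct {
	Ref, Target, Prev string
	Signer            ed25519.PublicKey
	Sig               []byte // Signer's signature over payload()
}
func (e Entry) payload() []byte { return []byte(e.Ref + "\x00" + e.Target + "\x00" + e.Prev) }
// ID hashes payload and signature, so the next entry commits to this one unchanged.
func (e Entry) ID() string { s := sha256.Sum256(append(e.payload(), e.Sig...)); return hex.EncodeToString(s[:]) }
// Sign records a push of ref to target; prev is the previous entry's ID ("" at genesis).
func Sign(priv ed25519.PrivateKey, ref, target, prev string) Entry {
	e := Entry{Ref: ref, Target: target, Prev: prev, Signer: priv.Public().(ed25519.PublicKey)}
	e.Sig = ed25519.Sign(priv, e.payload())
	return e
}
// authorized applies the first rule matching the ref; a ref no rule covers is denied by default.
func authorized(rules []Rule, e Entry) bool {
	for _, r := range rules {
		if ok, _ := path.Match(r.Pattern, e.Ref); ok {
			return r.Keys[string(e.Signer)]
		}
	}
	return false
}
// Verify replays the ledger from genesis: chain continuity, signature validity, then policy.
func Verify(rules []Rule, log []Entry) error {
	prev := ""
	for i, e := range log {
		if e.Prev != prev || !ed25519.Verify(e.Signer, e.payload(), e.Sig) {
			return fmt.Errorf("entry %d: broken chain or bad signature", i)
		}
		if !authorized(rules, e) {
			return fmt.Errorf("entry %d: signer not authorized for %s", i, e.Ref)
		}
		prev = e.ID()
	}
	return nil
}
```

Because every entry commits to its predecessor's ID, changing an old entry invalidates both its signature and the chain, which is what stops a single party from quietly rewriting history.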
The broader implications for the industry are significant. By removing the reliance on centralized forges, organizations can build more resilient DevOps pipelines that withstand insider threats and external breaches. Adoption of decentralized Git security could become a new baseline for compliance frameworks, especially in regulated sectors where software provenance is critical. As supply‑chain attacks continue to rise, tools like gittuf provide a pragmatic path toward trustworthy, verifiable code delivery without overhauling existing workflows.