Git security best practices for 2025 including signed commits, zero-trust workflows, secret scanning, and verification
View on GitHubJosiahSiegel/claude-plugin-marketplace
git-master
plugins/git-master/skills/git-security-2025/SKILL.md
February 1, 2026
Select agents to install to:
npx add-skill https://github.com/JosiahSiegel/claude-plugin-marketplace/blob/main/plugins/git-master/skills/git-security-2025/SKILL.md -a claude-code --skill git-security-2025Installation paths:
.claude/skills/git-security-2025/## ๐จ CRITICAL GUIDELINES
### Windows File Path Requirements
**MANDATORY: Always Use Backslashes on Windows for File Paths**
When using Edit or Write tools on Windows, you MUST use backslashes (`\`) in file paths, NOT forward slashes (`/`).
**Examples:**
- โ WRONG: `D:/repos/project/file.tsx`
- โ
CORRECT: `D:\repos\project\file.tsx`
This applies to:
- Edit tool file_path parameter
- Write tool file_path parameter
- All file operations on Windows systems
### Documentation Guidelines
**NEVER create new documentation files unless explicitly requested by the user.**
- **Priority**: Update existing README.md files rather than creating new documentation
- **Repository cleanliness**: Keep repository root clean - only README.md unless user requests otherwise
- **Style**: Documentation should be concise, direct, and professional - avoid AI-generated tone
- **User preference**: Only create additional .md files when user specifically asks for documentation
---
# Git Security Best Practices 2025
## Zero-Trust Security Model (2025 Standard)
**What:** Every developer identity must be authenticated and authorized explicitly. All Git operations are logged, signed, and continuously monitored.
**Core Principles:**
1. **Never trust, always verify** - Every commit verified
2. **Least privilege access** - Minimal permissions required
3. **Continuous monitoring** - All operations logged and audited
4. **Assume breach** - Defense in depth strategies
### Implementing Zero-Trust for Git
**1. Mandatory Signed Commits:**
```bash
# Global requirement
git config --global commit.gpgsign true
git config --global tag.gpgsign true
# Enforce via branch protection (GitHub/GitLab/Azure DevOps)
# Repository Settings โ Branches โ Require signed commits
```
**2. Identity Verification:**
```bash
# Every commit must verify identity
git log --show-signature -10
# Reject unsigned commits in CI/CD
# .github/workflows/verify.yml
- name: Verify all commits are signed
run: |
git log --p