GitBark : A Rule-Based Framework for Maintaining Integrity in Source Code Repositories

Abstract: In today’s digital landscape, maintaining the integrity of source code is crucial for delivering reliable and trustworthy software solutions. However, the increasing prevalence of attacks targeting source code repositories and version control systems (VCSs) poses significant challenges to source code integrity. Unauthorized access to source code repositories can lead to various security risks, including the introduction of malicious code or unauthorized approvals for pull requests. Security measures implemented on the remote server hosting the repository are typically insufficient to detect these types of attacks, resulting in changes potentially remaining undetected and becoming part of the deployed artifact. To address those issues, this study proposes GitBark, a framework that employs cryptographic methods to verify the integrity of a source code repository. GitBark achieves this by enforcing rules and policies on the commits made to the repository. Specifically, the study demonstrates that by formulating rules that utilize digital signatures, GitBark can effectively identify unauthorized changes and approvals. Moreover, GitBark prioritizes maintaining the local repository in a consistent and trustworthy state, reducing reliance on the remote server. Even if changes violating established rules are introduced to the remote repository, GitBark prevents their integration into the local repository. Consequently, users of GitBark can have confidence that their local repository remains a consistent and trustworthy version of the source code, without needing to place full trust on a remote server. An evaluation of GitBark, along with the devised rules, demonstrates its effectiveness in mitigating the threats identified in this study. Additionally, in terms of performance, GitBark incurs a modest overhead, both in time and storage.