- Spoofed Commits
Git does not authenticate the author and committer fields of a commit: they are free-form metadata written by the client from its user.name and user.email settings (or overridden with git commit --author or the GIT_AUTHOR_NAME and GIT_AUTHOR_EMAIL variables). An attacker who can push to a repository, or open a pull request, can therefore make their own code appear to come from a legitimate user simply by setting that user's name and email on the commit. A hosting platform that maps commit emails to accounts will then display the commit under the impersonated user's profile, and a reviewer scanning the history sees a trusted name.
Tactic: Defense Evasion
Summary: Spoofed Commits
Implement verification of signed commits
Signing commits (with a GPG, SSH or S/MIME key), and requiring that commits be signed, gives other users confidence about the origin of a code change. The signature covers the whole commit object, including the author and committer fields, so the author can no longer be altered without invalidating it, and anyone holding the signer's public key can check it, for example with git verify-commit or git log --show-signature. Two caveats apply. A valid signature only proves possession of some key, so it must be checked against the key registered for the claimed user on the hosting platform, not against any key at all. And an attacker who cannot forge a signature will simply push an unsigned commit, so unsigned commits must be rejected, not merely shown without a verification badge. For each repository in use, enforce the branch protection rule that requires signed commits, and make sure only signed commits can be merged into protected branches.
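The following Go program, added here as an illustration and not taken from this page or from git's own code, shows what the rule above actually checks. It builds a commit object in git's raw format, signs it the way git does with gpg.format=ssh (the OpenSSH SSHSIG layout from PROTOCOL.sshsig, base64-armored into a multi-line gpgsig header), and then verifies the stored object against a registry that maps an author email to that user's registered public key. The registry, the key pairs, the commit object and the address alice@example.com are all constructed for the example. Four scenarios are run: a genuine signed commit, a spoofed commit that copies the victim's name and email, a spoofed commit signed with the attacker's own key, and a signed commit whose message was altered afterwards.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha512"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// str encodes b as an SSH wire-format string: a big-endian uint32 length, then the bytes.
func str(b []byte) []byte {
	return append([]byte{byte(len(b) >> 24), byte(len(b) >> 16), byte(len(b) >> 8), byte(len(b))}, b...)
}

// toSign is what actually gets signed under OpenSSH's PROTOCOL.sshsig: namespace "git" plus
// SHA-512 of the message, so a commit signature cannot be replayed in another SSH context.
func toSign(msg string) []byte {
	h := sha512.Sum512([]byte(msg))
	return bytes.Join([][]byte{[]byte("SSHSIG"), str([]byte("git")), str(nil), str([]byte("sha512")), str(h[:])}, nil)
}

// envelope is the SSHSIG blob that is base64-armored into the gpgsig header:
// magic, version 1, publickey, namespace, reserved, hash_algorithm, signature.
func envelope(pub ed25519.PublicKey, sig []byte) []byte {
	return bytes.Join([][]byte{[]byte("SSHSIG\x00\x00\x00\x01"),
		str(append(str([]byte("ssh-ed25519")), str(pub)...)),
		str([]byte("git")), str(nil), str([]byte("sha512")),
		str(append(str([]byte("ssh-ed25519")), str(sig)...))}, nil)
}

// SignCommit signs a raw commit object (headers, blank line, message) as git does with gpg.format=ssh:
// the unsigned object is the payload, and the armored blob becomes a "gpgsig" header whose
// continuation lines are space-indented.
func SignCommit(raw string, priv ed25519.PrivateKey) string {
	sig := ed25519.Sign(priv, toSign(raw))
	b64 := base64.StdEncoding.EncodeToString(envelope(priv.Public().(ed25519.PublicKey), sig))
	hdr := "gpgsig -----BEGIN SSH SIGNATURE-----\n"
	for ; len(b64) > 70; b64 = b64[70:] {
		hdr += " " + b64[:70] + "\n"
	}
	hdr += " " + b64 + "\n -----END SSH SIGNATURE-----\n"
	headers, msg, _ := strings.Cut(raw, "\n\n")
	return headers + "\n" + hdr + "\n" + msg
}

// VerifyCommit enforces the rule: the commit must be SSH-signed, the signature must cover the
// object as stored, and the signing key must be the one registered for the author's email.
// registry stands in for a forge's per-account key list; without that binding a valid
// signature proves possession of some key, not the identity written in the author line.
func VerifyCommit(commit string, registry map[string]ed25519.PublicKey) error {
	const begin, end = "\ngpgsig -----BEGIN SSH SIGNATURE-----\n", "\n -----END SSH SIGNATURE-----\n"
	i, j := strings.Index(commit, begin), strings.Index(commit, end)
	if i < 0 || j < i+len(begin) {
		return errors.New("commit is not SSH-signed")
	}
	payload := commit[:i] + commit[j+len(end)-1:] // the object minus its gpgsig header
	headers, _, _ := strings.Cut(payload, "\n\n")
	_, author, _ := strings.Cut(headers, "\nauthor ")
	_, rest, _ := strings.Cut(author, "<")
	email, _, _ := strings.Cut(rest, ">") // free-form text: git itself never checks it
	want, ok := registry[email]
	if !ok {
		return fmt.Errorf("no signing key registered for author <%s>", email)
	}
	// Rather than parse the untrusted blob, rebuild the only envelope acceptable for the
	// registered key and compare bytes: a wrong key, key type or namespace all fail here.
	armored := strings.ReplaceAll(commit[i+len(begin):j], "\n ", "") // rejoin the wrapped lines
	blob, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(armored, " "))
	if err != nil || len(blob) < ed25519.SignatureSize || !bytes.Equal(blob, envelope(want, blob[len(blob)-ed25519.SignatureSize:])) {
		return fmt.Errorf("signature was not made with the key registered for <%s>", email)
	}
	if !ed25519.Verify(want, toSign(payload), blob[len(blob)-ed25519.SignatureSize:]) {
		return errors.New("signature does not match the commit contents")
	}
	return nil
}

// Demo runs the four scenarios against a constructed commit object and a constructed key registry.
func Demo() map[string]error {
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	_, malloryPriv, _ := ed25519.GenerateKey(rand.Reader)
	registry := map[string]ed25519.PublicKey{"alice@example.com": alicePub}
	raw := "tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\nauthor Alice <alice@example.com> 1700000000 +0000\n" +
		"committer Alice <alice@example.com> 1700000000 +0000\n\nFix input validation\n"
	signed := SignCommit(raw, alicePriv)
	return map[string]error{
		"genuine":   VerifyCommit(signed, registry),
		"spoofed":   VerifyCommit(raw, registry),                          // attacker copied Alice's name and email
		"wrong key": VerifyCommit(SignCommit(raw, malloryPriv), registry), // signed, but with an unregistered key
		"tampered":  VerifyCommit(strings.Replace(signed, "Fix input", "Add backdoor", 1), registry),
	}
}

func main() { fmt.Println(Demo()) }
```

Only the genuine scenario passes. The verifier deliberately does not parse the signature blob: it rebuilds the one envelope that is acceptable for the registered key and compares bytes, so a wrong key, key type or namespace is rejected before any signature arithmetic runs. It checks a single commit object in memory and is not a substitute for git verify-commit or a platform's own signature checks; the point it makes is that the author line is only trustworthy once a signature binds it to a key that the organisation has tied to that person.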