GIT Detected exposed
Description
A Git version control metadata directory (.git) has been detected on the web server. This directory contains the complete repository history, configuration files, and source code. Git directories should never be present on production servers as they are intended solely for development environments. This exposure typically occurs when code is deployed by copying the entire working directory instead of performing a proper export or build process.
Remediation
Immediately remove all .git directories from production web servers. Follow these steps to remediate and prevent this issue:
Immediate Action:
1. Locate and delete all .git directories from web-accessible locations
2. Review Git history for any committed secrets (passwords, API keys, tokens) and rotate them immediately
Web Server Configuration:
Configure your web server to block access to .git directories as a defense-in-depth measure:
Apache (.htaccess or httpd.conf):
<DirectoryMatch "\.git">
Require all denied
</DirectoryMatch>Nginx (nginx.conf):
location ~ /\.git {
deny all;
return 404;
}IIS (web.config):
<configuration>
<system.webServer>
<security>
<requestFiltering>
<hiddenSegments>
<add segment=".git" />
</hiddenSegments>
</requestFiltering>
</security>
</system.webServer>
</configuration>Long-term Prevention:
1. Implement proper deployment processes using CI/CD pipelines that build and export only necessary files
2. Use .gitignore and export commands (git archive) rather than copying working directories
3. Conduct regular security scans to detect accidentally deployed version control directories