/spoof-check

An example of how to prevent spoofed commits from being merged

Primary language: Ruby

Validate A GitHub Pusher

Create A Server

Use the server example as a guide on how to validate the JSON payload on Push events.

# validate all commits are from the pusher
def validate(payload)
  # collect the distinct author e-mails across all commits in the push
  committers = payload.commits.map{ |c| c.author.email }.uniq

  # validate all commits are from the pusher
  if committers.count > 1
    {:failure => "Includes commits from #{committers.count} committers"}
  elsif !committers.include?(payload.pusher.email)
    {:failure => "Committer doesn't match pusher"}
  else
    {:success => "All commits match pusher"}
  end
end

Add the validation to your CI server or any stand-alone webserver that responds to GitHub's WebHook events.

Validate the WebHook Payload

The JSON payload contains the Git Author and the Git Committer for each commit in the push. These values come from the .gitconfig on the user's computer, so they are whatever the user chose to set.

The payload also contains the pusher's info: the authenticated GitHub user who pushed the code.
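The server check above and the payload description here, as one added example (not the project's own code): it parses a constructed push-event payload and compares every commit's author and committer e-mail, both user-controlled, against the authenticated pusher's e-mail. The field names mirror a GitHub push event, but the sample payload and the function are assumptions written for this example.

```ruby
require 'json'

# Constructed sample of the parts of a push-event payload the check needs.
# Commit c2 has a forged author but a committer that matches the pusher.
SAMPLE_PAYLOAD = <<~JSON
  {
    "pusher": { "name": "alice", "email": "alice@example.com" },
    "commits": [
      { "id": "c1", "author": { "email": "alice@example.com" },
                    "committer": { "email": "alice@example.com" } },
      { "id": "c2", "author": { "email": "bob@example.com" },
                    "committer": { "email": "alice@example.com" } }
    ]
  }
JSON

# Returns [:success, message] or [:failure, message]. A commit passes only
# if BOTH its author and its committer e-mail equal the pusher's e-mail;
# both fields come from the pusher's local .gitconfig, so either can be
# set to anything, while the pusher is the authenticated GitHub account.
def validate_push(json)
  payload = JSON.parse(json)
  pusher = payload.dig('pusher', 'email').to_s.strip.downcase
  return [:failure, 'Payload has no pusher e-mail'] if pusher.empty?

  commits = payload.fetch('commits', [])
  return [:failure, 'Payload has no commits'] if commits.empty?

  mismatches = commits.select do |c|
    emails = [c.dig('author', 'email'), c.dig('committer', 'email')]
    emails.any? { |e| e.to_s.strip.downcase != pusher }
  end

  if mismatches.empty?
    [:success, "All #{commits.size} commits match pusher #{pusher}"]
  else
    ids = mismatches.map { |c| c['id'] }.join(', ')
    [:failure, "Commits not matching pusher #{pusher}: #{ids}"]
  end
end

puts validate_push(SAMPLE_PAYLOAD).inspect if $PROGRAM_NAME == __FILE__
```

Wire `validate_push` into the webhook handler and report its result as the status check; the failure message names the offending commit ids so the reviewer can see which commits to inspect.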

Configure the WebHook

Create a Webhook and watch for the Push Event. This event is triggered when you push from the command-line or commit a change through the Web UI.

Protect the Master Branch

To prevent merges until identity checks are passed, enable Protected Branches and Required Status Checks, then have your CI server run checks against the JSON payload delivered from the Webhook.