GitOps Security
What is GitOps Security?
Security practices for GitOps workflows, where the declarative desired state of infrastructure and applications is stored in Git and reconciled into production by an automated controller.
GitOps relies on Git as the single source of truth and uses tools like Argo CD or Flux to continuously reconcile clusters with that state. Because whatever lands on the tracked branch is applied to production automatically, the security focus shifts to the Git repository, the identity of committers, pull-request controls, and the GitOps controller itself. Key practices include branch protection, signed commits and tags, CODEOWNERS, mandatory reviews, secret-free repositories (Sealed Secrets, External Secrets, SOPS, Vault integrations), policy-as-code (OPA Gatekeeper, Kyverno), image signature verification (Cosign), restricted controller permissions, and audit-log shipping. GitOps Security also requires preventing the controller from applying unreviewed manifests, malicious Helm charts, or unsigned container images. Because the controller typically holds broad cluster permissions, a misconfiguration lets an attacker escalate from a single PR merge to full cluster compromise.
● Examples
- 01
Argo CD configured to only reconcile from a signed, protected main branch with Cosign image verification.
- 02
Sealed Secrets used so encrypted manifests can sit safely in Git.
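The controller-side half of Example 01, as an added illustration rather than configuration taken from this page or from the Argo CD or Kyverno projects: an Argo CD AppProject that accepts syncs only from one repository, only into one namespace, and only from commits signed by a listed GPG key; an Application pinned to `main`; and a Kyverno ClusterPolicy that refuses Pods whose images lack a Cosign keyless signature. The repository URL, GPG key ID, registry path, and CI workflow identity are assumed placeholders. Branch protection itself is enforced by the Git host, not by Argo CD, so the two controls have to be configured together.

```yaml
# Added example (not from the page). All names, URLs and key IDs are assumed placeholders.
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: prod
  namespace: argocd
spec:
  # Only manifests from this one repository may be synced by apps in this project.
  sourceRepos:
    - https://github.com/example-org/prod-manifests.git
  # Only this namespace on the in-cluster API server may be targeted.
  destinations:
    - server: https://kubernetes.default.svc
      namespace: prod
  # No cluster-scoped resources (ClusterRoles, CRDs, Namespaces, ...) from this project.
  clusterResourceWhitelist: []
  # Argo CD refuses to sync any commit not signed by one of these GPG keys
  # (the public key must be imported into Argo CD beforehand).
  signatureKeys:
    - keyID: 4AEE18F83AFDEB23   # assumed placeholder key ID
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: payments
  namespace: argocd
spec:
  project: prod
  source:
    repoURL: https://github.com/example-org/prod-manifests.git
    # Track the protected branch; the Git host's branch protection and
    # mandatory review rules decide what is allowed to land here.
    targetRevision: main
    path: apps/payments
  destination:
    server: https://kubernetes.default.svc
    namespace: prod
  syncPolicy:
    automated:
      prune: true      # delete resources removed from Git
      selfHeal: true   # revert out-of-band changes made directly in the cluster
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-image-signatures
spec:
  validationFailureAction: Enforce   # reject, do not merely audit
  background: false
  webhookTimeoutSeconds: 30
  rules:
    - name: require-cosign-signature
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            - "ghcr.io/example-org/*"   # assumed registry path
          required: true
          # Keyless Cosign verification: the signature must have been produced by
          # this GitHub Actions workflow identity and recorded in the Rekor log.
          attestors:
            - entries:
                - keyless:
                    subject: "https://github.com/example-org/payments/.github/workflows/release.yml@refs/tags/*"
                    issuer: "https://token.actions.githubusercontent.com"
                    rekor:
                      url: https://rekor.sigstore.dev
```

With these three objects in place, a commit that is unsigned, signed by an unlisted key, pushed to a different repository, or targeting another namespace is not applied, and a manifest that references an unsigned image is admitted to Git but rejected by the admission webhook when the controller tries to create the Pod. The remaining gap is the controller's own service account: if it stays cluster-admin, a compromise of Argo CD bypasses every check above, so its RBAC should be narrowed to the namespaces the AppProject allows.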
● Frequently asked questions
What is GitOps Security?
Security practices for GitOps workflows, where the declarative desired state of infrastructure and applications is stored in Git and reconciled into production by an automated controller. It belongs to the Application Security category of cybersecurity.
What does GitOps Security mean?
Security practices for GitOps workflows, where the declarative desired state of infrastructure and applications is stored in Git and reconciled into production by an automated controller.
How does GitOps Security work?
GitOps relies on Git as the single source of truth and uses tools like Argo CD or Flux to continuously reconcile clusters with that state. Because whatever lands on the tracked branch is applied to production automatically, the security focus shifts to the Git repository, the identity of committers, pull-request controls, and the GitOps controller itself. Key practices include branch protection, signed commits and tags, CODEOWNERS, mandatory reviews, secret-free repositories (Sealed Secrets, External Secrets, SOPS, Vault integrations), policy-as-code (OPA Gatekeeper, Kyverno), image signature verification (Cosign), restricted controller permissions, and audit-log shipping. GitOps Security also requires preventing the controller from applying unreviewed manifests, malicious Helm charts, or unsigned container images. Because the controller typically holds broad cluster permissions, a misconfiguration lets an attacker escalate from a single PR merge to full cluster compromise.
How do you secure a GitOps workflow?
Combine repository controls (branch protection, mandatory reviews, CODEOWNERS, signed commits and tags) with controller controls (reconcile only from a protected branch, verify commit signatures, restrict which repositories and destinations the controller may use, and run the controller with least-privilege permissions), admission controls (OPA Gatekeeper or Kyverno policies, Cosign image signature verification), keeping secrets out of Git (Sealed Secrets, External Secrets, SOPS, Vault integrations), and shipping Git and controller audit logs for monitoring.
What are other names for GitOps Security?
Common alternative names include: Secure GitOps.
● Related terms
- appsec№ 166
CI/CD Security
The set of controls protecting continuous integration and continuous delivery pipelines from compromise, code injection, secret leakage, and unauthorized deployments.
- cloud-security№ 600
Kubernetes Security
The protection of a Kubernetes cluster — its API server, control plane, nodes, workloads, and network — from misconfiguration, compromise, and lateral movement.
- appsec№ 1069
Software Supply Chain Security
The discipline of protecting every link of the software production chain - source, dependencies, build, signing, distribution, and deployment - against tampering, malicious code, and integrity loss.
- appsec№ 459
Hardcoded Secrets in Code
Embedding credentials, API keys, tokens, or cryptographic material directly in source code, configuration files, or container images, where they are easily discovered and abused.
- appsec№ 784
Package Signing
Applying a cryptographic signature to a software package so that consumers can verify the publisher's identity and that the artifact has not been altered after release.
- appsec№ 309
DevSecOps
A culture and set of practices that integrates security responsibilities into DevOps workflows so engineers ship secure software continuously and at speed.