feat(lab3): Secure Git — SSH Signing, Pre-commit Gitleaks, and History Hygiene #3

Open

RII6 wants to merge 3 commits into main from feature/lab3

Conversation

RII6 (Owner) commented Jun 14, 2026

Goal

Implement critical local DevSecOps controls to address STRIDE-R (Repudiation) risks and protect the supply chain. This PR configures cryptographic SSH commit signing for authorship non-repudiation, deploys an automated preventive pre-commit hook architecture with gitleaks to catch secret leakage, and covers reactive history hygiene using git filter-repo.

Changes

  • submissions/lab3.md — Contains native SSH signature configuration, local/remote validation strings, threat mapping reflections, and sandbox rewriting proofs.
  • .pre-commit-config.yaml — Configured pre-commit orchestration framework hooking gitleaks (v8.18.2) alongside standard files checks (detect-private-key and check-added-large-files).

Testing

Task 1 — Cryptographic Non-Repudiation (SSH Signing)

  • Client configurations verified locally:
    • gpg.format → ssh
    • user.signingkey → /Users/rii/.ssh/id_ed25519.pub
    • commit.gpgsign → true
  • Local Signature Verification: Running git log --show-signature -1 successfully outputs a verified cryptographic payload:
    Good "git" signature for namespaces=git with ED25519 key SHA256:W9mgJHshjfQoW5M5bVgtVjKS7dcrHesF7kJ9vssSV58
    Author: RII6 <albert.khechoyan16@gmail.com>
    
  • GitHub Remote State: The primary commit f710a7d7b33810226a2cd603b1abff7d6c7825c6 natively evaluates to the green Verified badge.

Task 2 — Preventive Secret Scanning (Gitleaks Hook)

  • Pre-commit architecture deployed to .git/hooks/pre-commit.
  • Triage Verification: A deliberate commit attempt containing a simulated token inside submissions/leak-attempt.txt was intercepted and safely aborted by the framework:
    Detect hardcoded secrets.................................................Failed
    - hook id: gitleaks
    - RuleID: github-pat
    
  • The rogue file was immediately un-staged and entirely purged from local storage.

Bonus Task — Reactive Remediation (History Rewriting via filter-repo)

Executed within a decoupled sandbox environment at /tmp/lab3-bonus to evaluate deep history mutation behavior.

  • Before Mutation Sequence:
    3000deb (HEAD -> main) docs: add usage notes
    ecb830e feat: empty log
    ee634b2 feat: add config
    b1ac2cd init
    
    • Direct content analysis query: git log -p | grep -c 'ghp_' → 2
  • After Mutation Sequence (Hash Cascade):
    451e894 (HEAD -> main) docs: add usage notes
    74dc0f8 feat: empty log
    4d2a994 feat: add config
    beccefa init
    
    • Integrity evaluation: ghp_ instances dropped to 0; REDACTED instances evaluated to 2.
  • Core Triage Concept: Remediating history changes locally fixes repository hygiene, but immediate programmatic credential rotation remains mandatory on the target vendor platform.

Artifacts & Screenshots

  • Target Report: submissions/lab3.md
  • Hook Assembly: .pre-commit-config.yaml
  • Remote State: Verified badge successfully attached to the latest push (f710a7d).

Checklist

  • Title adheres to repository convention (feat(lab3): <topic>)
  • No plaintext credentials or extraneous metadata items committed
  • Compilation artifact present at submissions/lab3.md

  • Task 1 — SSH signing implemented + remote validation active
  • Task 2 — .pre-commit-config.yaml operational + gitleaks blocking verified
  • Bonus — git filter-repo sequence documented with before/after cascading state
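A minimal stand-in for the Task 2 gate and the bonus task's before/after count, added here as an example; it is not part of this PR or the lab's own code. It scans only the added lines of a staged diff, and the two regexes are assumed to mirror gitleaks' `github-pat` rule and pre-commit's `detect-private-key` hook (assumption, not copied from either project).

```python
"""Stand-in for the gitleaks/detect-private-key gate and the filter-repo
integrity check described in the PR. Added example, not the lab's own code."""
import re
from typing import Dict, List, Tuple

# Assumption: these patterns mirror gitleaks' `github-pat` rule and the
# pre-commit `detect-private-key` hook; they are not copied from upstream.
RULES: Dict[str, "re.Pattern[str]"] = {
    "github-pat": re.compile(r"ghp_[0-9a-zA-Z]{36}"),
    "private-key": re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----"),
}


def scan_staged_diff(diff: str) -> List[Tuple[str, str, int]]:
    """Return (rule_id, file, new_line_no) for each hit on an ADDED line,
    which is what a pre-commit hook judges: the content about to be committed."""
    findings: List[Tuple[str, str, int]] = []
    current_file, line_no = "", 0
    for line in diff.splitlines():
        if line.startswith("+++ b/"):
            current_file = line[6:]
        elif line.startswith("@@"):
            # hunk header "@@ -a,b +c,d @@": new-side numbering starts at c
            line_no = int(re.search(r"\+(\d+)", line).group(1)) - 1
        elif line.startswith("+"):
            line_no += 1
            for rule_id, pat in RULES.items():
                if pat.search(line[1:]):
                    findings.append((rule_id, current_file, line_no))
        elif not line.startswith("-"):
            line_no += 1  # context lines advance the new-side counter
    return findings


def history_leak_counts(log_dump: str) -> Tuple[int, int]:
    """Bonus-task check over `git log -p` output, counted per line like
    `grep -c`: (lines still containing ghp_, lines containing REDACTED)."""
    lines = log_dump.splitlines()
    return (sum("ghp_" in l for l in lines), sum("REDACTED" in l for l in lines))


# Constructed staged diff carrying a fake token (36 'A's, not a real credential)
STAGED_DIFF = "\n".join([
    "diff --git a/submissions/leak-attempt.txt b/submissions/leak-attempt.txt",
    "--- /dev/null",
    "+++ b/submissions/leak-attempt.txt",
    "@@ -0,0 +1,2 @@",
    "+note: sample file",
    "+token=ghp_" + "A" * 36,
])

if __name__ == "__main__":
    for rule_id, path, n in scan_staged_diff(STAGED_DIFF):
        print(f"Detect hardcoded secrets: Failed - RuleID: {rule_id} ({path}:{n})")
```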
