0
BimaAdi
3y

This afternoon we got an email from our pentester. He said that he found a security vulnerability in our project: a .git/ folder in the project directory on the production server. He considered it a security vulnerability because a user can see all git branches on the remote repo. He recommended that we remove that folder, but the problem is that we use CI/CD, so we need that .git/ folder. My question is: is it bad practice to use git on a production server?

Comments
  • 3
    Am I missing something here: why would the .git folder be deployed to the production server? 🤔
  • 3
    All you should be deploying to production is the built artifact which results from your CI pipeline, e.g. the JAR/WAR for a Java project or a ready-built bundle for JS, etc.
    It's fair enough that the pipeline needs git info, but your production environment shouldn't.
  • 0
    I don't see a security concern here....

    Unless you did Dumb Things (TM).

    Git goes over SSH; as long as you never stored the key on the server, it's not "unsafe" in my opinion.

    And a production environment should be airtight. Even better, a vacuum.

    Nothing except one rescue admin account and the deployment pipeline should have access... Hence, why was he even able to run git and see the branches?

    Was he able to use a script and check the local filesystem...?!
  • 0
    @nibor Whenever you perform git init or git clone from a remote repo, git will create a .git directory.
  • 0
    @BimaAdi Ok then next question, why are you running git commands on your production server? Are you building the app directly from source or something?
  • 0
    @LLAMS We use git to synchronise the code on the production server with the master branch on the GitLab repo. Our app is written in PHP using the CodeIgniter 3 framework.
  • 2
    @BimaAdi the answer to your original question, "is it bad practice to use git on a production server?" is yes IMHO. I worked on CI/CD pipelines in several companies, and I've never seen deployment done this way.

    It is time to invest in a grown up CI/CD strategy.
  • 1
    @nibor Agreed. Do all the git stuff on your CI server, build the app package and then copy that to your production env. Or automate your env to download the package and set itself up with something like Ansible/Chef/Puppet, etc.
    The current setup sounds like you just replicated the dev environment in prod, which is never a good idea.
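The two comments above (deploy only the built artifact; do the git work on the CI server and copy the package to production) describe a procedure. As an added example that is not from any commenter, nor from CodeIgniter's or GitLab's tooling, the POSIX shell script below shows the CI-side packaging step that leaves .git out of the release, and the production-side check that a deployed tree contains no .git at all. It also shows why the pentester's finding matters beyond branch names: on a web root, .git/HEAD being present means GET /.git/HEAD succeeds, and from there a visitor can usually reconstruct the whole source tree. All paths, function names and the sample checkout are hypothetical and constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the thread. Paths and names are hypothetical.
set -eu

# Constructed sample checkout: a minimal CodeIgniter-style tree plus a fake
# .git directory, so the script runs without a network or a real repo.
make_sample_checkout() {
  dir=$1
  mkdir -p "$dir/application/controllers" "$dir/.git/refs/heads"
  printf '<?php echo "hello";\n' > "$dir/application/controllers/Welcome.php"
  printf 'ref: refs/heads/master\n' > "$dir/.git/HEAD"
  printf 'deadbeef\n' > "$dir/.git/refs/heads/master"
}

# CI side. package_release SRC OUT.tar: archive the checkout without VCS
# metadata. --exclude matches the path component anywhere in the tree, so a
# .git directory (or the .git file a worktree uses) is never packaged.
package_release() {
  src=$1
  out=$2
  tar -C "$src" --exclude=.git --exclude=.gitignore -cf "$out" .
}

# Production side. verify_no_vcs DIR: succeed only if nothing named .git
# exists anywhere under DIR. Run this after unpacking, before the tree goes live.
verify_no_vcs() {
  root=$1
  [ -z "$(find "$root" -name .git -print)" ]
}

# The pentester's observation, without any HTTP: on a static web root,
# .git/HEAD on disk is exactly what a request for /.git/HEAD would return.
git_head_exposed() {
  [ -f "$1/.git/HEAD" ]
}

demo() {
  work=$(mktemp -d)
  make_sample_checkout "$work/checkout"
  if git_head_exposed "$work/checkout"; then
    echo "checkout: .git/HEAD would be served from a web root"
  fi
  package_release "$work/checkout" "$work/release.tar"
  mkdir "$work/webroot"
  tar -C "$work/webroot" -xf "$work/release.tar"
  if verify_no_vcs "$work/webroot"; then
    echo "release: no .git in deployed tree"
  else
    echo "release: .git leaked into deployed tree" >&2
    rm -rf "$work"
    return 1
  fi
  rm -rf "$work"
}

demo
```

The verify step is the part worth keeping in a real pipeline: it fails the deploy if VCS metadata ever reaches the web root, whatever packaging tool produced the artifact. As a second layer, the web server's own configuration should still refuse requests for any path starting with /.git so that a future mistake is not directly readable.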
  • 2
    Thank you for your suggestions @nibor @LLAMS @molaram. What we do on the production server is bad practice. We will fix that as soon as possible.
  • 0
    @BimaAdi Happy to help. This stuff is not obvious until you know. I'm no expert in CI/CD or operations. I learn from looking at what people do who are way better at this stuff than me.