Binary Artifacts Stored in SCM

Binary artifacts, such as compiled executables, libraries, or large media files, should not be stored in source control management (SCM) systems. Instead, use artifact repositories or storage solutions specifically designed for managing binaries.

Examples

Insecure Example

Storing binary files directly in an SCM system, such as:

• .exe, .dll, .jar, .bin, or similar compiled artifacts.
• Large media files, such as .mp4, .iso, or .zip.

Example:

git add mybinaryfile.exe
git commit -m "Add binary file"

Secure Example

Using an artifact repository or storage service like JFrog Artifactory, Nexus, or AWS S3:

1. Upload the binary artifacts to the repository or storage.
2. Reference the artifacts in the SCM using version identifiers or URLs.

Example (using Artifactory):

dependencies:
  - artifact: com.example:myartifact:1.0.0
    repo: artifactory-repo

Mitigation Steps

1. Use .gitignore to exclude binary files from being tracked in SCM:
   

   *.exe
   *.dll
   *.jar
   *.zip
   *.iso
   

2. Adopt an artifact repository or storage solution for managing binaries.
3. Regularly audit SCM repositories for binary files using automated tools.
4. Replace existing binaries in SCM with references to artifact repositories.

Risks of Storing Binary Artifacts in SCM

• Performance Impact: Increases repository size and slows down operations like cloning and fetching.
• Security Risks: Difficult to verify the integrity or source of binaries.
• Lack of Version Control: Binary artifacts are not easily diffable or mergeable.

More information

• GitHub Docs - Ignoring Files
• JFrog Artifactory Overview
• Sonatype Nexus Repository Manager
• AWS S3 - Object Storage