kb/security
Git and GitHub security on the account and the repo: two-factor authentication on the account; Dependabot for vulnerability alerts and automated dependency-update pull requests; code scanning with CodeQL; secret scanning, ideally with push protection so a recognised key is rejected before it lands in history, to catch keys committed by accident; and commits signed with GPG or SSH so others can verify them.
`.gitignore`: a file (usually in the repo root; one in a subdirectory applies to that subtree) listing patterns for paths Git should leave untracked. It is not a staging mechanism, and it has no effect on files that are already tracked: ignoring `*.env` after `config/secrets.env` has been committed changes nothing, the file has to be untracked with `git rm --cached` and the value in it treated as exposed, because it is still in history. Treat it as a way to keep junk, build output and local config out of commits, not as a security control: `git add -f` bypasses it, and a secret in a file the patterns do not cover is committed like anything else. Secret scanning before the commit is the actual check.
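The "already tracked" edge case, as an added example that is not part of the original page: a throwaway repo commits a secret file, an ignore pattern is added afterwards, and the script reports whether the file is still tracked, what `git rm --cached` changes, what stays in history, and that `git add -f` walks straight past the pattern. It assumes `git` (2.32 or later, for `GIT_CONFIG_GLOBAL`) is on PATH; the repo layout, file names and the token value are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the page. Assumes git >= 2.32 on PATH.
# Prints key=value lines describing what Git does at each step.
gitignore_demo() {
    repo=$(mktemp -d) || return 1
    (
        cd "$repo" || exit 1
        # Isolate from the host's git config and give git an identity.
        export GIT_CONFIG_GLOBAL=/dev/null GIT_CONFIG_NOSYSTEM=1
        export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.com
        export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.com
        git init -q

        # 1. A secret file is committed before anyone thought about ignoring it.
        #    (constructed value, not a real token)
        mkdir config
        printf 'API_TOKEN=constructed-example-value\n' > config/secrets.env
        git add config/secrets.env
        git commit -q -m 'add config'

        # 2. Adding the pattern afterwards does nothing for the tracked file...
        printf '*.env\n' > .gitignore
        printf 'tracked_after_ignore=%s\n' \
            "$(git ls-files --error-unmatch config/secrets.env >/dev/null 2>&1 && echo yes || echo no)"

        #    ...while a new file matching the pattern is ignored as expected.
        printf 'X=1\n' > config/local.env
        printf 'new_env_ignored=%s\n' \
            "$(git check-ignore -q config/local.env && echo yes || echo no)"

        # 3. Untrack the file (the working-tree copy stays) and commit the removal.
        git rm -q --cached config/secrets.env
        git commit -q -m 'stop tracking secrets.env'
        printf 'tracked_after_rm_cached=%s\n' \
            "$(git ls-files --error-unmatch config/secrets.env >/dev/null 2>&1 && echo yes || echo no)"

        # 4. The file is still in history: the token must be rotated regardless.
        printf 'in_history=%s\n' \
            "$(git log --all --oneline -- config/secrets.env | grep -q . && echo yes || echo no)"

        # 5. .gitignore is not a barrier: -f stages the ignored file anyway.
        git add -f config/local.env
        printf 'forced_add_staged=%s\n' \
            "$(git diff --cached --name-only | grep -qx config/local.env && echo yes || echo no)"
    )
    rm -rf "$repo"
}

gitignore_demo
```

The `in_history=yes` line is the one that matters operationally: untracking the file removes it from future commits only, so the value in it is treated as leaked from the moment it was pushed anywhere.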
`git filter-repo`: the replacement for `git filter-branch`, which Git's own documentation now warns against in favour of it. Rewrites history in place: removes paths from every commit, rewrites author and committer identities, replaces strings. Use it to purge secrets or large binaries that landed in the repo. The caveats matter: every rewritten commit gets a new hash, so the result has to be force-pushed and every other clone re-cloned or rebased onto it; and anything that already fetched the old history (forks, CI caches, the hosting provider's pull-request refs) can still hold the secret, so a rewrite reduces exposure but never replaces rotating the credential.
Git commits can be signed with a GPG key or, since Git 2.34, an SSH key. A signature cryptographically proves that the signer had access to the private key when the commit was made, and that the commit has not changed since. The link between "key" and "specific person" comes from key verification outside Git (web of trust in OpenPGP, a key registered on a GitHub account, an allowed_signers file for SSH keys via `gpg.ssh.allowedSignersFile`), not from Git itself: `git verify-commit` and `git log --show-signature` only check the signature against keys they have been told to trust. Git does not verify who you are; `user.email` is a free-text setting.
Scan the repo regularly for accidentally committed secrets (API keys, passwords, tokens). The main tools: gitleaks, detect-secrets, trufflehog; all three can run over full history as well as a working tree. The best time to catch a secret is before the commit, with a pre-commit hook over the staged diff, backed by a scan in CI so a hook someone skipped with `--no-verify` is still caught. After an exposure, rotating the key is non-negotiable: assume it was copied the moment it was pushed. History cleanup is secondary; it limits further spread but un-exposes nothing.
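A minimal pre-commit scanner, as an added example that is not part of the original page and not one of the tools named above: it pulls the added lines out of a unified diff, tags each with its file, and greps them for a handful of secret shapes (an AWS access key ID, a GitHub token, a PEM private-key header, a hard-coded password assignment). The sample diff and its values are constructed; real scanners carry hundreds of rules plus entropy checks and live-key verification, so this is the shape of the check, not a replacement for them.

```shell
#!/bin/sh
# Added example, not code from the page or from gitleaks/detect-secrets/trufflehog.
# Usage: `sh scan.sh` runs the demo; `sh scan.sh hook` scans the staged diff
# (link it as .git/hooks/pre-commit with that argument in a wrapper).

# Reads a unified diff on stdin, prints "file<TAB>added-line" for every hit,
# returns 1 if anything matched so the caller can block the commit.
scan_diff_for_secrets() {
    # awk: remember the current file from '+++ b/path' headers and emit only
    # added lines (leading '+' stripped), so removed code is never flagged.
    if awk '
        /^\+\+\+ / { file = substr($0, 5); sub(/^b\//, "", file); next }
        /^\+/      { print file "\t" substr($0, 2) }
    ' | grep -E -i \
        -e 'AKIA[0-9A-Z]{16}' \
        -e 'ghp_[A-Za-z0-9]{36}' \
        -e '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' \
        -e "password[[:space:]]*[:=][[:space:]]*[\"'][^\"']{8,}"
    then
        return 1
    fi
    return 0
}

# Hook entry point: scan what is actually about to be committed.
pre_commit_hook() {
    if ! git diff --cached -U0 --no-color | scan_diff_for_secrets; then
        echo 'pre-commit: possible secret in staged changes; commit blocked' >&2
        return 1
    fi
}

# Constructed staged diff: an AWS key ID (AWS's documented example value),
# a hard-coded password, an innocuous setting, and a pasted private key.
sample_staged_diff() {
    cat <<'EOF'
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,2 +1,4 @@
 DEBUG = False
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "hunter2-but-longer"
+ALLOWED_HOSTS = ["example.com"]
diff --git a/deploy/key.pem b/deploy/key.pem
--- /dev/null
+++ b/deploy/key.pem
@@ -0,0 +1,3 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAA
+-----END OPENSSH PRIVATE KEY-----
EOF
}

# Constructed clean diff: the removed line contains a secret, the added one
# does not, so nothing should be reported.
clean_staged_diff() {
    cat <<'EOF'
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,2 +1,2 @@
 DEBUG = False
-DB_PASSWORD = "hunter2-but-longer"
+DB_PASSWORD = os.environ["DB_PASSWORD"]
EOF
}

case "${1:-demo}" in
    hook) pre_commit_hook ;;
    demo) sample_staged_diff | scan_diff_for_secrets \
              || echo 'demo: secrets found, commit would be blocked' ;;
esac
```

Scanning only added lines is the design choice worth copying: a hook that greps whole files re-flags every historical secret on every commit, and gets disabled within a week.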