Critical-risk tools in Git
7 of the 44 tools in Git are classified as critical risk. This page profiles those tools specifically, with recommended policy actions and the attack patterns that target them.
Every operation listed below is an action PolicyLayer recommends controlling at the transport layer. Open any tool to see the full profile, risk score, and YAML policy snippet.
Tools at critical risk
-
git_branchesDestructiveBranch tool. Use action=list|create|delete|rename|checkout|set_upstream|recent for branch workflows.
-
git_commitsDestructiveCommit-area tool. Use action=add|restore|commit|reset|revert|undo|nuke|wip|unstage|amend.
-
git_delete_branchDestructiveDelete a local branch.
-
git_resetDestructiveReset HEAD/index/worktree by mode. Hard reset requires confirm=true.
-
git_stashDestructiveSave, list, apply, pop, or drop stash entries.
-
git_tagDestructiveList, create, or delete tags. Supports GPG/SSH signed tags.
-
git_worktreeDestructiveAdd, list, or remove worktrees.
Attacks that target this class
Critical-risk tools in any server share these documented attack patterns. Each links to the full case and the defensive policy.