High-risk tools in Git
8 of the 44 tools in Git are classified as high risk. This page profiles those tools specifically, with recommended policy actions and the attack patterns that target them.
Every operation listed below is an action PolicyLayer recommends controlling at the transport layer. Open any tool to see the full profile, risk score, and YAML policy snippet.
Tools at high risk
-
git_bisectExecuteRun bisect workflows for bug isolation.
-
git_checkoutExecuteCheckout a branch, tag, or commit; optionally create a new local branch.
-
git_flowExecuteImplements git-flow-next-style workflows directly, without requiring the
-
git_pushExecutePush to remote. Supports safe force (
-
git_rebaseExecuteStart, continue, skip, or abort rebase operations.
-
git_remotesExecuteRemote tool. Use action=list|manage|fetch|pull|push for network/transport operations.
-
git_workflowExecuteRun named multi-step Git workflows with resumable lifecycle controls.
-
git_workspaceExecuteWorkspace tool for stash/rebase/cherry-pick/merge/bisect/tag/worktree/submodule actions plus stash_all shortcut.
Attacks that target this class
High-risk tools in any server share these documented attack patterns. Each links to the full case and the defensive policy.