Binary Artifacts Stored in SCM

Checks for binary / executable artifacts (e.g. *.jar, *.class, *.so) stored in the Git repository. Generally, such binary artifacts should not be committed to Git; they should instead be built from source with a reproducible build system.

This is a bad practice and a security concern because it makes it harder to be confident about what actually gets used when the application runs. Binary artifacts are opaque compared with plain-text source code, which can be audited, whose changes are easy to track, and on which code review can be enforced in pull requests.
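The following is an added example of how such a check can be implemented, not the project's own code: it walks a checkout, flags files by the extensions the page names plus a few common native formats (assumed list), and also catches binaries committed under an innocent name via a content heuristic (known magic numbers or NUL bytes). The sample tree it builds is constructed for the demo.

```python
"""Detect binary / executable artifacts committed to a source tree (added example)."""
import os
import tempfile
from pathlib import Path

# Extensions from the page plus a few common native/executable formats (assumed list).
BINARY_EXTENSIONS = {".jar", ".class", ".so", ".dll", ".exe", ".dylib", ".o", ".a", ".war"}
# Magic-number prefixes: ELF, PE/MZ, Java class file, ZIP/JAR. Catches renamed binaries.
MAGIC_PREFIXES = (b"\x7fELF", b"MZ", b"\xca\xfe\xba\xbe", b"PK\x03\x04")
SKIP_DIRS = {".git"}


def looks_binary(path: Path, sample_size: int = 8192) -> bool:
    """Content heuristic: a known magic number or a NUL byte in the first chunk."""
    with path.open("rb") as fh:
        head = fh.read(sample_size)
    if head.startswith(MAGIC_PREFIXES):
        return True
    return b"\x00" in head


def find_binary_artifacts(root: str) -> list[str]:
    """Return sorted repo-relative POSIX paths of files that are binary by extension or content."""
    root_path = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root_path):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]  # never scan .git objects
        for name in filenames:
            path = Path(dirpath) / name
            if path.suffix.lower() in BINARY_EXTENSIONS or looks_binary(path):
                findings.append(path.relative_to(root_path).as_posix())
    return sorted(findings)


def build_sample_repo() -> str:
    """Constructed sample tree: a source file, a jar, and an ELF hidden under a harmless name."""
    root = Path(tempfile.mkdtemp(prefix="scm-check-"))
    (root / "src").mkdir()
    (root / "src" / "main.py").write_text("print('hello')\n")
    (root / "lib").mkdir()
    (root / "lib" / "helper.jar").write_bytes(b"PK\x03\x04" + b"\x00" * 32)
    (root / "tools").mkdir()
    (root / "tools" / "runner").write_bytes(b"\x7fELF" + b"\x01" * 32)  # no tell-tale extension
    return str(root)


if __name__ == "__main__":
    for finding in find_binary_artifacts(build_sample_repo()):
        print("binary artifact committed to SCM:", finding)
```

In a CI gate, run it over `git ls-files` output instead of `os.walk` so that ignored build output does not produce false positives.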