Beyond Identity Secure DevOps Video
In this video, we’ll show you how Beyond Identity validates code provenance through Git commit signing.
Beyond Identity has native integrations with GitHub, GitLab, and Bitbucket. Multiple developers contribute source code to this repo, and every Git commit is signed: each developer signs their commits with a GPG key that has been bound to their device through the Beyond Identity Authenticator.
The Beyond Identity verification API is the first check in the CI/CD pipeline. It verifies that the commit was signed by a corporate identity on an authorized device. Here the signature has been verified, and the commit goes on to pass the remaining checks in the pipeline.
When a developer, or an attacker, tries to submit code to the repo without signing it, it is rejected. Only code signed with a GPG key that the Beyond Identity Authenticator has tied to a corporate identity and an authorized device is accepted into the repo.
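To make the pipeline gate concrete, here is an added example of the kind of check the video describes, written by the editor and not Beyond Identity's code or API. It assumes the pipeline runs `git log --format='%H%x09%G?%x09%GP%x09%GS' origin/main..HEAD` over every commit in the push range (not only the tip, since a merge can carry unsigned commits) and feeds the output to the checker; the allowlist of key fingerprints is a stand-in for the identity-and-device binding that the verification API performs, and the log lines, fingerprints and signer names are constructed, not real commits.

```python
"""CI gate for GPG-signed commits (added example, not Beyond Identity's code).

Every commit in the push range must carry a good GPG signature from a
key whose fingerprint is on the pipeline's allowlist. The assumed input
is the output of:

    git log --format='%H%x09%G?%x09%GP%x09%GS' origin/main..HEAD

where %G? is git's one-letter signature status, %GP the primary key
fingerprint and %GS the signer string (both empty for unsigned commits).
"""
from dataclasses import dataclass

# git's %G? status letters (see git-log(1), "pretty formats").
_UNSIGNED = "N"
_BAD = "B"
_EXPIRED_OR_REVOKED = {"X", "Y", "R"}
_UNCHECKABLE = "E"          # key not in the runner's keyring
_GOOD = {"G", "U"}          # U: good signature, key validity unknown to gpg's
                            # trust DB; we pin by fingerprint instead, so it is fine

# Constructed allowlist: fingerprints the pipeline trusts (hypothetical values).
ALLOWED_FINGERPRINTS = {
    "0123456789ABCDEF0123456789ABCDEF01234567",   # "Alice"
    "89ABCDEF0123456789ABCDEF0123456789ABCDEF",   # "Bob"
}

# Constructed sample of git log output (not real commits).
SAMPLE_LOG = "\n".join([
    "\t".join(["a1b2c3d4" * 5, "G", "0123456789ABCDEF0123456789ABCDEF01234567",
               "Alice Example <alice@example.com>"]),
    "\t".join(["c3d4e5f6" * 5, "N", "", ""]),                      # unsigned
    "\t".join(["e5f60718" * 5, "G", "FEDCBA9876543210FEDCBA9876543210FEDCBA98",
               "Mallory <mallory@example.net>"]),                   # key not allowed
    "\t".join(["07182939" * 5, "U", "89ABCDEF0123456789ABCDEF0123456789ABCDEF",
               "Bob Example <bob@example.com>"]),
])


@dataclass(frozen=True)
class Verdict:
    commit: str
    ok: bool
    reason: str


def _normalize(fingerprint: str) -> str:
    """Uppercase and strip spaces so 'ab cd' and 'ABCD' compare equal."""
    return fingerprint.replace(" ", "").upper()


def parse_log(log_text: str) -> list[tuple[str, str, str, str]]:
    """Split tab-separated log lines into (sha, status, fingerprint, signer)."""
    commits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        parts += [""] * (4 - len(parts))      # unsigned commits have empty trailing fields
        commits.append(tuple(parts[:4]))
    return commits


def check_commit(sha: str, status: str, fingerprint: str, signer: str,
                 allowed: set[str]) -> Verdict:
    """Decide whether one commit may enter the repo."""
    if status == _UNSIGNED:
        return Verdict(sha, False, "unsigned")
    if status == _BAD:
        return Verdict(sha, False, "bad signature")
    if status in _EXPIRED_OR_REVOKED:
        return Verdict(sha, False, f"signature from expired or revoked key ({signer})")
    if status == _UNCHECKABLE:
        return Verdict(sha, False, "signature cannot be checked (key not in keyring)")
    if status not in _GOOD:
        return Verdict(sha, False, f"unknown signature status {status!r}")
    fp = _normalize(fingerprint)
    if not fp or fp not in allowed:
        # A valid signature is not enough: the key must be one the pipeline
        # has bound to a corporate identity and device.
        return Verdict(sha, False, f"key {fp or '<none>'} not on allowlist ({signer})")
    return Verdict(sha, True, f"signed by {signer}")


def gate(log_text: str, allowed_fingerprints: set[str]) -> list[Verdict]:
    """Run the check over every commit in the range."""
    allowed = {_normalize(fp) for fp in allowed_fingerprints}
    return [check_commit(*commit, allowed) for commit in parse_log(log_text)]


def pipeline_passes(log_text: str, allowed_fingerprints: set[str]) -> bool:
    """True only if every commit in the range is acceptable."""
    return all(v.ok for v in gate(log_text, allowed_fingerprints))


if __name__ == "__main__":
    import sys
    log = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    verdicts = gate(log, ALLOWED_FINGERPRINTS)
    for v in verdicts:
        print(f"{'PASS' if v.ok else 'FAIL'} {v.commit[:12]} {v.reason}")
    sys.exit(0 if all(v.ok for v in verdicts) else 1)
```

On the constructed sample the gate fails: the unsigned commit and the commit signed with a key that is not on the allowlist are both rejected, while Alice's and Bob's commits pass. Run it in CI with `git log ... | python3 gate.py`; the non-zero exit status stops the pipeline. Note that the runner needs the allowlisted public keys in its keyring, otherwise git reports status `E` and the gate fails closed, which is the safer failure.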
Setup is a one-time step per developer. Private keys are generated on an approved device and cannot be moved or transferred to another device, and which corporate users and devices may enroll is controlled by policy. The developer then connects their key to their Git account, and from that point Beyond Identity signs each Git commit in the background: there is no signing ceremony.
And that’s it. Developers set it up once and every commit is signed for them, which keeps software velocity up. The result is code provenance: what your developers built is what you shipped.