# Git Push Monitoring Nightfall monitors the following signals during a Git push operation: * The endpoint where the push originates * The user performing the push * The Git protocol (HTTPS / SSH) * The remote destination URL * The repository name and configured remotes ``` Managed Endpoint with Nightfall agent └── git push ├── Action: Git Push ├── Source: Managed device └── Destination: ├── Approved domain → Allowed └── Non‑approved domain → Exfiltration Event generated ``` A Git Push Monitoring policy evaluates where code is being pushed, not what is being pushed. If the destination does not match your approved Git domains, Nightfall generates an exfiltration event. **Supported Git Destinations** Git Push Monitoring supports: * GitHub Cloud * GitLab Cloud * Bitbucket * Any Git server accessible via HTTPS or SSH **Policy Configuration** 1. **Step 1: Define Approved Git Destinations** Customers define approved Git hosting locations using Domain Collections. Examples: * github.com/my‑company‑org/\* * gitlab.company.com/\* * bitbucket.org/company/\* These domains represent where source code is allowed to be pushed. 2. **Step 2: Configure Git Push Monitoring Policy** Policy Type: Endpoint Exfiltration\ Action: Git Push Destination Condition Options: * Any domain * Domain in approved list * Domain not in approved list (recommended) Recommended Configuration: ``` Action: Git Push For: Domain not in ``` This configuration alerts when developers push code outside approved repositories. **Example Use Cases** 1. **Prevent Personal GitHub Usage** 1. Approved: github.com/company‑org/\* 2. Detected: github.com/john‑doe/test‑repo 2. **Monitor Scratch or Temporary Repositories** 1. Even if the repository is newly created or unnamed, Nightfall detects the push if the destination domain is not approved. 3. **Enforce Corporate GitHub & GitLab Usage** 1. Ensure all production code stays within: 1. Corporate GitHub organizations 2. Internal GitLab instances **Event Details** When a Git push violates policy, Nightfall generates an event with metadata‑only context. **Event Summary Fields** | Field | Description | | --------------- | --------------------------- | | Event Type | Git Push | | Repository | Repository name | | Actor | User performing the push | | Device | Endpoint hostname | | Destination URL | Git remote URL | | Git Remotes | origin, personal, etc. | | Risk | Critical, High, Medium, Low | **Example Scenarios** The following scenarios illustrate the support matrix for this capability. 1. **Push to Approved Repository** 1. Git operation succeeds 2. No alert generated 2. **Push to Non‑Approved Repository** 1. Git operation succeeds (no blocking) 2. Exfiltration event generated 3. **HTTPS and SSH Both Supported** 1. Detection works for both authentication methods 4. **Multiple Remotes Supported** 1. Events reflect the actual remote used for the push 5. **Unmanaged Devices** 1. No detection occurs without an endpoint agent Git Push Monitoring provides organizations with a simple and effective control to: * Detect source code exfiltration * Enforce approved Git destinations * Gain visibility into developer Git activity --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://help.nightfall.ai/data-exfiltration-prevention/exfiltration_endpoint/policies/trigger/git-push-monitoring.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.