kmx git started as a front-end for git-auth, a simple rule-based ACL auth shell on top of git-shell.
Security is our main goal: private repos should not leak, and the whole system can be exposed on the web without trouble. I see many gitlab instances behind a VPN and I find this pointless. If your service cannot handle the web, it's just badly written, right?
It’s just basic Elixir / Phoenix handing off git tasks to the mainline git binary using Erlang ports. So if you care about security you should also audit git itself.
The main files to check are the controllers in lib/kmxgit_web/controllers and also a few files in lib/kmxgit/.
Even admins cannot get access to private source code through the app. They can only do so by bypassing the application, for instance if they already have a root shell on the host.
We do not track users or transmit any data to third parties except recaptcha just for login and register.
Please let us know if you find a bug by joining the Discord or sending us an email.