QP01 Version Control Practices
What this means
SiteShadow flagged signals that version control practices may be missing or discouraged: no git history or repository lock-in, code shared outside a VCS, or workflows that bypass review and traceability.
Why it matters
Without version control, auditing, rollback, and review are difficult.
- No reliable rollback during incidents.
- Harder to audit changes that introduced vulnerabilities.
- Weaker review discipline and higher chance of unsafe changes landing unnoticed.
Safer examples
1) Use git (or equivalent) for all code and configs
Include application code, infrastructure-as-code, and security config in version control.
2) Require PRs for changes
Use protected branches and require reviews for mainline merges.
3) Tag releases and maintain change history
Tagged releases and changelogs make incident response and rollback much faster, because responders can identify exactly which change set is running and which one to return to.
How SiteShadow detects it (high level)
- Looks for repository signals like missing VCS metadata, missing CI hooks, and patterns that indicate "changes land without traceability".
- Flags when critical config/code appears unmanaged or not reviewed.
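The checks below are an added example of the kind of repository signals this rule describes, written for this page; it is not SiteShadow's own detector and does not need git installed. It inspects a checkout for three things from the list above (VCS metadata, a release tag, a CI pipeline definition) and also builds two constructed sample trees so the checks can be run offline. The file names it looks for (.git/HEAD, .git/refs/tags, .github/workflows, .gitlab-ci.yml, Jenkinsfile) are assumptions about common layouts, not a list the page supplies.

```shell
#!/bin/sh
# Added example, not SiteShadow's detector. Offline check for the repository
# signals described in the rule. All file names below are assumptions about
# common layouts; extend them for the platforms your organisation uses.

# Print one finding per line for the directory given as $1; print nothing if clean.
vcs_findings() {
  dir=$1
  # Signal 1: no VCS metadata at all (no .git directory carrying a HEAD ref).
  if [ ! -f "$dir/.git/HEAD" ]; then
    echo "no-vcs-metadata"
  else
    # Signal 2: no release tags, neither loose refs nor entries in packed-refs.
    if [ -z "$(ls "$dir/.git/refs/tags" 2>/dev/null)" ] \
       && ! grep -q 'refs/tags/' "$dir/.git/packed-refs" 2>/dev/null; then
      echo "no-release-tags"
    fi
  fi
  # Signal 3: no CI hook (none of the common pipeline definitions present).
  if [ ! -d "$dir/.github/workflows" ] && [ ! -f "$dir/.gitlab-ci.yml" ] \
     && [ ! -f "$dir/Jenkinsfile" ]; then
    echo "no-ci-config"
  fi
}

# Number of findings for $1 (0 means the tree looks managed).
count_findings() {
  vcs_findings "$1" | grep -c . || true
}

# Constructed sample: a checkout with VCS metadata, one release tag and a CI
# workflow. Stands in for a well-managed repository.
make_sample_managed() {
  d=$(mktemp -d)
  mkdir -p "$d/.git/refs/tags" "$d/.github/workflows"
  echo "ref: refs/heads/main" > "$d/.git/HEAD"
  echo "0000000000000000000000000000000000000000" > "$d/.git/refs/tags/v1.0.0"
  echo "name: ci" > "$d/.github/workflows/ci.yml"
  echo "$d"
}

# Constructed sample: code copied around with no repository and no pipeline.
make_sample_unmanaged() {
  d=$(mktemp -d)
  echo "print('hello')" > "$d/app.py"
  echo "$d"
}

# Usage: report on both constructed samples. Run vcs_findings on a real
# checkout path to check your own tree.
for sample in "$(make_sample_managed)" "$(make_sample_unmanaged)"; do
  echo "== $sample"
  vcs_findings "$sample"
done
```

The managed sample produces no findings; the unmanaged one reports both no-vcs-metadata and no-ci-config. A real scanner would add signals the page mentions but this example does not model, such as whether mainline merges actually went through review.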
References
- OWASP Top 10: https://owasp.org/Top10/
---