I saw a somewhat scary story about a backdoor being added to the PHP source code repository. Apparently with an innocuous comment like "fix typo", they committed code to the main repo using the name of a maintainer. The issue was caught by a post commit review, but allowing users to commit to your VCS server while spoofing another is a problem.

I doubt this would happen inside an organization, where authentication and credentials are more controlled, but perhaps that's not the case. If someone got into your network, perhaps with a VPN vulnerability, would they be able to spoof another user and commit something to a git repo? That would be bad.

Maybe more important is having a process to review changes. Lots of organizations prevent commits directly to main without some review. Either automated testing or human review. In the case of security issues, I always worry about automated testing not accounting for the creativity of malicious actors. When someone comes up with a new attack vector, how long before a test is written to check for this?

I don't know about to what extent git itself is vulnerable to security issues. However, if you use any VCS, you ought to ensure that you manage access and credentials and security as carefully as you might manage access to your network. It seems that attacks against source code are on the rise. Perhaps that might be the next, new way that hackers think they can disrupt your business and profit from the problems.

With DevOps, security is a concern, and rapid deployments have a downside that the pace of review and testing can be overwhelming. On the other side, you can patch things quickly, which is what I'd be more concerned about.