QP01 Version Control Practices
What this means
SiteShadow flagged signals that version control practices may be missing or discouraged (no git history/lock-in, code shared outside VCS, or workflows that bypass review/traceability).
Why it matters
Without version control, auditing, rollback, and review are difficult.
- No reliable rollback during incidents.
- Harder to audit changes that introduced vulnerabilities.
- Weaker review discipline and higher chance of unsafe changes landing unnoticed.
Safer examples
1) Use git (or equivalent) for all code and configs
Include application code, infrastructure-as-code, and security config in version control.
2) Require PRs for changes
Use protected branches and require reviews for mainline merges.
3) Tag releases and maintain change history
Releases + changelogs make incident response and rollback much faster.
How SiteShadow detects it (high level)
- Looks for repository signals like missing VCS metadata, missing CI hooks, and patterns that indicate "changes land without traceability".
- Flags when critical config/code appears unmanaged or not reviewed.
References
- OWASP Top 10: https://owasp.org/Top10/
---
← Back to Vulnerability Library
Catch this with SiteShadow Pro.
This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.