
Exclude unverifiable files


Binary and other types of files, which are often not audited for security purposes, should not be stored in the source code repository.


Binary files are usually larger than their source counterparts, which degrades repository performance over time. Changes to them are hard for version control tools to track and cannot be meaningfully reviewed. Furthermore, security audits of binary files are more complicated or are simply not performed, and such files could contain serious vulnerabilities such as backdoors, rootkits and exposed sensitive information.
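As an added example (not part of this requirements page or of any project's own tooling), the following Python script implements the kind of check a CI job or pre-commit hook can run to enforce this requirement: it walks a checkout, flags files whose content looks binary using the same NUL-byte and control-character heuristics that `git` and `file` rely on, and reports those not covered by an accepted exception such as image files. The accepted extension set, the 30% control-character threshold and the constructed sample tree are assumptions of the example.

```python
import os
import tempfile
from pathlib import Path

# Extensions accepted as exceptions. The page names image files as an
# exception; this concrete extension set is an assumption of the example.
IMAGE_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".svg", ".ico", ".webp"}

# git treats a file as binary when a NUL byte appears in its first 8000 bytes;
# the same window is used here.
SAMPLE_SIZE = 8000

# Bytes that legitimately occur in text: BEL, BS, TAB, LF, FF, CR, ESC and
# everything printable or high-bit (UTF-8 continuation bytes live here).
TEXT_CHARS = bytes({7, 8, 9, 10, 12, 13, 27} | set(range(0x20, 0x100)))

# Fraction of "non-text" bytes above which a sample is treated as binary
# (assumed threshold, in the spirit of the file(1) heuristic).
NON_TEXT_RATIO = 0.30


def is_binary(data: bytes) -> bool:
    """Return True when the content sample looks like binary rather than text."""
    sample = data[:SAMPLE_SIZE]
    if not sample:
        return False                      # empty files are harmless
    if b"\x00" in sample:
        return True                       # NUL never appears in source text
    non_text = sample.translate(None, TEXT_CHARS)  # delete the text bytes
    return len(non_text) / len(sample) > NON_TEXT_RATIO


def classify(path: Path, allowed_exts=IMAGE_EXTENSIONS) -> str:
    """Classify one file as 'text', 'allowed-binary' or 'unverifiable'."""
    if not is_binary(path.read_bytes()):
        return "text"
    if path.suffix.lower() in allowed_exts:
        return "allowed-binary"
    return "unverifiable"


def find_unverifiable_files(root, allowed_exts=IMAGE_EXTENSIONS) -> list:
    """Walk a checkout and return repo-relative paths of binaries that
    are not covered by an accepted exception."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or ".git" in path.parts:
            continue                      # skip git's own object store
        if classify(path, allowed_exts) == "unverifiable":
            findings.append(path.relative_to(root).as_posix())
    return sorted(findings)


def build_sample_tree(root) -> None:
    """Create a constructed sample checkout: two text files, an image
    (allowed binary), a shared library and a jar (both unverifiable)."""
    files = {
        "README.md": b"# demo\n",
        "src/app.py": b"print('hello')\n",
        "assets/logo.png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
        "vendor/helper.so": b"\x7fELF\x02\x01\x01\x00" + bytes(16),
        "build/app.jar": b"PK\x03\x04\x14\x00\x00\x00\x08\x00",
    }
    for rel, content in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)


def demo() -> list:
    """Build the sample tree in a temp dir and return what the check reports."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return find_unverifiable_files(tmp)


if __name__ == "__main__":
    # Run against the current directory when used as a hook, or show the demo.
    for rel in demo():
        print(f"unverifiable file committed: {rel}")
```

In a real hook the call would be `find_unverifiable_files(".")` on the working tree, with a non-zero exit when the list is non-empty; the demo run reports `build/app.jar` and `vendor/helper.so` and accepts `assets/logo.png` because of the image exception. Keeping the exception list explicit and short matters: every extension added to it is content that reviewers will never read.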


  • Image files.


  • CWE-510: Trapdoor: A trapdoor is a hidden piece of code that responds to a special input, allowing its user access to resources without passing through the normal security enforcement mechanism.

  • OWASP ASVS v4.0.1 V10.2 Malicious Code Search (10.2.3): Verify that the application source code and third party libraries do not contain backdoors, such as hard-coded or additional undocumented accounts or keys, code obfuscation, undocumented binary blobs, rootkits or anti-debugging, insecure debugging features, or otherwise out of date, insecure, or hidden functionality that could be used maliciously if discovered.