Secure Source Manager overview
Instances and repositories
Secure Source Manager instances are deployed to an available Google Cloud region and are accessible through their instance URIs. Repositories are created in the Secure Source Manager instance by using the web interface or the Secure Source Manager API.
Separate roles and permissions are available for instances and repositories. See Access control with IAM for information on all Secure Source Manager roles and permissions.
Git actions
Repositories support all Git SCM client commands and have built-in pull requests and issue tracking. Both HTTPS and SSH authentication are supported.
For more information on SSH authentication, see SSH authentication.
To get started using Git source code with Secure Source Manager, see Use Git SCM.
Issues and pull requests
You can create issues and pull requests in the Secure Source Manager web interface. You can add reviewers, labels, milestones, assignees, and due dates to your pull requests. You can open an issue on a specific branch or tag, and add labels, milestones, and assignees to the issue. For more information on issues and pull requests, see Work with issues and pull requests.
Notifications
Secure Source Manager can send you notifications for events in pull requests and issues in which you're participating or for repositories you're watching.
For more information on notifications, read the Notifications overview or get started with notifications by following the instructions in Set up notifications.
Developer Connect integration
You can connect Secure Source Manager to Developer Connect to unify repository connections across Google Cloud services. Connecting to Developer Connect lets you use its Git proxy feature for secure access to your Secure Source Manager repositories. This enables features like Private Google Access for Secure Source Manager repositories, letting you fetch code from Secure Source Manager without exposing your instance to the public internet.
The Developer Connect Git proxy only supports read operations such as git clone. git push operations are not supported with Git proxy.
For information on connecting Secure Source Manager to Developer Connect, see Configure Developer Connect for Secure Source Manager. For more information on using Git proxy, see Configure and use Developer Connect proxy.
Connect to other services
You can invoke builds automatically using the following methods:
- Create a Secure Source Manager triggers file to connect to Cloud Build.
- Use Secure Source Manager webhooks to connect to Jenkins or other services.
For information on connecting to Cloud Build, see Connect to Cloud Build.
For information on connecting to Jenkins, see Connect to Jenkins.
Protect branches
When enabled, protected branches block commits based on configurable rules. You can configure multiple branch protection rules for different sets of branches.
The following branch protection options are configurable:
- Specify a single branch to apply the branch protection rule to, or apply the branch protection rule to all branches.
- Require pull requests before merging into protected branches.
- Set the required number of reviewers and approvers before a pull request can be merged into a protected branch.
- Block merging a pull request if new commits are added after approvals are granted.
- Require comments to be resolved before merging into a protected branch.
- Require a linear Git history.
- Require successful build status checks before merging a pull request into a protected branch.
For more information on protecting branches in Secure Source Manager, see Branch protection overview.
Encrypt data
By default, Google Cloud automatically encrypts data when it is at rest using encryption keys managed by Google. If you have specific compliance or regulatory requirements related to the keys that protect your data, you can use customer-managed encryption keys (CMEK) for creating a Secure Source Manager instance.
When you enable CMEK, data at rest in the instance is encrypted using a key that you manage within Cloud Key Management Service. You can control access to the CMEK key using Identity and Access Management. If you temporarily disable or permanently destroy the CMEK key, data encrypted with that key cannot be accessed. For more information on creating Secure Source Manager instances using CMEK, see Customer-managed encryption keys.
Security compliance
Secure Source Manager is in compliance with the following certifications:
Configure a private Secure Source Manager instance in a VPC Service Controls perimeter
You can use Secure Source Manager in a VPC Service Controls perimeter in order to guard against data exfiltration. For more information, see Configure Secure Source Manager in a VPC Service Controls perimeter.
What's next
- Enable the Secure Source Manager API.
- Create a Secure Source Manager instance.
- Create and clone a Secure Source Manager repository.
- Read about Software supply chain security.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-19 UTC.