Here's the scenario...
I have a git repository on a server that may have been compromised. My development team say that they can trust the files in the directory that houses the git repository because all commits (diffs) and new files being added to the repository are checked and signed off by the repository 'owner' and any new files would show as new to the local version when a status or pull is made.
However I believe that if a person has compromised the server on which the git repository is housed, there must be some way to add a file to that repository and cover it up so that when a developer does their next pull, the new file doesn't show up in their git status. Is this the case?