Ken Muse

Layering Approaches for Secure Secrets
You’ve learned about individual secret management techniques, but the real power comes from combining them. In this final post of the series, I’ll show you how to layer multiple approaches to create defense-in-depth security that actually works in practice. Through real-world examples – from GitHub Actions to dev containers – you’ll see how to transform isolated techniques into comprehensive strategies that protect your secrets at every level.

More Ways to Secure Secrets
What if you could eliminate static secrets entirely? That’s the promise of modern cloud-native approaches, but they come with their own tradeoffs. In this second post of the series, I’ll take you beyond traditional storage methods to explore federated identities, managed identities, and secret vaults. You’ll learn when each approach makes sense and how to protect yourself from the new attack vectors they introduce.

Securing Access to Secrets
Every application needs secrets, but keeping them secure while making them available when needed is tricky! In this first post of the series, I’ll walk you through common storage approaches – from simple files to hardware security modules – exploring their strengths, weaknesses, and how to make each one more secure.

Custom GitHub Runner Images With Pre- and Post-Job Scripts
GitHub finally let us build custom runner images, and today I’m going to be exploring what that means and how you can use it. I’ll show you how to bake your own images, add pre-job hooks that can set up and validate your environment before your workflow starts, and take advantage of caching to speed up your builds and reduce network egress.

Using Azure Flexible Federation With GitHub Actions
Have you ever wished you could tighten your OIDC integration between Azure and GitHub? Ever wanted to restrict the connection to specific workflows instead of entire repositories? In this post, I’ll explore Azure’s flexible federated identity credentials and how you can use custom expressions to validate OIDC token claims.

How I Avoided Shai-Hulud's Second Coming (Part 2)
In Part 1, I shared how disabling package scripts and using dev containers saved me from Shai-Hulud. But those were just the first two layers. Here’s where things get interesting – I’ll show you how signed commits can catch unauthorized changes before they happen, and how repository protections created a final safety net. These aren’t theoretical security measures. They’re the same practical defenses I use every single day.

How I Avoided Shai-Hulud's Second Coming (Part 1)
When the Shai-Hulud v2 supply chain attack hit last week, I watched thousands of developers scramble to check their systems. Mine? I was able to mark it as safe. This was because I’d already layered in some straightforward security practices. If you’re wondering how to protect your own development environment from these kinds of attacks, I’ll walk you through the exact configurations and tools I use every day that kept me safe.

Understanding IPv6: From GitHub's IPs to Kubernetes and ARC
IPv6 isn’t just coming – it’s here. If you’re managing a network or communicating with the internet, you need to understand how IPv6 affects your infrastructure and deployments. In this post, I will explore the basics of what IPv6 really means, how it works with the DevOps tools you use every day (such as GitHub, Docker containers, and Kubernetes), and how GitHub Actions Runner Controller’s latest update improves support for IPv6.

The Hidden Danger in Git Ref Names
A creepy real-world branch name showed how a single Git ref can execute code in your Actions workflow and poison releases. See how the trick works, why it succeeded, and the quick fixes that turn a weaponized ref back into harmless text.
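As an added illustration of the mechanism this summary refers to (this is example code, not the post's own, and the branch name below is constructed, not the real one the post describes), the following script models what a GitHub Actions runner does with `${{ github.head_ref }}` inside a `run:` step: the expression is expanded as plain text before the shell ever parses the script, so a ref name containing shell metacharacters becomes code. The `vulnerable_run` and `hardened_run` functions are local stand-ins for that expansion, and `is_clean_ref` is an assumed extra allowlist check, not something the page specifies:

```shell
#!/bin/sh
# Added example (not from the original post): a local model of how a GitHub
# Actions `run:` step can be hijacked by a ref name, and the env-var fix.
#
# In a workflow, `${{ github.head_ref }}` inside `run:` is expanded by the
# runner as plain text *before* the shell sees the script. The two functions
# below reproduce that expansion locally so the effect can be observed
# without a runner.

# Hypothetical attacker-controlled branch name, constructed for this example.
# A real ref can contain ';', '$', '`', quotes and other shell metacharacters.
EVIL_REF='feature; echo INJECTED'

# Weak pattern, equivalent to the workflow step:
#   - run: echo Building ${{ github.head_ref }}
# The expression is spliced into the script text, so the shell parses the
# ref name as code.
vulnerable_run() {
    expanded="echo Building $1"   # what the runner hands to the shell
    sh -c "$expanded"
}

# Hardened pattern, equivalent to the workflow step:
#   - env:
#       REF: ${{ github.head_ref }}
#     run: echo Building "$REF"
# The expression is delivered through the environment; the script text only
# contains the literal "$REF", which the shell expands as data, not code.
hardened_run() {
    REF="$1" sh -c 'echo Building "$REF"'
}

# Assumed extra check: reject refs outside a conservative character
# allowlist before reusing them in release tags, file names or artifact paths.
is_clean_ref() {
    case "$1" in
        ''|*[!A-Za-z0-9._/-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Demonstration when run directly.
echo '--- vulnerable ---'
vulnerable_run "$EVIL_REF"      # prints "Building feature" then "INJECTED"
echo '--- hardened ---'
hardened_run "$EVIL_REF"        # prints the ref verbatim as one line
if is_clean_ref "$EVIL_REF"; then echo 'ref accepted'; else echo 'ref rejected'; fi
```

The same rule applies to every attacker-influenced context value used in `run:` (branch names, PR titles, commit messages): pass it through `env:` and quote it in the script rather than interpolating it into the script text.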

The Key to a Secure CI/CD Process
Many companies and teams focus on technical security solutions that lock down development and innovation to avoid risk. To protect their systems, they often end up making it harder for developers to do their jobs (and less secure in the process). What if I told you there was a better way? If you start with people and process first, you can create a secure CI/CD pipeline that balances safety and speed.
