Security - Ken Muse

Configuring GitHub Runners With a Dotfiles Action

Fri, 23 Jan 2026 00:00:00 -0500

Transform your dotfiles repo into a GitHub Action that secures runners without tokens or manual cloning.

Masking Sensitive Information on GitHub Runner Custom Images

Mon, 22 Dec 2025 00:00:00 -0500

Learn the best way to protect sensitive information from leaking into the logs on GitHub runner custom images during both build-time and run-time.

Using GitHub Custom Images with OIDC

Fri, 19 Dec 2025 00:00:00 -0500

Learn how to use OIDC tokens in GitHub Actions custom images to authenticate with private container registries without storing credentials.

Layering Approaches for Secure Secrets

Fri, 12 Dec 2025 00:00:00 -0500

Learn to layer secret management techniques through practical examples that build defense-in-depth security for GitHub Actions, containers, and more.

More Ways to Secure Secrets

Wed, 10 Dec 2025 00:00:00 -0500

Move beyond static credentials with federated auth, managed identities, and secret vaults -- learn the tradeoffs and security considerations.

Securing Access to Secrets

Mon, 08 Dec 2025 00:00:00 -0500

Explore practical approaches to storing secrets securely, from files to HSMs, with real-world hardening strategies you can implement today.

Custom GitHub Runner Images With Pre- and Post-Job Scripts

Fri, 05 Dec 2025 00:00:00 -0500

Learn how to capture custom GitHub-hosted runner images, add pre- and post-job hooks, and make them part of your daily workflows.

Using Azure Flexible Federation With GitHub Actions

Tue, 02 Dec 2025 00:00:00 -0500

Use Azure flexible federated identity credentials with GitHub Actions to secure your workflows with custom OIDC claims approval expressions.

How I Avoided Shai-Hulud's Second Coming (Part 2)

Fri, 28 Nov 2025 00:00:00 -0500

How signed commits and repository protections completed my defense against the Shai-Hulud supply chain attack.

How I Avoided Shai-Hulud's Second Coming (Part 1)

Wed, 26 Nov 2025 00:00:00 -0500

Simple security practices that protected my dev environment from the Shai-Hulud supply chain attack -- and how you can use them too.

The Hidden Danger in Git Ref Names

Fri, 31 Oct 2025 00:00:00 -0400

A Halloween lesson: how a weaponized Git branch name let attackers inject code via a GitHub expression and the simple steps you can take to block it.

The Key to a Secure CI/CD Process

Mon, 20 Oct 2025 00:00:00 -0400

Learn how to create a secure CI/CD pipeline by starting with securing your most important asset: your people.

Restricting IP Access on GitHub-Hosted Runners

Thu, 16 Oct 2025 00:00:00 -0400

Restrict outbound DNS and IP access on GitHub-hosted runners using iptables, ip6tables, and DNS-over-HTTPS blocking to harden your CI/CD.

Restricting DNS Access on GitHub-Hosted Runners

Mon, 13 Oct 2025 00:00:00 -0400

Learn how to restrict DNS resolution and improve CI/CD security on GitHub-hosted runners by using a local Unbound allow list.

How to Dynamically Authenticate With Git

Tue, 06 May 2025 00:00:00 -0400

Discover practical techniques for dynamically authenticating with Git using environment variables or secret vaults to retrieve user credentials.

How Does Git Authentication Work?

Sat, 03 May 2025 00:00:00 -0400

Discover the intricacies of Git authentication, how it works, and how to configure credential helpers to allow fine-grained control over authentication.

Retrieving Properties From a Gitsigned Commit

Wed, 16 Apr 2025 00:00:00 -0400

Learn how to extract and validate signed Git commits using the Gitsign certificates and OpenSSL to enhance your software supply chain security.

Using Gitsign for Keyless Git Commit Signing

Sat, 12 Apr 2025 00:00:00 -0400

Use Gitsign and GitHub Actions for keyless Git commit signing to enhance supply chain security and ensure code provenance without managing private keys.

Inside My Home Automation Journey

Tue, 18 Feb 2025 00:00:00 -0500

How we learned to ditch data leaks and embrace local IoT control for ultimate privacy and smarter living.

The Most Dangerous Phrase in Software Development

Sat, 01 Feb 2025 00:00:00 -0500

Discover why "it should work" is software development's most dangerous phrase and how this mindset leads to unreliable, untested code.

Fashion, DevOps, and Certificates

Sat, 20 Apr 2024 00:00:00 -0400

Google has announced an initiative that will change the way certificates are issued, impacting 50% of companies. Are your dev practices up for the challenge?

Automating Azure OIDC Application Federation

Mon, 22 Jan 2024 00:00:00 -0500

I was recently asked if I knew how to automate creating Azure Entra ID (formerly Active Directory) applications. More specifically, they wanted to know if they could use PowerShell to automate creating the OIDC federation between Azure AD and GitHub. To do this, we just need to use a few PowerShell modules that save us the trouble of crafting several REST calls. These modules work with PowerShell 5.x and 7.x.

GitHub Actions Injection Attacks

Thu, 21 Dec 2023 00:00:00 -0500

Security is important, even in your CI/CD processes. Learn the basics of injection exploits with GitHub Actions and how to avoid them.

Understanding OIDC and Identity Federation

Fri, 24 Nov 2023 00:00:00 -0500

Adopting OIDC can be challenging for teams that don't understand how the process works. This post explores OIDC and explains what's happening under the covers.

The Hidden Dangers in Dependencies

Thu, 14 Sep 2023 00:00:00 -0400

When it comes to code, what you don't know can hurt you. Dependencies come with more security considerations than most people realize. Learn to tighten it up!

Understanding Certificate Authorities

Thu, 27 Jul 2023 00:00:00 -0400

Certificates rely need a system of trust, and this starts with certificate authorities (CAs). In this post, we'll explore both CAs and self-signed certificates.

Understanding X.509 Certificates

Thu, 20 Jul 2023 00:00:00 -0400

Despite decades of use, certificates tend to be a mystery to most developers. In today's post, we explore the basics of certificates and take a peak inside.

Preventing GitHub Actions Injection Attacks

Fri, 07 Apr 2023 00:00:00 -0400

Everything coded can be exploited, including GitHub Actions. The powerful expressions syntax can also break your systems. Learn better ways to handle them.

Security Theater - The Illusion of Compliance

Thu, 10 Nov 2022 00:00:00 -0500

Trying to secure code is no easy task. It takes real effort to build a product and keep it secure. As we try to shift left and build security into our applications, we are pushed to learn new ways to meet these goals. One of those ways is to use tools. Unfortunately, the complexities of security make it very easy for companies to offer quick fixes and simple solutions. They offer security theater. If you’re not familiar with the term, security theater is when you create measures that give the illusion of security while doing little or nothing to actually secure anything.