A creepy real-world branch name showed how a single Git ref can execute code in your Actions workflow and poison releases. See how the trick works, why it succeeded, and the quick fixes that turn a weaponized ref back into harmless text.
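The mechanism behind that post, as an added shell example that is not the post's own code: the Actions runner textually substitutes a `${{ github.head_ref }}` expression into a `run:` script before the shell parses it, so quotes and semicolons inside the ref become shell syntax. The branch name below is constructed for the demo, and the `run_unsafe`/`run_safe` functions simulate a step both ways; nothing here talks to GitHub.

```shell
#!/usr/bin/env sh
# Added example, not code from the original post. Simulates why a branch name
# can execute as code in a GitHub Actions step, and why passing it through an
# environment variable turns it back into plain text.

# Constructed attacker-controlled ref for the demo (not a real-world branch).
EVIL_REF='x"; echo INJECTED; echo "'

# Unsafe pattern:   run: echo "Deploying ${{ github.head_ref }}"
# The runner replaces the ${{ }} expression with the ref's raw text before the
# shell ever sees the script. render_unsafe reproduces that substitution.
render_unsafe() {
  printf 'echo "Deploying %s"\n' "$1"
}

run_unsafe() {
  sh -c "$(render_unsafe "$1")"
}

# Fixed pattern:
#   env:
#     REF: ${{ github.head_ref }}
#   run: echo "Deploying $REF"
# The script text is now constant; the shell expands "$REF" as data, never
# as code, whatever characters the ref contains.
run_safe() {
  REF="$1" sh -c 'echo "Deploying $REF"'
}

# Defense in depth: refuse refs outside a conservative character set before
# using them anywhere else (paths, tag names, release notes).
is_plain_ref() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9._/-]+$'
}

if [ "${1:-}" = demo ]; then
  echo "--- unsafe: injected command runs ---"; run_unsafe "$EVIL_REF"
  echo "--- safe: ref printed literally ---";   run_safe "$EVIL_REF"
  is_plain_ref "$EVIL_REF" || echo "ref rejected by allowlist"
fi
```

Run it as `sh ref-injection.sh demo` (file name assumed). The unsafe path prints `INJECTED` on its own line because the injected `echo` became a separate command; the safe path prints the whole ref, quotes and all, as one string. The same reasoning applies to every other attacker-influenced context (`github.event.pull_request.title`, commit messages, issue bodies): pass them through `env:` and never interpolate them into `run:`.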
Many companies and teams focus on technical security solutions that lock down development and innovation to avoid risk. To protect their systems, they often end up making it harder for developers to do their jobs (and less secure in the process). What if I told you there was a better way? If you start with people and process first, you can create a secure CI/CD pipeline that balances safety and speed.
Securing DNS isn’t necessarily enough to protect your CI/CD environments. An application can connect directly to an IP address or talk to an outside DNS service. In this post you’ll learn how to use iptables and ip6tables to restrict outbound DNS and block common DNS-over-HTTPS providers on GitHub-hosted runners.
Lately I’ve seen people spin up self-hosted runners just to lock down network egress. That creates maintenance overhead – and your time is valuable. You may not realize this, but you can restrict outbound domains while still using GitHub-hosted runners. In this post you’ll learn how to use a local Unbound allowlist so only approved domains resolve.
Need to authenticate with different Git repositories using various credentials? This post explores how to dynamically authenticate with Git using credential helpers, environment variables, and secret management systems.
Ever wondered how Git actually authenticates with remote repositories? Ever needed to configure different credentials to access different repositories? This article dives into the inner workings of Git authentication, exploring the role of credential helpers, how they are implemented, and how to customize them for your needs.
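To make the credential-helper mechanism from the two posts above concrete, here is an added example (not the articles' own code) of a minimal helper implementing the `get` action of Git's credential protocol: Git invokes the helper as `<helper> get`, writes `key=value` request lines (`protocol=`, `host=`, optionally `path=`) to its stdin terminated by a blank line, and reads `username=`/`password=` lines back on stdout. The tokens and host-to-credential mapping are constructed for the demo.

```shell
#!/usr/bin/env sh
# Added example, not code from the original articles: a minimal Git credential
# helper. Git runs `<helper> get|store|erase`; only `get` does real work here.

# Constructed sample secrets for the demo. A real helper would fetch these from
# a secret manager or from environment variables injected by the CI system.
GITHUB_TOKEN_DEMO='ghp_constructed_example'
GITLAB_TOKEN_DEMO='glpat_constructed_example'

# Read the request Git sends on stdin (key=value lines, then a blank line) and
# answer with a username/password pair for hosts we know. Printing nothing is
# a valid answer: Git then falls through to the next configured helper.
credential_get() {
  host= protocol=
  while IFS= read -r line; do
    [ -z "$line" ] && break
    case $line in
      host=*)     host=${line#host=} ;;
      protocol=*) protocol=${line#protocol=} ;;
    esac
  done
  # Never hand a token to a plaintext http remote.
  [ "$protocol" = https ] || return 0
  case $host in
    # x-access-token is the username convention for GitHub App tokens; any
    # non-empty username works for personal access tokens.
    github.com) printf 'username=%s\npassword=%s\n' x-access-token "$GITHUB_TOKEN_DEMO" ;;
    gitlab.com) printf 'username=%s\npassword=%s\n' oauth2 "$GITLAB_TOKEN_DEMO" ;;
    *) ;;
  esac
}

# Dispatcher. `store` and `erase` are accepted and ignored so that Git does not
# report an error after a successful or failed authentication.
main() {
  case ${1:-} in
    get)         credential_get ;;
    store|erase) cat >/dev/null ;;
    *) echo "usage: $0 get|store|erase" >&2; return 2 ;;
  esac
}

if [ $# -gt 0 ]; then
  main "$@"
fi
```

Wire it up with an absolute path, globally or scoped to one host, and exercise it without a network call using Git's own plumbing (helper file name assumed):

`git config --global credential.helper /opt/ci/git-cred-helper.sh`, or `git config credential.https://github.com.helper /opt/ci/git-cred-helper.sh` for a single host, then `printf 'protocol=https\nhost=github.com\n\n' | git credential fill`. Git only includes a `path=` line in the request when `credential.useHttpPath` is set, which is what lets a helper hand out different tokens for different repositories on the same host.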
So many times, teams use “it should work” as the reason why their software or processes don’t require testing. For example, the code is so simple, it should work. Or, the code was tested on Linux, so it should work on Windows. In reality, this can be dangerous at best … and fatal at worst.
GitHub Advanced Security (GHAS) helps teams to shift left and secure their development practices. But what do you do when its processes and practices don’t quite fit your team’s approach? In this post, we’ll look at how to use GitHub Probot to implement your own process in a GitHub-native way.
Do you know what the main threat is to your CI/CD systems? It’s not the code you write, the tools you use, or the cloud provider you rely on. It’s the supply chain, and that is frequently the most vulnerable part of the development process. Today, let’s understand why.