Security is at the heart of what we do in DevOps (if we’re doing it right). This includes protecting our CI/CD processes from malicious users and behaviors. One of the more interesting exploit vectors with build and release pipelines is a classic: the injection attack. This post reviews the basics of injection exploits and shows you how to easily avoid them.

With the rise of OIDC, we no longer need to rely on secret keys or passwords to connect two services together. Instead, we can configure a trust relationship between the services and use that to securely request tokens for accessing resources. Adopting this approach can simplify things, but it can be scary for security teams and developers; they want to understand what makes this process work. In this post, walk through what’s happening under the covers.

I like having my SSH commit signing automatically configured. In a previous article, I discussed how you can do this using your dotfiles repository. If you want to add support for reading the SSH keys from 1Password, then there are just a few more things you need to know.

With automation you can simplify many things as a developer. This includes automating the process of configuring commit signing with dotfiles.

What you don’t know can hurt you, especially when it comes to code. Dependency chains can tend to have more security considerations than most people realize. In fact, most dependencies have far more abilities than most developers realize …

For certificates to work, we need a system of trust. We need to know that each certificate is valid and was properly issued. This is the role of the certificate authorities (CAs). In the second part of this series, we’ll explore the role of CAs and how certificates are validated. We’ll also look at creating a private CA using a self-signed certificate.

Despite decades of use, certificates tend to be a mystery to most developers. At their root, they are largely more than a collection of name-value pairs and a public key. The majority of people that work with certificates regularly often run into situations where they need to understand the details of how they work. In this post, we’ll dive into the basics and learn what’s in these files.

GitHub Actions Workflows can provide a great abstraction layer for creating or orchestrating build and release processes. Since we’re running code – in some cases, from third-parties – it’s important to understand how to secure the environment from malicious Actions. This is where permissions can help.

If you can code it, someone will find a way to exploit it ( accidentally or intentionally). Anytime development efforts are involved, it’s important to minimize security risks and bugs. This is also true with GitHub Actions, which allows you to script advanced automation solutions. Because of this, it’s important to understand where injection can occur and how to avoid it.

GitHub has a lot of options for verified domains. Have you ever wondered what they all do, when to use them, and how they help keep your brand secure? Then today’s topic is for you!