Security - Ken Muse

Pinning VS Code Extensions to Fight Supply Chain Attacks

Thu, 30 Apr 2026 00:00:00 -0400

Pin VS Code extension versions in dev containers to prevent supply chain attacks. Treat extension updates like dependency upgrades -- deliberate and reviewed.

Rootless Docker and Its Hidden Security Trade-Offs

Thu, 23 Apr 2026 00:00:00 -0400

Explore how rootless Docker uses user namespaces, why kernel developers have concerns about the attack surface, and what unconfined flags really disable.

How Docker Uses Root Privileges

Thu, 16 Apr 2026 00:00:00 -0400

Trace how Docker's daemon, socket, image builds, and BuildKit all rely on root-level Linux kernel privileges.

Building Container Isolation From the Linux Kernel Up

Thu, 09 Apr 2026 00:00:00 -0400

Build container isolation from scratch with Linux namespaces and cgroups to understand the kernel features Docker uses.

GitHub Agentic Workflows Bring AI Agents to Actions

Fri, 13 Feb 2026 00:00:00 -0500

Explore GitHub's new Agentic Workflows -- AI coding agents in GitHub Actions with defense-in-depth security and natural language automation.

Configuring GitHub Runners With a Dotfiles Action

Fri, 23 Jan 2026 00:00:00 -0500

Transform your dotfiles repo into a GitHub Action that secures runners without tokens or manual cloning.

Masking Sensitive Information on GitHub Runner Custom Images

Mon, 22 Dec 2025 00:00:00 -0500

Learn the best way to protect sensitive information from leaking into the logs on GitHub runner custom images during both build-time and run-time.

Using GitHub Custom Images with OIDC

Fri, 19 Dec 2025 00:00:00 -0500

Learn how to use OIDC tokens in GitHub Actions custom images to authenticate with private container registries without storing credentials.

Layering Approaches for Secure Secrets

Fri, 12 Dec 2025 00:00:00 -0500

Learn to layer secret management techniques through practical examples that build defense-in-depth security for GitHub Actions, containers, and more.

More Ways to Secure Secrets

Wed, 10 Dec 2025 00:00:00 -0500

Move beyond static credentials with federated auth, managed identities, and secret vaults -- learn the tradeoffs and security considerations.

Securing Access to Secrets

Mon, 08 Dec 2025 00:00:00 -0500

Explore practical approaches to storing secrets securely, from files to HSMs, with real-world hardening strategies you can implement today.

Custom GitHub Runner Images With Pre- and Post-Job Scripts

Fri, 05 Dec 2025 00:00:00 -0500

Learn how to capture custom GitHub-hosted runner images, add pre- and post-job hooks, and make them part of your daily workflows.

Using Azure Flexible Federation With GitHub Actions

Tue, 02 Dec 2025 00:00:00 -0500

Use Azure flexible federated identity credentials with GitHub Actions to secure your workflows with custom OIDC claims approval expressions.

How I Avoided Shai-Hulud's Second Coming (Part 2)

Fri, 28 Nov 2025 00:00:00 -0500

How signed commits and repository protections completed my defense against the Shai-Hulud supply chain attack.

How I Avoided Shai-Hulud's Second Coming (Part 1)

Wed, 26 Nov 2025 00:00:00 -0500

Simple security practices that protected my dev environment from the Shai-Hulud supply chain attack -- and how you can use them too.

The Hidden Danger in Git Ref Names

Fri, 31 Oct 2025 00:00:00 -0400

A Halloween lesson: how a weaponized Git branch name let attackers inject code via a GitHub expression and the simple steps you can take to block it.

The Key to a Secure CI/CD Process

Mon, 20 Oct 2025 00:00:00 -0400

Learn how to create a secure CI/CD pipeline by starting with securing your most important asset: your people.

Restricting IP Access on GitHub-Hosted Runners

Thu, 16 Oct 2025 00:00:00 -0400

Restrict outbound DNS and IP access on GitHub-hosted runners using iptables, ip6tables, and DNS-over-HTTPS blocking to harden your CI/CD.

Restricting DNS Access on GitHub-Hosted Runners

Mon, 13 Oct 2025 00:00:00 -0400

Learn how to restrict DNS resolution and improve CI/CD security on GitHub-hosted runners by using a local Unbound allow list.

How to Dynamically Authenticate With Git

Tue, 06 May 2025 00:00:00 -0400

Discover practical techniques for dynamically authenticating with Git using environment variables or secret vaults to retrieve user credentials.

How Does Git Authentication Work?

Sat, 03 May 2025 00:00:00 -0400

Discover the intricacies of Git authentication, how it works, and how to configure credential helpers to allow fine-grained control over authentication.

Inside My Home Automation Journey

Tue, 18 Feb 2025 00:00:00 -0500

How we learned to ditch data leaks and embrace local IoT control for ultimate privacy and smarter living.

The Most Dangerous Phrase in Software Development

Sat, 01 Feb 2025 00:00:00 -0500

Discover why "it should work" is software development's most dangerous phrase and how this mindset leads to unreliable, untested code.

Implementing Processes for GHAS using GitHub Probot

Fri, 16 Aug 2024 00:00:00 -0400

GitHub Advanced Security helps teams to shift left and secure their development. When its processes don't quite fit the team's approach, it's time for Probot!

Supply Chain Security in CI/CD Systems

Thu, 02 May 2024 00:00:00 -0400

Your supply chain is frequently the most vulnerable part of your development process. In this post, we'll explore how you can protect your CI/CD systems.

Fashion, DevOps, and Certificates

Sat, 20 Apr 2024 00:00:00 -0400

Google has announced an initiative that will change the way certificates are issued, impacting 50% of companies. Are your dev practices up for the challenge?

Automating Azure OIDC Application Federation

Mon, 22 Jan 2024 00:00:00 -0500

I was recently asked if I knew how to automate creating Azure Entra ID (formerly Active Directory) applications. More specifically, they wanted to know if they could use PowerShell to automate creating the OIDC federation between Azure AD and GitHub. To do this, we just need to use a few PowerShell modules that save us the trouble of crafting several REST calls. These modules work with PowerShell 5.x and 7.x.

GitHub Actions Injection Attacks

Thu, 21 Dec 2023 00:00:00 -0500

Security is important, even in your CI/CD processes. Learn the basics of injection exploits with GitHub Actions and how to avoid them.

Understanding OIDC and Identity Federation

Fri, 24 Nov 2023 00:00:00 -0500

Adopting OIDC can be challenging for teams that don't understand how the process works. This post explores OIDC and explains what's happening under the covers.

Automatic SSH Commit Signing With 1Password

Fri, 10 Nov 2023 00:00:00 -0500

Learn how to automate SSH commit signing with 1Password and dotfiles to enable others to verify the authenticity of your Git commits.

Automatic SSH Commit Signing With Dotfiles

Thu, 19 Oct 2023 00:00:00 -0400

I previously talked about how dotfiles can improve the development experience. By automating the processing of setting up your environment, you are free to focus on more important things. One of the more mundane tasks for developers is setting up commit signing and verification. By doing this, others can verify that you are the author of a specific commit. It just requires some setup, especially if you want automatic support in your dev containers. For these examples, I’m going to use SSH-based commit signing. It’s a common approach, and it doesn’t require sharing a private key between environments.

The Hidden Dangers in Dependencies

Thu, 14 Sep 2023 00:00:00 -0400

When it comes to code, what you don't know can hurt you. Dependencies come with more security considerations than most people realize. Learn to tighten it up!

Understanding Certificate Authorities

Thu, 27 Jul 2023 00:00:00 -0400

Certificates rely need a system of trust, and this starts with certificate authorities (CAs). In this post, we'll explore both CAs and self-signed certificates.

Understanding X.509 Certificates

Thu, 20 Jul 2023 00:00:00 -0400

Despite decades of use, certificates tend to be a mystery to most developers. In today's post, we explore the basics of certificates and take a peak inside.

GitHub Actions Workflow Permissions

Thu, 08 Jun 2023 00:00:00 -0400

GitHub Actions provide powerful workflow support but rely on trusting third-party code. Learn how to secure your GitHub Actions workflows using permissions.

Preventing GitHub Actions Injection Attacks

Fri, 07 Apr 2023 00:00:00 -0400

Everything coded can be exploited, including GitHub Actions. The powerful expressions syntax can also break your systems. Learn better ways to handle them.

What Are GitHub Verified Domains?

Thu, 12 Jan 2023 00:00:00 -0500

GitHub has a lot of options for verified domains. Have you ever wondered what they all do, when to use them, and how they help keep your brand secure?

Using Git SSH From Docker With a Local Proxy

Thu, 22 Dec 2022 00:00:00 -0500

Learn the dev container trick for accessing a host port to create a proxy SSH connection to a Git server.

SSH and Multiple Git Credentials

Thu, 15 Dec 2022 00:00:00 -0500

Learn a trick for using SSH to connect to multiple GitHub environments and Git hosts with minimal effort.

Security Theater - The Illusion of Compliance

Thu, 10 Nov 2022 00:00:00 -0500

Trying to secure code is no easy task. It takes real effort to build a product and keep it secure. As we try to shift left and build security into our applications, we are pushed to learn new ways to meet these goals. One of those ways is to use tools. Unfortunately, the complexities of security make it very easy for companies to offer quick fixes and simple solutions. They offer security theater. If you’re not familiar with the term, security theater is when you create measures that give the illusion of security while doing little or nothing to actually secure anything.

Comparing GitHub Commit Signing Options

Fri, 07 Oct 2022 00:00:00 -0400

I recently had an interesting discussion where we tried to explore some of the ways you can sign commits in Git and GitHub. If you’re not familiar with the functionality, Git provides mechanisms for signing commits and tags to ensure authorship. By default, Git trusts that the user name and email that you provide to git config is legitimate. For many organizations, that may be perfectly acceptable. If only limited people have access to the repository, this is often enough.

Notarizing .NET Console Apps for macOS

Thu, 02 Jun 2022 00:00:00 -0400

Learn how to create and notarize macOS universal binaries for .NET console applications.