GitHub Featured (repost) Protect the repository hosting your GitHub Action This post, now 2 years old, is still very valid, especially in light of the recent changed-files hack.
Azure DevOps Say goodbye to your Personal Access Tokens We got rid of all Azure DevOps PAT usage and so should you. 📢 Big shout out to Jesse! Without his blog post and direct help, I was probably still renewing expired PATs manually. But let's start at the beginning.
GitHub Scan all workflow artifacts for leaked secrets In response to: "Major GitHub repos leak access tokens putting code and clouds at risk" (CSO Online, Lucian Constantin): "Build artifacts generated by GitHub Actions often contain access tokens that can be abused by attackers to push malicious code into projects or compromise cloud infrastructure." I've created a quick PowerShell
git Featured The use or uselessness of signed commits Each commit you make stores the name and email address you've configured in your git config. But Git doesn't verify whether that's you. You can easily make a commit that uses the email of any famous coder out there in the world, and your Git repo will accept that.
GitHub Restrict GitHub branches to specific prefixes Many people follow some kind of naming format for their branches. Be it because they're using GitHub Flow or Git Flow or because they've created their own meaningful naming patterns.
GitHub Actions Featured Protect the repository hosting your GitHub Action It comes as no surprise that the tags and branches solution to version GitHub Actions is weak at best. There have been rumors of Actions moving to a different model (GitHub Container Registry), but that is yet to see the light.
Azure DevOps Featured Publish Azure DevOps Extensions using Azure Workload Identity As you may know, I maintain several Azure DevOps Extensions. To publish them I use the Azure DevOps extension tasks. And to authenticate you must provide a Personal Access Token.
GitHub Featured Enable RenovateBot for Azure Pipelines In my report on the Security state of the Azure DevOps Marketplace I came to the unfortunate conclusion that about 40% of the extensions contain vulnerabilities. One of the recommendations for both Azure DevOps administrators and pipeline authors was to keep the Azure Pipelines Tasks up-to-date.
Azure DevOps Featured Security state of the Azure DevOps Marketplace This report focuses on the Azure Pipelines extensions in the Marketplace. At the time of compiling the report there are 1460 extensions in the "Azure Pipelines" category. More than 500 have one or more vulnerabilities or vulnerable dependencies.
Azure DevOps Server 2022 Definitive solution for log4shell in Azure DevOps Server Search Last year around this time the log4shell bug in log4j was made public. Older versions of Team Foundation Server and Azure DevOps Server ship with Elastic Search to power its advanced search features. The version that ships with these versions is quite old and was never truly fixed, only patched.
GitHub What's GitHub's new require approval of the most recent push policy all about? The "require approval of the most recent push" protection rule was recently introduced (October 2022).
Security Log4J – A 10 step mitigation plan There is already a lot of attention on the #Log4J vulnerability. It is all over the news while we write this blog. Many customers have asked us what to do. In this blog we give some advice on how to deal with the Log4j vulnerability and similar vulnerabilities in the future.
Azure DevOps Featured Azure DevOps 2020 and 2019 (and 2018) patch for log4j vulnerability Azure DevOps can be configured with advanced Code Search. That feature relies on Elastic Search. Depending on the age of your server, JVM version and Elastic Search version this may result in your setup being vulnerable to CVE-2021-44228.