Security - Scrum Bug

Security

A collection of 8 posts

Protect the repository hosting your GitHub Action

GitHub Actions Featured

Protect the repository hosting your GitHub Action

It comes as no surprise that the tags and branches solution to version GitHub Actions is weak at best. There have been rumors of Actions moving to a different model (GitHub Container Registry), but that is yet to see the light.

Publish Azure DevOps Extensions using Azure Workload Identity

Azure DevOps Featured

Publish Azure DevOps Extensions using Azure Workload Identity

As you may know, I maintain several Azure DevOps Extensions. To publish them I use the Azure DevOps extension tasks. And to authenticate you must provide a Personal Access Token.

Enable RenovateBot for Azure Pipelines

GitHub Featured

Enable RenovateBot for Azure Pipelines

In my report on the Security state of the Azure DevOps Marketplace I came to the unfortunate conclusion that about 40% of the extensions contain vulnerabilities. One of the recommendations for both Azure DevOps administrators and pipeline authors was to keep the Azure Pipelines Tasks up-to-date.

Cow walking through an Indian Marketplace

Azure DevOps Featured

Security state of the Azure DevOps Marketplace

This report focusses on the Azure Pipelines extensions in the Marketplace. At the time of compiling the report there are 1460 extensions in the "Azure Pipelines" category. More than 500 have one or more vulnerabilities or vulnerable dependencies.

Definitive solution for log4shell in Azure DevOps Server Search

Azure DevOps Server 2022

Definitive solution for log4shell in Azure DevOps Server Search

Last year around this time the log4shell bug in log4j was made public. Older versions of Team Foundation Server and Azure DevOps Server ship with Elastic Search to power its advanced search features. The version that ships with these versions is quite old and was never truly fixed, only patched.

What's GitHub's new require approval of the most recent push policy all about?

What's GitHub's new require approval of the most recent push policy all about?

The "require approval of the most recent push" protection rule was recently introduced (oct 2022).

Log4J – A 10 step mitigation plan

Log4J – A 10 step mitigation plan

There is already a lot of attention on the #Log4J vulnerability. It is all over the news while we write this blog. Many customers have asked us what to do. In this blog we give some advice on how to deal with the Log4j vulnerability and similar vulnerabilities in the future.

Azure DevOps 2020 and 2019 (and 2018) patch for log4j vulnerability

Azure DevOps Featured

Azure DevOps 2020 and 2019 (and 2018) patch for log4j vulnerability

Azure DevOps can be configured with advanced Code Search. That feature relies on Elastic Search. Depending on the age of your server, JVM version and Elastic Search version this may result in your setup being vulnerable to CVE-2021-44228.