Security - Scrum Bug

Security

A collection of 14 posts

Azure sky with pink cloud. Connecting to "Azure" afterall.

Authenticate Connect-MgGraph using OIDC in GitHub Actions

I'm running a number of maintenance scripts against our Azure EntraId to manage GitHub related things. Removing dormant users, asking users to setup their notification email correctly etc. For a long time, I ran these scripts with an interactive session, before moving them over to GitHub Actions. Recently

(repost) Protect the repository hosting your GitHub Action

GitHub Featured

(repost) Protect the repository hosting your GitHub Action

This post, now 2 years old, is still very valid, especially in light of the changed-files hack recently.

Say goodbye to your Personal Access Tokens

Say goodbye to your Personal Access Tokens

We got rid of all Azure DevOps PAT usage and so should you. 📢 Big shout out to Jesse! Without his blog post and direct help, I was probably still renewing expired PATs manually. But let's start at the beginning.

Scan all workflow artifacts for leaked secrets

Scan all workflow artifacts for leaked secrets

In response to: Major GitHub repos leak access tokens putting code and clouds at riskBuild artifacts generated by GitHub Actions often contain access tokens that can be abused by attackers to push malicious code into projects or compromise cloud infrastructure.CSO OnlineLucian Constantin I've created a quick powershell

The use or uselessness of signed commits

The use or uselessness of signed commits

Each commit you make stores the name and email address you've configured in your git config. But Git doesn't verify whether that's you. You can easily make a commit that uses the email of any famous coder out there in the world, and your Git repo will accept that.

Restrict GitHub branches to specific prefixes

Restrict GitHub branches to specific prefixes

Many people follow some kind of naming format for their branches. Be it because they're using GitHub Flow or Git Flow or because they've created their own meaningful naming patterns.

Protect the repository hosting your GitHub Action

GitHub Actions Featured

Protect the repository hosting your GitHub Action

It comes as no surprise that the tags and branches solution to version GitHub Actions is weak at best. There have been rumors of Actions moving to a different model (GitHub Container Registry), but that is yet to see the light.

Publish Azure DevOps Extensions using Azure Workload Identity

Azure DevOps Featured

Publish Azure DevOps Extensions using Azure Workload Identity

As you may know, I maintain several Azure DevOps Extensions. To publish them I use the Azure DevOps extension tasks. And to authenticate you must provide a Personal Access Token.

Enable RenovateBot for Azure Pipelines

GitHub Featured

Enable RenovateBot for Azure Pipelines

In my report on the Security state of the Azure DevOps Marketplace I came to the unfortunate conclusion that about 40% of the extensions contain vulnerabilities. One of the recommendations for both Azure DevOps administrators and pipeline authors was to keep the Azure Pipelines Tasks up-to-date.

Cow walking through an Indian Marketplace

Azure DevOps Featured

Security state of the Azure DevOps Marketplace

This report focusses on the Azure Pipelines extensions in the Marketplace. At the time of compiling the report there are 1460 extensions in the "Azure Pipelines" category. More than 500 have one or more vulnerabilities or vulnerable dependencies.

Definitive solution for log4shell in Azure DevOps Server Search

Azure DevOps Server 2022

Definitive solution for log4shell in Azure DevOps Server Search

Last year around this time the log4shell bug in log4j was made public. Older versions of Team Foundation Server and Azure DevOps Server ship with Elastic Search to power its advanced search features. The version that ships with these versions is quite old and was never truly fixed, only patched.

What's GitHub's new require approval of the most recent push policy all about?

What's GitHub's new require approval of the most recent push policy all about?

The "require approval of the most recent push" protection rule was recently introduced (oct 2022).

Log4J – A 10 step mitigation plan

Log4J – A 10 step mitigation plan

There is already a lot of attention on the #Log4J vulnerability. It is all over the news while we write this blog. Many customers have asked us what to do. In this blog we give some advice on how to deal with the Log4j vulnerability and similar vulnerabilities in the future.

Azure DevOps 2020 and 2019 (and 2018) patch for log4j vulnerability

Azure DevOps Featured

Azure DevOps 2020 and 2019 (and 2018) patch for log4j vulnerability

Azure DevOps can be configured with advanced Code Search. That feature relies on Elastic Search. Depending on the age of your server, JVM version and Elastic Search version this may result in your setup being vulnerable to CVE-2021-44228.