Posts
2024
DevOps and security - Frenemies turned BFFs
This post is a summary of the Universe 2024 Fireside Chat with Brian Rossi from Caterpillar Digital.
Why Culture is so important in the Age of AI
GitHub Copilot is proven to improve individual productivity at the task level. However, organizations need to be intentional and systematic in how they scale GitHub Copilot broadly in order to realize organizational benefits. In this post I’ll discuss why culture is so important in the Age of AI.
Ingredients for scaling GitHub Copilot
GitHub Copilot is proven to improve individual productivity at the task level. However, organizations need to be intentional and systematic in how they scale GitHub Copilot broadly in order to realize organizational benefits. In this post I’ll discuss some considerations for scaling GitHub Copilot.
2023
Measuring the impact of Developer Experience and GitHub Copilot
Measuring the impact of Developer Experience and GitHub Copilot is a complex subject. Understanding leading and lagging indicators can help organizations measure the right things, and thus prove out the value of good Developer Experience in general, as well as the impact of GitHub Copilot.
Who needs GitHub Copilot?
Generative AI? Who needs it? You’re the consummate developer and nothing is beyond your staggering cognitive powers, so why would you need GitHub Copilot - or any copilot for that matter?
Mission Control - and what it means for DevSecOps
Culture, culture, culture - it eats DevSecOps for breakfast! But what sort of culture should organizations build to succeed at DevSecOps? In this post I take a look at Mission Control and what it means for DevSecOps culture.
Team Autonomy vs Enterprise Alignment
Tooling is an important aspect of DevSecOps - but culture dramatically influences how organizations scale. In this post I’ll talk about a key cultural concept: Team Autonomy vs Enterprise Alignment.
Spicy Takes 🌶️🌶️🌶️ on RSA 2023
I was recently at RSA for the first time. I have some spicy takes from the week.
Using GitHub Copilot Effectively
GitHub Copilot is an AI pair programmer that can dramatically increase developer productivity. However, it is still a tool - and developers must learn how to frame Copilot’s capabilities in order to make the best use of it.
Allowing Bypass of Secret Scanning Push Detections is a Good Thing
Secret Scanning Push Protection allows you to block pushes that contain secrets. These blocks can be bypassed, which may be surprising. However, allowing bypasses is actually a good thing!
2022
Fine Tuning CodeQL Scans using Query Filters
CodeQL is a fantastic Static Application Security Testing (SAST) tool. It can be enabled quickly using Actions, but it can be hard to figure out how to fine-tune which queries are run. In this post I’ll cover using Query Filters to fine-tune your CodeQL scans.
Shift Left - How far is too far?
We’ve all heard the mantra to “shift left” - mainly for testing but also for security. Security scanning earlier (lefter 😸) in the process makes sense, but can you shift left too far?
Using OIDC with Terraform in GitHub Actions
I’ve posted before about how to authenticate to Azure in GitHub Actions using OIDC. It should follow that Terraform templates would be easy to use - but there are some gotchas.
GHAS Will Win the AppSec Wars
GitHub Advanced Security is positioned to win the “AppSec Wars”. In this post I go over why I think this is the case.
Runners, Runners - Everywhere!
Hosted runners for Actions are great - but there are some scenarios where you’ll need self-hosted runners, such as deploying to private networks. But how can you effectively manage your self-hosted runners? In this post I’ll cover some thoughts.
2021
Consuming Environment Secrets in Reusable Workflows
One canonical use of reusable workflows is a reusable deployment job. While this is definitely possible with reusable workflows, it’s not easy to get it working. In this post I’ll show you how to do it.
Displaying Help for Custom CodeQL Queries
The latest release of the CodeQL CLI now includes the ability to display help files for custom queries. In this post I walk through how to get your custom help files to display.
GitHub Actions: Authenticate to Azure Without a Secret using OIDC
Authenticating to Azure in GitHub Actions requires a secret for a Service Principal. However, at Universe, GitHub released a new OIDC-based authentication mechanism that eliminates the need for secrets in secure deployments.
Enforcing Reusable Workflows for Standardization
Reusable workflows are great, but how do you ensure that teams are using your reusable workflows? In this post I show how you can structure repos, teams and environments to ensure standardization for your workflows.
Comparing Code Quality Metrics with Code Security
Code security is becoming more important for modern software development. What about code quality metrics? How do code quality metrics and code security compare and contrast? I’ll discuss some thoughts in this post.
On Demand Ephemeral Self-Hosted Runners
Do you need to deploy to private VNets using GitHub Actions, but don’t want to have to keep self-hosted runners running all the time? In this post I show you how you can use Ephemeral Runners to create on-demand self-hosted runners.
Musings on GitHub Actions Reusable Workflows
Newly released Reusable Workflows allow you to reuse workflows in your GitHub workflows. While this still has some limitations, it’s still better than copy/paste!
Create Azure DevOps Work Item Action
If you’re managing backlogs in Azure Boards but using GitHub Actions for CI/CD, you may have scenarios where you want to create Work Items from an Action.
GitHub Composite Actions
Composite Actions now allow you to run other Actions, not just script steps. This is great for composability and maintainability, but there are some limitations that you should be aware of.
Custom CodeQL
CodeQL is a powerful code scanning tool that can be integrated into your pipelines. In this post I show you some basics, as well as how to develop and integrate custom queries into your pipelines.
Deployment with GitHub Actions: The Bad and the Ugly
GitHub Actions can be used for Continuous Deployment (CD) - but there are some rough edges. In this post I take you through a deep dive and lift the kimono on Actions.
2020
DevOps Benefits of Limiting WIP
Generally limiting WIP is discussed in the context of work item tracking - but too much WIP has detrimental effects on branching, testing, architecture and technical debt too!
Azure Pipelines for Private AKS Clusters
Creating private AKS clusters is a good step in hardening your Azure Kubernetes clusters. In this post I walk through the steps you’ll need to follow to enable deployment to private AKS clusters.
Little’s Law Doesn’t Work
Little’s Law is well known, but not well understood. Daniel Vacanti has some deep insights into the assumptions that need to be made to make Little’s Law “work” for you.
az devops cli like a boss
One of the best features of Azure DevOps is the extensive API. However, while having a REST API is great, interacting with a service at the HTTP level can be frustrating. In this post, I examine the az devops cli using 10 practical examples.
Hosting Code On Premises: GitHub Enterprise with Azure DevOps
Do you want to be on the latest DevOps platforms, but are required to keep source code on premises? In this post I talk about considerations for hosting GitHub Enterprise and Azure DevOps Server on premises.
Azure DevOps Work Item Hierarchy Reports in PowerBI
In this post I show how you can query Work Item data and build hierarchical reports using PowerBI.
LetsEncrypt Auto-Renewal For Azure Web Apps for Linux
In this post I show how I achieved automated LetsEncrypt cert registration and renewal for Azure Web Apps for Linux using nginx and CertBot.
ChatOps with GitHub Actions and Azure Web Apps
In this video, I show you how to use GitHub Actions to implement ChatOps with Azure Web Apps.
Azure Pipeline Parameters
In this post I dive into parameters for Azure Pipelines.
Executing JMeter Tests in an Azure Pipeline
Visual Studio Load Testing tools have been deprecated, along with Cloud Load Testing. In this post I investigate how to use JMeter as a load testing alternative.
Azure Pipeline Variables
In this post I take a deep dive into Azure Pipeline variables.