Spicy Takes 🌶️🌶️🌶️ on RSA 2023
on security
I was recently at RSA for the first time. I have some spicy takes from the week.
Using GitHub Copilot Effectively
on development
GitHub Copilot is an AI pair programmer that can dramatically increase developer productivity. However, it is still a tool - and developers must learn how to frame Copilot’s capabilities in order to make the best use of it.
Allowing Bypass of Secret Scanning Push Detections is a Good Thing
on security
Secret Scanning Push Protection allows you to block pushes that contain secrets. These blocks can by bypassed, which may be surprising. However, allowing bypasses is actually a good thing!
Fine Tuning CodeQL Scans using Query Filters
CodeQL is a fantastic Static Analysis Scanning Tool (SAST). It can be enabled quickly using Actions, but it can be hard to figure out how to fine-tune which queries are run. In this post I’ll cover using Query Filters to fine-tune your CodeQL scans.
Shift Left - How far is too far?
on security
We’ve all heard the mantra to “shift left” - mainly for testing but also for security. Security scanning earlier (lefter 😸) in the process makes sense, but can you shift left too far?
Using OIDC with Terraform in GitHub Actions
I’ve posted before about how to authenticate to Azure in GitHub Actions using OIDC. It should follow that Terraform templates would be easy to use - but there are some gotchas.
GHAS Will Win the AppSec Wars
GitHub Advanced Security is positioned to win the “AppSec Wars”. In this post I go over why I think this is the case.
Runners, Runners - Everywhere!
on build, deployment
Hosted runners for Actions are great - but there are some scenarios where you’ll need self-hosted runners, such as deploying to private networks. But how can you effectively manage your self-hosted runners? In this post I’ll cover some thoughts.
Consuming Environment Secrets in Reusable Workflows
on build, deployment
One canonical use of reusable workflows is a reusable deployment job. While this is definitely possible with reusable workflows, it’s not easy to get it working. In this post I’ll show you how to do it.
Displaying Help for Custom CodeQL Queries
on security
The latest release of CodeQL CLI now includes the ability to display help files for custom queries. In this post I walk through how to get your custom help files to display.
