CodeQL is a fantastic Static Analysis Scanning Tool (SAST). It can be enabled quickly using Actions, but it can be hard to figure out how to fine-tune which queries are run. In this post I’ll cover using Query Filters to fine-tune your CodeQL scans.
We’ve all heard the mantra to “shift left” - mainly for testing but also for security. Security scanning earlier (lefter 😸) in the process makes sense, but can you shift left too far?
I’ve posted before about how to authenticate to Azure in GitHub Actions using OIDC. It should follow that Terraform templates would be easy to use - but there are some gotchas.
GitHub Advanced Security is positioned to win the “AppSec Wars”. In this post I go over why I think this is the case.
Hosted runners for Actions are great - but there are some scenarios where you’ll need self-hosted runners, such as deploying to private networks. But how can you effectively manage your self-hosted runners? In this post I’ll cover some thoughts.
One canonical use of reusable workflows is a reusable deployment job. While this is definitely possible with reusable workflows, it’s not easy to get it working. In this post I’ll show you how to do it.
The latest release of CodeQL CLI now includes the ability to display help files for custom queries. In this post I walk through how to get your custom help files to display.
Authenticating to Azure in GitHub Actions requires a secret for a Service Principal. However, at Universe, GitHub released a new OIDC-based authentication mechanism that eliminates the need for secrets in secure deployments.
Reusable workflows are great, but how do you ensure that teams are using your reusable workflows? In this post I show how you can structure repos, teams and environments to ensure standardization for your workflows.
Code security is becoming more important for modern software development. What about code quality metrics? How do code quality metrics and code security compare and contrast? I’ll discuss some thoughts in this post.
