A digital lock icon overlaid on a GitHub repository workflow diagram symbolising supply chain security

Securing Your GitHub Repository: Supply Chain Security for Static Sites

Before we dive in, this post was directly inspired by the recent Trivy compromise incident that impacted my workplace and forced me to reassess how exposed we really are to supply chain vulnerabilities. That incident was the wake-up call that pushed me to harden this repository at the source-control and build-pipeline level, not just at runtime. There is this assumption that most developers carry around in the back of their minds. It sounds something like: “I’m just a personal blogger. Nobody is targeting me.” ...

March 30, 2026 · 9 min · 1860 words · eakangk
Signed Git commit verification badge on GitHub

How and Why should you Sign Git Commits with GPG: A Practical Guide

So you were going through commits in your organisation’s repository and saw a little “Verified” badge next to the commit hash. Wondering how their commit got Verified? GitHub certainly doesn’t have a subscription that will give you a “Verified” badge like some other social media platforms. You know the one I’m talking about. So what does it mean? How do you get that? Let’s explore. What Is Git Commit Signing? Do you remember how you configured Git on your machine? You probably ran a couple of commands like these: ...

December 12, 2024 · 6 min · 1122 words · eakangk