A digital lock icon overlaid on a GitHub repository workflow diagram symbolising supply chain security

Practical GitHub Repository Hardening for a Hugo Site

This hardening effort was directly triggered by the recent Trivy supply chain compromise, which impacted some repositories in my workplace and prompted a full review of my own repository controls. If you want the incident and response details, these two links are worth reading first:

Incident analysis: Trivy Compromised a Second Time (StepSecurity)
Official disclosure and remediation guidance: Aqua Security discussion #10425

This post is an updated, end-to-end view of the hardening work I applied to this repository. ...

April 1, 2026 · 6 min · 1068 words · eakangk
A layered diagram showing GitHub Enterprise at the top flowing down through Organisation to a personal repository with a padlock overlay, representing policy inheritance

When Your Workplace Controls Your Personal GitHub Repos: Understanding GitHub Org Policies

I was hardening this blog’s GitHub repository as part of a security series — adding CodeQL static analysis, Dependabot, and secret scanning. Everything went smoothly until I tried to run CodeQL in a workflow against my personal, private repository. The workflow ran. The analysis completed. And then it failed with this:

Warning: This run of the CodeQL Action does not have permission to access the CodeQL Action API endpoints. Code scanning is not enabled for this repository.

The repository settings showed Code Scanning as available. The workflow had security-events: write. The YAML was valid. The workflow was not running from a fork. Nothing obvious was wrong. ...

April 1, 2026 · 7 min · 1371 words · eakangk
Signed Git commit verification badge on GitHub

How and Why should you Sign Git Commits with GPG: A Practical Guide

So you were going through commits in your organisation’s repository and saw a little “Verified” badge next to the commit hash. Wondered how their commit got Verified? GitHub certainly doesn’t have a subscription that will give you a “Verified” badge like some other social media platforms. You know the one I’m talking about. So what does it mean? How do you get that? Let’s explore.

What Is Git Commit Signing?

Do you remember how you configured Git on your machine? You probably ran a couple of commands like these: ...

December 12, 2024 · 6 min · 1132 words · eakangk