Posted 29th of September, 2022

Securing the CI/CD pipeline - The good stuff


This is the introduction to a weekly blog series that will run over the next few months, written by myself and Mike de Libero. It is hopefully different from other blogs you may read with similar titles, because we aren’t repeating the basics that have already been written elsewhere. We will link to what we think are the best basics articles, but instead we are focused on two types of things, ‘gotchas’ and ‘pro tips’. That is the good stuff.

  • Gotchas are snippets of information no one really tells you about but will trip you up, like when you realise your SCA tool was scanning an NPM lock file but your build server runs ‘npm clean-install’ each time and so your SCA findings are hot garbage. 
  • Pro tips are snippets of information on how to minimise your input and maximise your output. For instance, avoiding security-issue shock when first setting up tools, or configuring expensive and slow SAST checks to run only on merge to main.
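The second pro tip above, as an added example that is not from the original post: a GitHub Actions workflow that runs cheap checks on every pull request but gates the slow SAST job so it only runs on a push to main. The `./scripts/run-sast.sh` wrapper is a placeholder for whatever SAST CLI you use.

```yaml
name: ci

on:
  pull_request:
  push:
    branches: [main]

jobs:
  fast-checks:
    # Cheap, fast feedback on every PR and on main: install from the
    # lockfile exactly as the build does, then lint and unit test.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm clean-install
      - run: npm test

  sast:
    # Expensive scan: skipped on PRs, runs only after a merge to main.
    # The condition is evaluated on the GitHub-provided event context.
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    needs: fast-checks
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/run-sast.sh   # placeholder: your SAST tool's CLI
```

Because the `sast` job depends on `fast-checks`, a failing unit test on main still short-circuits the slow scan.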

It’s a big topic with a lot of moving parts, so we have split the series into logical sections. I am going to point out what should be obvious: this is far from a prescriptive guide and far from complete. It's our favourite gotchas and pro tips.

Any examples assume a standard Github based reference architecture that is typical of many companies' development tool chains. We have chosen what we think are the “best in class” open source tools. As with anything in software there are thousands of permutations, like developers using localstack, cloud developer environments like Github Codespaces, hermetic package managers like Bazel, and the list goes on.

It goes without saying we can't possibly cover everything and so we hope you share your knowledge in the comments or link to the article from your own content. 
