5 comments

[ 2.8 ms ] story [ 22.9 ms ] thread
The title doesn't really address the article.

At the very least I was hoping they would explain how for

> Use pre-commit hooks to scan for secrets and other code risks before they get into code.

and

> Automate your security.

Good idea. How?

To answer the title. In the past I've used Owasp Zap to scan dev.

Monitor commits
Are you saying that developers should improve their security by monitoring their own commits?
They should setup monitoring (email/slack) for commits and merges to the prod/main/master not their working branch is what I meant. But yes, even for random branches, setup a pipeline that will notify you after whatever tests/checks.

Assume it is only a matter of time before at least one dev's machine or git creds/keys are compromised. This way, it serves as a layer of defense to notify you of unauthorized modifications which could be subtle enough to make it past any review or qa.

Signing commits seems like a pointless mess to me. Being able to use a better git hash function and then using signed tags could be an improvement. Using a Fido key for both ssh and 2FA is also a great security improvement.