They should setup monitoring (email/slack) for commits and merges to the prod/main/master not their working branch is what I meant. But yes, even for random branches, setup a pipeline that will notify you after whatever tests/checks.
Assume it is only a matter of time before at least one dev's machine or git creds/keys are compromised. This way, it serves as a layer of defense to notify you of unauthorized modifications which could be subtle enough to make it past any review or qa.
Signing commits seems like a pointless mess to me. Being able to use a better git hash function and then using signed tags could be an improvement. Using a Fido key for both ssh and 2FA is also a great security improvement.
5 comments
[ 2.8 ms ] story [ 22.9 ms ] threadAt the very least I was hoping they would explain how for
> Use pre-commit hooks to scan for secrets and other code risks before they get into code.
and
> Automate your security.
Good idea. How?
To answer the title. In the past I've used Owasp Zap to scan dev.
Assume it is only a matter of time before at least one dev's machine or git creds/keys are compromised. This way, it serves as a layer of defense to notify you of unauthorized modifications which could be subtle enough to make it past any review or qa.