A significantly complex Github repo with CI, complex permissions, Git hooks all over, is pretty much its own software system that you have to manage, just like server management via Ansible or what-have-you.
Github does a great job at implementing sane defaults but I understand the author's point - there can be a lot to do and you usually don't know you're even supposed to worry about this until way later when security auditors file like 9001 reports about your repo settings.
Thanks for understanding. Security engineering is growing so complex. I don't know how major corps on the scale of Boeing ever achieve compliance. And even then, they have a whole market of different compliance standards to comply with.
> I don't know how major corps on the scale of Boeing ever achieve compliance.
Boring, repetitive software development processes that prioritizes closing potential holes vs. speed of development. When you stop to think about it, explains quite a bit of why big companies are so slow to release?
> I don't know how major corps on the scale of Boeing ever achieve compliance.
It's not that hard. They just remove all of your agency as a user. You can push commits, open branches & pull requests, and merge if 2 people approve it. And that's it.
Want to merge? Restricted. Make a new repo? Restricted. Use a GitHub Action? Restricted. CODEOWNERS? Restricted. Branch filters? Restricted. Forks? Restricted. Releases, packages, artifacts, security, insights, settings, webhooks, environments, pages, wiki, issues? Restricted. Access a repo you aren't a member of? Restricted. Protected tags, dependency graph, dependabot, code scanning, secret scanning, deploy keys, secrets, github apps, oauth, notifications? Restricted. Stars? Restricted. And your SSO token expires every hour.
When working on open source software and collaborating via public GitHub, you can almost forget that git is a distributed version control system.
But in the restricted corporate setups you describe, git's distributed nature shines.
They can lock down internal GitHub as much as they want to, but that won't keep you from making local commits, or exchanging commits directly with your coworkers while developing.
You know, the thing you need if you're stuck in 2000's eea deployments. Or the thing you need if you're deploying VMs. Or the thing you need if you're deploying containers. "You know*, the thing you need if you give a shit about your product.
Oh wait, what, you're running a live service, connected to public internet? And you somehow think "lol gotcha rust updates are a thing" is an own? Once again, y'all keep tattling on yourselves!! While acting so smug, I (really don't) need some of that ignorant confidence! *Please!!!!* Feel free to link us to your running live services that you apparently can't run CI/CD for. Its totes fine, right?
I wouldnt be surprised if it wasnt more about discoverability.
Lotsa folks are tired to play The Google SEO Game and thus just give up on hosting their own content.
> A crap link is one that's only superficially interesting. Stories on HN don't have to be about hacking, because good hackers aren't only interested in hacking, but they do have to be deeply interesting.
I'd say this link violates the rules. It says absolutely nothing new, it is shallow, has a popup.
GitHub does a pretty good job requiring oauth or ssh key authentication, and the new finely-grained personal access are awesome, I just switched all my apps to use more locked down PATs.
The far you reach from GitHub's ecosystem, that's where most of the vulnerabilities are.
Repo-specific deploy keys, read-only keys and branch protection are my "pro" security hardening steps.
Shoving all secrets in ENV isn't a clear improvement either. Sure, most CI services attempt to mask them, but it's trivially to extract the secrets. For GitHub, you have to approve incoming first-time PRs, but it's a huge vector someone determined can exploit.
26 comments
[ 5.7 ms ] story [ 87.0 ms ] threadKind of a rabbithole of energy!
Github does a great job at implementing sane defaults but I understand the author's point - there can be a lot to do and you usually don't know you're even supposed to worry about this until way later when security auditors file like 9001 reports about your repo settings.
Phew.
Boring, repetitive software development processes that prioritizes closing potential holes vs. speed of development. When you stop to think about it, explains quite a bit of why big companies are so slow to release?
It's not that hard. They just remove all of your agency as a user. You can push commits, open branches & pull requests, and merge if 2 people approve it. And that's it.
Want to merge? Restricted. Make a new repo? Restricted. Use a GitHub Action? Restricted. CODEOWNERS? Restricted. Branch filters? Restricted. Forks? Restricted. Releases, packages, artifacts, security, insights, settings, webhooks, environments, pages, wiki, issues? Restricted. Access a repo you aren't a member of? Restricted. Protected tags, dependency graph, dependabot, code scanning, secret scanning, deploy keys, secrets, github apps, oauth, notifications? Restricted. Stars? Restricted. And your SSO token expires every hour.
Can't get hacked if you can't do any work!
But in the restricted corporate setups you describe, git's distributed nature shines.
They can lock down internal GitHub as much as they want to, but that won't keep you from making local commits, or exchanging commits directly with your coworkers while developing.
https://registry.terraform.io/providers/integrations/github/...
It'd be nicer if you managed to focus on the part of the Git/GitHub story: though, as a rant, it's perfectly fine :)
Doesn't really seem like "a ton of work".
You could set up trivy.dev scanning as part of your CI pipeline. Patch until your builds are green again :)
Doesn't seem something worthy of investing my time into.
You know, the thing you need if you're stuck in 2000's eea deployments. Or the thing you need if you're deploying VMs. Or the thing you need if you're deploying containers. "You know*, the thing you need if you give a shit about your product.
Oh wait, what, you're running a live service, connected to public internet? And you somehow think "lol gotcha rust updates are a thing" is an own? Once again, y'all keep tattling on yourselves!! While acting so smug, I (really don't) need some of that ignorant confidence! *Please!!!!* Feel free to link us to your running live services that you apparently can't run CI/CD for. Its totes fine, right?
* https://app.stepsecurity.io/securerepo * https://app.stepsecurity.io/
It also helps to go through the GitHub options to lock things down. Also, configure Dependabot to update "github-actions"
No affiliation. Just a happy user.
Complete with the living modal upsell popup ala Medium. Will people ever learn? (No, no they won't)
Too much work to set up their own little blog, I guess.
I guess we should be happy that at least aren't articles published as tweets.
I'd say this link violates the rules. It says absolutely nothing new, it is shallow, has a popup.
The far you reach from GitHub's ecosystem, that's where most of the vulnerabilities are.
Repo-specific deploy keys, read-only keys and branch protection are my "pro" security hardening steps.
Shoving all secrets in ENV isn't a clear improvement either. Sure, most CI services attempt to mask them, but it's trivially to extract the secrets. For GitHub, you have to approve incoming first-time PRs, but it's a huge vector someone determined can exploit.