A significantly complex Github repo with CI, complex permissions, Git hooks all over, is pretty much its own software system that you have to manage, just like server management via Ansible or what-have-you.<p>Github does a great job at implementing sane defaults but I understand the author's point - there can be a lot to do and you usually don't know you're even supposed to worry about this until way later when security auditors file like 9001 reports about your repo settings.
Many of these have nothing to do with Git or GitHub in particular (dependabot, storing live credentials in the codebase...).<p>It'd be nicer if you managed to focus on the part of the Git/GitHub story: though, as a rant, it's perfectly fine :)
> A crap link is one that's only superficially interesting. Stories on HN don't have to be about hacking, because good hackers aren't only interested in hacking, but they do have to be deeply interesting.<p>I'd say this link violates the rules. It says absolutely nothing new, it is shallow, has a popup.
GitHub does a pretty good job requiring oauth or ssh key authentication, and the new finely-grained personal access are awesome, I just switched all my apps to use more locked down PATs.<p>The far you reach from GitHub's ecosystem, that's where most of the vulnerabilities are.<p>Repo-specific deploy keys, read-only keys and branch protection are my "pro" security hardening steps.<p>Shoving all secrets in ENV isn't a clear improvement either. Sure, most CI services attempt to mask them, but it's trivially to extract the secrets. For GitHub, you have to approve incoming first-time PRs, but it's a huge vector someone determined can exploit.
More of a rant than anything. I spend a lot of time doing this and there are so many little things you <i>could</i> harden a little bit.<p>Kind of a rabbithole of energy!
TL;DR turn on signed commits and 2FA, don't commit secrets, and be careful with dependency vulnerabilities.<p>Doesn't really seem like "a ton of work".
I've found StepSecurity's tooling helpful in getting my repos locked down.<p>* <a href="https://app.stepsecurity.io/securerepo" rel="nofollow">https://app.stepsecurity.io/securerepo</a>
* <a href="https://app.stepsecurity.io/" rel="nofollow">https://app.stepsecurity.io/</a><p>It also helps to go through the GitHub options to lock things down. Also, configure Dependabot to update "github-actions"<p>No affiliation. Just a happy user.
Not really. Just another substack think piece.<p>Complete with the living modal upsell popup ala Medium. Will people ever learn? (No, no they won't)