Friday, October 15, 2021

DevOps Links for 15/10/2021

New GitHub Releases Public Beta

GitHub releases allows repository maintainers to release versions of their software. It accompanies notes, version of the software, contributors, etc. When I see releases page of some OSS projects, I feel like so many smart people contributed to this release and how much effort goes into writing these. This new version of GitHub Releases will help maintainers with auto-generated release notes, new UI refresh, using GitHub Actions using APIs you can integrate this feature and more. Go check out the preview. You will have to turn on this feature.

GitHub Advisory Database now powers npm audit

As a web developer, you would have come across npm. It is the package manager for your web projects. npm is command line tool which you can use to install, search, remove packages from your projects. npm audit allows you to scan project's dependencies for security vulnerabilities. GitHub Advisory Database stores all the security vulnerabilities and it is maintained by GitHub. With this new update npm audit feature will utilize GitHub Advisory database behind the scenes. Dependabot also uses this database. 

Reuse your workflows across multiple projects using composite actions

In GitHub Actions, you execute different actions to build/release/test your project. When you are working projects that use the same steps over and over again, you may want to build something that is reusable across multiple projects. Just like we extract repeatable code into its own function so it can be reused in multiple places. Composite actions accomplish exactly this but for actions. This post explains how you can create a composite action in one master repository and then use that composite action in multiple projects. It is cool. 

As part of your DevSecOps practices, you want to scan your code assets for known vulnerabilities. That includes your code, internal as well as external dependencies such as libraries, packages, and container images. In this post, I learned of so many things. tfsec is tool to do static analysis of your terraform code (post).  Trivy is tool you can use to scan vulnerabilities in your docker container. Another great post. You can check out the repository for more information.

Tip: You can follow me on twitter to get instant updates whenever I tweet about DevOps

No comments:

Post a Comment