A Script For Checking In Code to GitHub
ACM.258 Create a function to check in code that can eventually trigger a deployment at the same time
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
⚙️ Part of my series on Automating Cybersecurity Metrics. The Code.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In the last post I wrote about an alternative approach to GitHub Actions and why you might consider using it.
The first step is a script to check in code for a static website. Let’s take a look at that step.

In an earlier post I showed you how I wrote a script to create a new GitHub repository for my static website.
I wrote a function that creates a new GitHub repository in my GitHub functions file. Then I call it from my static website initial deployment script like this:

Essentially I change to the folder where the GitHub scripts are and call the create_repository function. We can ditch the $basepath variable after simplification in a recent post.
To check in and deploy changes I can take a similar approach. I can write a function for each. I went over all the different mechanisms for handling credentials in a prior GitHub post and incorporated those thoughts into my create_repository function. I’ll use that same approach for my new functions. Read the related posts here if you want to know more about that.
In the future I may integrate with Okta.
I don’t know if there’s a way to add MFA to the above approach, but I would like to figure that out at some point. At least we can use MFA on the AWS deployment side.
I’ve defined the location for the code as follows and moved this to the top of my functions file, outside of a specific function, because I need it in multiple places now:

I change to the appropriate directory and check to see if the repo exists before creating it.

I’m going to presume the repository exists when checking in code and simply change to the appropriate directory.
Then I can use the git command line to check in the code.
A function to check in code
I can write a function like the following to check in code from a script and call it as shown above.

And test it like this using the repository we’ve been working with:

That works.
Automatically deploy when checking in code
Now let’s say I want to check in and deploy the code at the same time. I can write a check_in_and_deploy function. My new function calls the check_in function and then can proceed with the code to deploy the site from GitHub:
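
One way check_in and check_in_and_deploy could fit together, added here as an example and not the author's own code. CODE_DIR, deploy_site and the argument order are assumptions; the deploy step is a stand-in that only reports which commit it was handed.

```bash
#!/usr/bin/env bash
# Added example, not the author's code. CODE_DIR and deploy_site are assumptions.
CODE_DIR="${CODE_DIR:-$HOME/code}"   # assumed folder that holds the local clones

# check_in <repo> <message>: stage, commit and push everything in the clone.
# The body is a subshell, so the cd and the variables do not leak to the caller.
check_in() (
  repo="$1"; msg="$2"
  [ -n "$repo" ] && [ -n "$msg" ] || { echo "usage: check_in <repo> <message>" >&2; exit 2; }
  # Presume the repository exists; refuse to continue rather than create it.
  [ -d "$CODE_DIR/$repo/.git" ] || { echo "no clone at $CODE_DIR/$repo" >&2; exit 1; }
  cd "$CODE_DIR/$repo" || exit 1
  git add --all || exit 1
  # Commit only when something is staged; still push earlier unpushed commits.
  if ! git diff --cached --quiet; then
    git commit --quiet -m "$msg" || exit 1
  fi
  git push --quiet origin HEAD
)

# Hypothetical stand-in for the deployment code, which runs on your own system
# with your cloud credentials instead of inside GitHub.
deploy_site() {
  echo "deploying $1 at commit $2"
}

# check_in_and_deploy <repo> <message>: deploy only the commit that was pushed.
check_in_and_deploy() (
  repo="$1"; msg="$2"; dir="$CODE_DIR/$repo"
  check_in "$repo" "$msg" || { echo "check-in failed; not deploying" >&2; exit 1; }
  branch="$(git -C "$dir" symbolic-ref --short HEAD)" || exit 1
  commit="$(git -C "$dir" rev-parse HEAD)" || exit 1
  # Confirm the remote branch now points at the local commit before deploying.
  remote="$(git -C "$dir" ls-remote origin "refs/heads/$branch" | cut -f1)"
  [ "$commit" = "$remote" ] || { echo "remote differs from local; not deploying" >&2; exit 1; }
  deploy_site "$repo" "$commit"
)
```

Passing the exact commit hash to the deploy step means the deployment can check out that hash instead of whatever the branch points to by the time it runs.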

This is basically the same as a GitHub Action, but the deployment code is not run by the system where the code resides. We don’t have to store our credentials for our cloud environment on GitHub. We don’t have to give GitHub access to deploy things in our cloud environment. We have more control over the process and can use multiple steps and different sets of credentials to reduce risk.
You may or may not want to go through the trouble of doing this but don’t be surprised the next time a GitHub vulnerability or an improper script allows something rogue to get inserted into your deployment pipeline. There’s no perfect solution, but there are more and less risky solutions.
Teri Radichel | © 2nd Sight Lab 2023






