Productivity Weekly (Issue 2022-08-17)
Hello. I am Hirakiba from Cybozu Inc.'s Productivity Improvement Team.
Our Productivity Improvement Team holds an internal meeting every Wednesday called "Productivity Weekly," where we share tips and news discovered during the week related to improving developer productivity.
This article is a compilation of the topics from that meeting.
This is the 87th issue. Past articles can be found here.
news 📺
New for Trivy: CSPM Identifies Misconfigurations of Your AWS Services
Starting from v0.31 of the security scanning tool Trivy, you can now scan your AWS account for security issues.
It uses the same authentication methods as the AWS CLI, and you can perform a scan simply by running trivy aws --region <REGION> in an environment where authentication is set up. It is recommended to use a user or role assigned with the ReadOnlyAccess[1] policy.
It seems to use the same rules as trivy config for scanning IaC configurations (likely these).
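Because the scan is so easy to run, it is worth wiring its output into a periodic check. The following script is an added example (not from the article or the Trivy project): it assumes a report written with trivy's JSON output (e.g. trivy aws --region <REGION> --format json --output report.json) in the usual Trivy shape, a top-level "Results" list whose entries carry "Target" and "Misconfigurations", and it uses a constructed sample report with placeholder IDs and ARNs.

```python
import json
from collections import Counter

# Constructed sample in the shape of a Trivy JSON report (assumed format;
# IDs, ARNs and the account number are placeholders, not real findings).
SAMPLE_REPORT = json.dumps({"Results": [
    {"Target": "arn:aws:iam::111111111111:policy/old-custom-policy",
     "Misconfigurations": [
         {"ID": "AVD-AWS-PLACEHOLDER-1", "Severity": "HIGH", "Status": "FAIL",
          "Title": "IAM policy grants wildcard actions"}]},
    {"Target": "arn:aws:ec2:ap-northeast-1:111111111111:network-acl/acl-placeholder",
     "Misconfigurations": [
         {"ID": "AVD-AWS-PLACEHOLDER-2", "Severity": "MEDIUM", "Status": "FAIL",
          "Title": "Network ACL allows ingress on all ports"},
         {"ID": "AVD-AWS-PLACEHOLDER-3", "Severity": "LOW", "Status": "PASS",
          "Title": "Check that passed"}]},
]})

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "UNKNOWN": 0}


def failing_findings(report_json):
    """Flatten the report into one record per failed check."""
    findings = []
    for result in json.loads(report_json).get("Results", []):
        for m in result.get("Misconfigurations") or []:
            if m.get("Status", "FAIL") != "FAIL":  # skip checks that passed
                continue
            findings.append({"target": result.get("Target", ""), "id": m.get("ID", ""),
                             "severity": m.get("Severity", "UNKNOWN").upper(),
                             "title": m.get("Title", "")})
    return findings


def count_by_severity(findings):
    """Number of failed checks per severity, e.g. {'HIGH': 1, 'MEDIUM': 1}."""
    return dict(Counter(f["severity"] for f in findings))


def should_alert(findings, threshold="HIGH"):
    """True when any failed check is at or above the threshold severity."""
    floor = SEVERITY_RANK[threshold]
    return any(SEVERITY_RANK.get(f["severity"], 0) >= floor for f in findings)


if __name__ == "__main__":
    found = failing_findings(SAMPLE_REPORT)
    for f in sorted(found, key=lambda f: -SEVERITY_RANK.get(f["severity"], 0)):
        print(f"{f['severity']:8} {f['id']:22} {f['target']}  {f['title']}")
    print("counts:", count_by_severity(found), "alert:", should_alert(found))
```

Run it on a real report by replacing SAMPLE_REPORT with the file contents; the exit decision from should_alert is what a scheduled job would use to notify the team.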
Several explanatory articles have already been published.
- Scanning for AWS Security Issues With Trivy | liamg
  - This person seems to be a contributor to Trivy.
- Now you can scan AWS accounts with Trivy | DevelopersIO
  - In the article, they created a Cloud9 environment, but it also worked on CloudShell. If you want to try it quickly, logging in as a user with ReadOnlyAccess and trying it on CloudShell is the easiest way.
I tried it in my personal environment, and it was interesting to see various old, poorly configured custom IAM policies get flagged (I deleted them). Also, I was warned that the Network ACL was allowing all ports, but I figured that I restrict ports at the Security Group level anyway.
The fact that the process to check is so easy is great. Since AWS security can deteriorate without you noticing, I'd like to check it every now and then.
know-how 🎓
Securing Development Environments and CI/CD Pipelines
These slides explain attacks targeting development environments and CI/CD pipelines, rather than targeting production environments directly, along with their countermeasures and background.
The slides cover changes in development environments, the flow of attacks, what happens when a development environment is compromised, and attacks on and countermeasures for CI/CD pipelines. It also includes several exercises, allowing you to learn through hands-on practice.
While there are many resources explaining attacks on production environments, there are relatively few that focus specifically on development environments. Since manual deployments to production have become less common, how to secure the deployment pipeline in addition to the production environment and applications has been a topic of great personal interest.
I found the sections on what credentials can be stolen if a developer's terminal is compromised and how to protect the CI/CD pipeline particularly informative. It is quite a long read, but I highly recommend it.
Secure Operation and Continuous Monitoring of GitHub Organizations for Developers
This slide deck by Flatt Security introduces know-how for operating a GitHub Organization safely.
The slides cover why Organization security is important, perspectives for secure operation, continuous monitoring methods, and introductions to monitoring services.
I didn't know about the monitoring tools and services Allstar or Shisho Cloud. They seem easier than building a monitoring mechanism from scratch. I want to operate our Organization securely.
Let's Try Using Earthly with GitHub Actions
This article explains how to use Earthly with GitHub Actions. It is a continuation of the previous topic about using Earthly to build a gRPC server.
When running on CI, unlike local execution, you need to consider caching. This article explains the caching features of Earthly and helps you learn which options like --push, --ci, or --remote-cache are best to choose. It also mentions the addition of the --cache-from option, which looks for the cache of a topic branch first and falls back to the main branch's cache if it's not found. This is a welcome feature.
Additionally, the "digression" section mentions Earthly Satellites and Earthly CI, which Earthly plans to provide in the future. It seems they will provide a remote execution environment for Earthly. I'm curious about it.
CI and caching topics are complex, so having an explanatory article like this is very helpful. I hope Earthly catches on!
GraphQL Introduction: Understand GitHub API v4 with Just These Points!
This article explains the mechanics and usage of GraphQL for using the GitHub GraphQL API (formerly GitHub API v4[2]). It is a comprehensive guide covering differences from the REST API, types of operations, how to write queries and mutations, and explanations of variables and types.
Since GraphQL requires specifying fields compared to REST, I personally find it a bit tedious to use and only touch it occasionally. Having an article like this is great for reference whenever I need to use it.
tool 🔨
"PMapper" for Visualizing IAM Privilege Escalation
This is an introductory article for PMapper, a tool that analyzes a specified AWS account and visualizes paths where IAM privilege escalation is possible.
The article explains how to run the tool and how to interpret the resulting graphs. It allows you to quickly discover combinations that enable privilege escalation and identify which roles would be particularly dangerous if compromised.
As role relationships become more complex, it can be hard to keep track of the connections, so I'd like to use a tool like this to periodically check the overall picture.
koneta 🍘
This is a section where I briefly mention topics that came up in Productivity Weekly but I didn't have the energy to cover in full.
- news 📺
  - Big Changes Ahead for Deno
    - It seems Deno will soon support importing npm packages directly from npm.
  - Specify theme context for images in Markdown GA | GitHub Changelog
    - You can now select images based on light or dark themes in GitHub Markdown by combining the <picture> tag and prefers-color-scheme.
    - This seems great for OSS projects where images sometimes look jagged in dark mode.
  - Amazon EventBridge supports receiving events from GitHub, Stripe, and Twilio using webhooks
    - EventBridge now supports webhooks from sources like GitHub.
    - This makes you want to start receiving all sorts of webhooks.
Afterword
I've posted this for the first time in about two weeks. I'm sorry for the delay; I haven't had much time to write due to preparing for interns and creating presentation materials. This year, we have some very talented students joining us as interns, and I've been amazed at how impressive students are these days.
The Productivity Improvement Team at Cybozu carries out activities to increase the development productivity of internal engineers. If you're interested in our team, click the link below!
[1] This likely refers to arn:aws:iam::aws:policy/ReadOnlyAccess.
[2] The GitHub GraphQL API used to be called GitHub API v4, and the traditional REST API was called GitHub API v3. However, a little while ago, the name "v4" was dropped, and it's now called the GitHub GraphQL API. v3 is the GitHub REST API. Perhaps GitHub wanted to focus solely on the GraphQL API, but reality may have been more challenging.