Main Branch

Fundamentals first, always

Issue #9

šŸ„·šŸ½ Main Branch: The One Where Security Is Free

By Andrea Griffiths ā€¢ Leer en EspaƱol ā€¢ 阅čÆ»äø­ę–‡ē‰ˆ
dependabot codeql security github
Listen to article

Hiya friends,

GitHub shipped five new Dependabot ecosystems in a single week. And most public repos still donā€™t have CodeQL enabled. Letā€™s fix both.

šŸš¢ What Shipped

Dependabotā€™s Big Week

GitHub dropped version update support for Bazel, Julia, OpenTofu, and Conda.

If youā€™re using any of these, Dependabot now watches your back.

Enable it now:

  1. Go to your repo ā†’ Settings ā†’ Security ā†’ Advanced Security
  2. Click ā€œEnableā€ next to Dependabot alerts
  3. Click ā€œEnableā€ next to Dependabot security updates
  4. For version updates, add a .github/dependabot.yml config file to your repo:
version: 2
updates:
  - package-ecosystem: "uv" # or npm, docker, etc.
    directory: "/"
    schedule:
      interval: "weekly" # or "daily", "monthly", etc.

Done. Dependabot will open PRs when updates are available.

CodeQL: The Security Scanner Youā€™re Not Using

CodeQL is free for every public repository. Has been for years. It catches SQL injection, XSS, hardcoded credentials, and dozens of other vulnerabilities before they hit production.

Most repos donā€™t have it enabled. Thatā€™s wild.

Enable it now:

  1. Go to your repo ā†’ Settings ā†’ Security ā†’ Advanced Security
  2. Find ā€œCode scanningā€ ā†’ Click ā€œSet upā€ ā†’ ā€œDefaultā€
  3. Thatā€™s it. Three clicks.

GitHub auto-detects your languages and runs CodeQL on every push and PR. No config file needed. Results show up in the Security tab and as PR annotations.

For private repos, youā€™ll need GitHub Advanced Security. But if your code is public? This is free. Go turn it on.

šŸ“ŗ What Iā€™m watching

Sam Struan on ATS-friendly rĆ©sumĆ©s - ATS (Applicant Tracking Systems) is the software companies use to collect and organize job applications. Thereā€™s a whole cottage industry selling ā€œATS complianceā€ services, but Sam breaks it down in two minutes: itā€™s mostly a scam. The real test is simple. Select all text in your PDF. If your contact info isnā€™t highlightable, it might not parse correctly. Thatā€™s it. No magic.

Worth your time if: youā€™re job hunting or helping someone who is.

āœØ This Week

It was a productive one. Wrapped up the week with Open Source Friday alongside Cassidy, Christina, and Kedasha. We donā€™t usually get to yap together on stream, so that was a treat. (Yes, the sunglasses were necessary.)

When your teammates match your energy!

By the time you read this, Iā€™ll be en route to Seattle for my teamā€™s offsite. If you are local and wanna say hey, please DM.

Thatā€™s it. Two features. Three clicks each. Go secure your repos.

With gratitude, Iā€™ll see you next week,

Andrea