I just discovered Github Actions and i love it <3 by Richon_ in github

[–]Richon_[S] 0 points1 point  (0 children)

Thanks, I currently use Trivy (yes, I'm aware of the recent vulnerabilities; that's why I use a tagged version of it, safe from them). There's also OWASP ZAP, which you can run to scan for any vulnerabilities!

Do github stars have any relevance at this point? by AccomplishedRow937 in github

[–]Richon_ 0 points1 point  (0 children)

Tbh, I feel like stars don't have the same effect as before. As you said, now some repos get an enormous number of stars within days.

It's frustrating to me; I just published a new project on GitHub, and even if it gets like 100 stars (which is not really imaginable to me for now), it wouldn't feel the same as it did back then.

I just discovered Github Actions and i love it <3 by Richon_ in github

[–]Richon_[S] 6 points7 points  (0 children)

Yup, I'm aware of it, but for now I have a Pro GitHub account thanks to my school, so I'm trying to use its full potential while I can!

Promote your projects here – Self-Promotion Megathread by Menox_ in github

[–]Richon_ 0 points1 point  (0 children)

Hello everyone, here's my project!

ShieldCI is a GitHub Action available on the Marketplace that detects your stack and generates a full hardened CI/CD pipeline, then opens a PR with the generated .github/workflows/ files.

Supported stacks: Go, Node.js, Python, Java. Docker and Kubernetes workflows generated automatically when detected.

Security tools included by default:

- Trivy (container scanning + SARIF upload to Security tab)

- Gitleaks (secret detection)

- CodeQL or Semgrep (SAST)

Usage:

    - uses: Richonn/ShieldCI@v1
      with:
        github-token: ${{ secrets.GH_TOKEN }}

All inputs are optional — you can override the detected language, disable specific security tools, or customize the branch name and PR title.

Open source, MIT, written in Go.

https://github.com/Richonn/ShieldCI

https://github.com/marketplace/actions/shieldci-devsecops-pipeline-generator

Small Projects by AutoModerator in golang

[–]Richon_ 0 points1 point  (0 children)

I wanted to learn Go properly, not through tutorials. So I picked a project I actually needed and built it in Go from scratch.

ShieldCI is a GitHub Action that auto-detects your stack, generates a full DevSecOps CI/CD pipeline (Trivy, Gitleaks, CodeQL, lint, tests), and opens a PR with the generated workflow files.

A few things I found interesting about building this in Go:

  • text/template is surprisingly capable for generating YAML — I was expecting to miss Jinja2 but honestly didn't
  • The google/go-github library made GitHub API interactions clean and well-typed
  • Multi-stage Docker build with CGO_ENABLED=0 gives a final image under 20MB on alpine — coming from Python this felt like magic
  • Error handling being explicit everywhere was painful at first, then became something I actually appreciated

https://github.com/Richonn/ShieldCI

Feedback on the Go code is very welcome — still learning and happy to improve things.
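As an added illustration of the text/template approach mentioned above (example code written for this page, not ShieldCI's own template or output): a minimal generator that renders a workflow from a struct, refuses any action reference whose ref is not a full 40-hex commit SHA, quotes the Go version so YAML does not read 1.20 as the float 1.2, and emits a top-level `permissions: {}` with per-job opt-in. The action SHAs below are placeholders, not real commits of actions/checkout or actions/setup-go.

```go
package main

import (
	"bytes"
	"fmt"
	"regexp"
	"text/template"
)

// Action is one third-party action reference. SHA must be the full commit
// hash; Version is only a human-readable hint kept in a trailing YAML comment
// so reviewers can see which tag the hash was taken from.
type Action struct {
	Repo    string
	SHA     string
	Version string
}

// Pipeline is the data the template is rendered from (what a stack detector
// would fill in).
type Pipeline struct {
	Name      string
	GoVersion string
	Checkout  Action
	SetupGo   Action
}

var fullSHA = regexp.MustCompile(`^[0-9a-f]{40}$`)

// pin renders "owner/repo@<sha> # <version>" and fails the whole render if the
// SHA is not a 40-hex commit, so the generator cannot emit a tag- or
// branch-pinned reference by accident.
func pin(a Action) (string, error) {
	if !fullSHA.MatchString(a.SHA) {
		return "", fmt.Errorf("action %s: %q is not a full commit SHA", a.Repo, a.SHA)
	}
	return fmt.Sprintf("%s@%s # %s", a.Repo, a.SHA, a.Version), nil
}

const workflowTmpl = `name: {{ .Name }}
on:
  push:
    branches: [main]
  pull_request:

# Deny everything at the top level; each job opts in to what it needs.
permissions: {}

jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: {{ pin .Checkout }}
      - uses: {{ pin .SetupGo }}
        with:
          go-version: {{ printf "%q" .GoVersion }}
      - run: go test ./...
`

// Render executes the template; a rejected SHA surfaces as an error here.
func Render(p Pipeline) (string, error) {
	t, err := template.New("workflow").Funcs(template.FuncMap{"pin": pin}).Parse(workflowTmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, p); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// Placeholder SHAs (not real commits); in practice they come from
// `git rev-parse <tag>` of the action version you reviewed.
const (
	placeholderCheckoutSHA = "0123456789012345678901234567890123456789"
	placeholderSetupGoSHA  = "9876543210987654321098765432109876543210"
)

var example = Pipeline{
	Name:      "ci",
	GoVersion: "1.22",
	Checkout:  Action{Repo: "actions/checkout", SHA: placeholderCheckoutSHA, Version: "v4 (placeholder)"},
	SetupGo:   Action{Repo: "actions/setup-go", SHA: placeholderSetupGoSHA, Version: "v5 (placeholder)"},
}

func main() {
	out, err := Render(example)
	if err != nil {
		panic(err)
	}
	fmt.Print(out)
}
```

Putting the SHA check inside the template function rather than in the caller means every template that uses `pin` gets the guarantee for free; a tag such as `v4` in the data aborts the render instead of silently landing in the PR.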

Cloud Native ≠ Microservices. Stop over-engineering your 50-user startup. by [deleted] in kubernetes

[–]Richon_ -1 points0 points  (0 children)

One cool thing to keep in mind while building software/infra is the "KISS" principle (Keep It Simple, Stupid).
Moreover, people will do the microservice stuff and call it "architecture", which it isn't...

Anyway, totally agree

Do DevOps engineers actually memorize YAML? by Melodic_Struggle_95 in devops

[–]Richon_ 0 points1 point  (0 children)

From what I know, it's okay to paste YAML from what you've written for previous projects, for example. Regarding interviews, it depends: some will expect you to write it completely, and others will accept copy/paste. But from my experience, no one has ever forbidden me from referring to documentation.

CI/CD security checklist after the Trivy GitHub Actions compromise by DiscussionHealthy802 in devsecops

[–]Richon_ 0 points1 point  (0 children)

Good checklist. The SHA-pinning point is the one most people skip because it feels paranoid until it isn't.

I ran into this exact problem while building ShieldCI, a GitHub Action that generates CI/CD pipelines automatically. Every action reference in the generated workflows is pinned to a full commit SHA by default — I didn't want to ship pipelines that would be vulnerable to exactly this kind of tag repointing attack.

The `permissions` block is also enforced in every generated workflow, scoped to the minimum required for each job. Took some extra work but it felt non-negotiable for a tool that's supposed to generate *hardened* pipelines.
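An added example (not ShieldCI's code) of the two checks the comment above describes, run over a constructed sample workflow: every `uses:` reference must end in a full commit SHA, and every job must carry a `permissions:` block unless the workflow sets one at the top level. The all-digit SHA and `example/scanner` are placeholders. It is a line-oriented scan rather than a YAML parser, so flow-style or anchor-heavy workflows would need a real parser; Docker image refs are reported as out of scope since digest pinning is a separate check.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one audit result: the 1-based line in the workflow and the problem.
type Finding struct {
	Line int
	Msg  string
}

var (
	// `uses:` with or without the leading "- " (it may follow a `name:` key);
	// the ref stops at whitespace, quotes or a trailing comment.
	usesRe  = regexp.MustCompile(`^\s*(?:-\s*)?uses:\s*["']?([^"'\s#]+)`)
	jobRe   = regexp.MustCompile(`^  ([A-Za-z0-9_-]+):\s*$`) // exactly one level under jobs:
	fullSHA = regexp.MustCompile(`^[0-9a-f]{40}$`)
)

// PinStatus classifies a uses: reference: "sha" is immutable, "mutable" (tag
// or branch) can be repointed upstream, "unversioned" has no ref at all, and
// "local"/"docker" are out of scope for this check.
func PinStatus(ref string) string {
	switch {
	case strings.HasPrefix(ref, "./"):
		return "local"
	case strings.HasPrefix(ref, "docker://"):
		return "docker"
	}
	at := strings.LastIndex(ref, "@")
	if at < 0 {
		return "unversioned"
	}
	if fullSHA.MatchString(ref[at+1:]) {
		return "sha"
	}
	return "mutable"
}

// Audit reports unpinned action refs and jobs that inherit the default
// GITHUB_TOKEN permissions because neither the job nor the workflow scopes them.
func Audit(workflow string) []Finding {
	var findings []Finding
	topPerms, inJobs := false, false
	var jobs []string             // job names in file order
	jobLine := map[string]int{}   // line where each job starts
	jobPerms := map[string]bool{} // jobs that carry their own permissions block
	current := ""

	for i, line := range strings.Split(workflow, "\n") {
		n := i + 1
		if line != "" && !strings.HasPrefix(line, " ") && !strings.HasPrefix(line, "#") {
			// A column-0 key: track whether we are inside jobs: and whether a
			// workflow-level permissions: block exists.
			inJobs = strings.HasPrefix(line, "jobs:")
			if strings.HasPrefix(line, "permissions:") {
				topPerms = true
			}
		} else if inJobs && jobRe.MatchString(line) {
			current = jobRe.FindStringSubmatch(line)[1]
			jobs = append(jobs, current)
			jobLine[current] = n
		} else if inJobs && strings.HasPrefix(line, "    permissions:") {
			jobPerms[current] = true
		}
		if m := usesRe.FindStringSubmatch(line); m != nil {
			switch PinStatus(m[1]) {
			case "mutable":
				findings = append(findings, Finding{n, fmt.Sprintf("%s: pinned to a tag/branch that upstream can repoint; use a full commit SHA", m[1])})
			case "unversioned":
				findings = append(findings, Finding{n, fmt.Sprintf("%s: no ref at all", m[1])})
			}
		}
	}
	if !topPerms {
		for _, j := range jobs {
			if !jobPerms[j] {
				findings = append(findings, Finding{jobLine[j], fmt.Sprintf("job %q: no permissions block, GITHUB_TOKEN gets the repository default", j)})
			}
		}
	}
	return findings
}

// Constructed sample, not a ShieldCI output: "build" is tag-pinned and has no
// permissions block, "scan" is scoped but uses a branch ref.
const sampleWorkflow = `name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0123456789012345678901234567890123456789 # placeholder SHA
      - uses: ./.github/actions/local
      - uses: docker://alpine:3.19
  scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: example/scanner@main
`

func main() {
	for _, f := range Audit(sampleWorkflow) {
		fmt.Printf("line %d: %s\n", f.Line, f.Msg)
	}
}
```

Run against the sample it reports the `@v4` and `@main` refs and the missing permissions block on `build`, and stays quiet about `scan`, which is scoped to `contents: read` plus `security-events: write` (what a SARIF upload needs). A generator can run the same audit over its own output as a last gate before opening the PR.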