All posts

16 posts · CI/CD

Multi-stage Docker builds that cut image size by 80%Split build tooling from the runtime so your final image ships only the binary and its deps — smaller, faster, safer.Jun 24, 2026 · 9 minIntermediatedockerimagesScanning container images with Trivy in GitLab CIWire Trivy into your pipeline, fail builds on criticals without blocking every merge, and cache the vuln DB so scans stay under 30 seconds.May 26, 2026 · 9 minIntermediatetrivygitlabSpeed up GitHub Actions with dependency cachingCache node_modules, pip wheels, and Go modules keyed on your lockfile hash, and warm the cache on main to cut minutes off every GitHub Actions run.May 12, 2026 · 6 minBeginnergithub-actionscacheDistroless container images: shipping without a shellShip images with no package manager, no shell, and almost no attack surface — and still debug when you need to.Apr 2, 2026 · 10 minAdvanceddockerdistrolessSAST in CI with Semgrep and custom rulesAdd fast static analysis to your pipeline and write project-specific rules that catch your own recurring bugs.Jan 28, 2026 · 9 minIntermediatesemgrepsastGitLab review apps: a fresh environment per merge requestSpin up an ephemeral deploy for every merge request and tear it down on merge — review real changes, not screenshots.Nov 12, 2025 · 10 minIntermediategitlabreview-appsStop leaking secrets in CI logs: masking and OIDCMask variables, avoid echoing secrets, and move to short-lived OIDC tokens so a leaked log isn't a breach.Aug 27, 2025 · 9 minIntermediatecisecretsCI dependency scanning: pip-audit, npm audit, fail fastLockfile scanners like pip-audit and npm audit are free and fast — the hard part is a CI failure policy strict enough to matter that your team keeps on.Jun 12, 2025 · 7 minBeginnerpip-auditnpmAttesting builds with SLSA provenance in CIGenerate an SBOM and signed SLSA provenance for every build, attach them with cosign, and prove exactly where an artifact came from when auditors ask.Jun 3, 2025 · 11 minAdvancedslsasbomDockerfile layer caching: order matters more than you thinkOrder your instructions so dependency layers stay cached and only your code layer rebuilds — seconds, not minutes.Apr 8, 2025 · 6 minBeginnerdockercacheDRY GitHub Actions with reusable workflowsExtract shared build-and-scan steps into a reusable workflow and call it from every repo with inputs and secrets.Jan 14, 2025 · 8 minIntermediategithub-actionsreuseGenerate an SBOM for any container image with SyftProduce a complete software bill of materials in SPDX or CycloneDX and feed it to Grype for fast CVE triage.Nov 5, 2024 · 8 minIntermediatesyftsbomBlue-green and canary deploys from your pipelineShip with zero downtime and instant rollback by shifting traffic between versions instead of replacing in place.Oct 22, 2024 · 11 minAdvanceddeploycanaryHEALTHCHECK and graceful shutdown in containersTell the orchestrator when your container is actually healthy, and handle SIGTERM so deploys don't drop requests.Aug 27, 2024 · 8 minIntermediatedockerhealthcheckHardening self-hosted GitLab runnersIsolate jobs, scope CI tokens, and pin executors so one poisoned pipeline can't pivot into your whole GitLab runner fleet or leak another team's secrets.Aug 13, 2024 · 10 minAdvancedgitlabrunnersDocker Compose in production: the parts that biteRestart policies, health-gated dependencies, resource caps, and secrets — what to fix before Compose meets real traffic.Jul 2, 2024 · 9 minIntermediatedockercompose