Hi, and welcome to this newsletter. Thanks for signing up and joining me on a journey touching all kinds of software and cloud related subjects!

REST and APIs

I have been working with Azure API Management a lot recently. So my top 3 resources I always refer to:

👉https://learn.microsoft.com/en-us/azure/api-management/api-management-policy-expressions for the syntax and support

👉https://learn.microsoft.com/en-us/azure/api-management/api-management-policies for all the policies available

👉https://github.com/Azure/api-management-policy-snippets/tree/master/examples a list of examples

Using webhooks can be a great solution to push data instead of polling. There are however authentication issue that need to be solved.

Ngrok did a very nice overview of all the different webhook validations by analyzing around 100 webhook providers:

Webhook Security in the Real World — blog.ngrok.com

ngrok is a globally distributed reverse proxy fronting your web services running in any cloud or behind the firewall.

Another interesting solution comes from github to help with webhook development. This solution saves setting up tunnels which (at least with free versions) change their public url every x hours meaning you need to reconfigure endpoints. You can join their beta program to use the GH CLI for local port forwarding:

Webhook forwarding in the GitHub CLI (public beta) | GitHub Changelog — github.blog

Webhook forwarding in the GitHub CLI (public beta)

Coding

Somehow I write more and more shell scripts. Mostly because the Windows Subsystem for Linux is so simple to use, but I also like the power of a shell script. You can use some tools however, like checking your script on common issues:

ShellCheck – shell script analysis tool — www.shellcheck.net

ShellCheck is an open source static analysis tool that automatically finds bugs in your shell scripts.

But do not start from scratch, there are nice templates:

BASH3 Boilerplate – Template for writing better Bash scripts

BASH3 Boilerplate

Shell Script Best Practices

This article is about a few quick thumb rules I use when writing shell scripts that I’ve come to appreciate over the years. Very opinionated.

Debug Azure Functions with timer triggers locally - MindByte

I recently saw a blog post on how to debug Azure Functions which run on something like a timer trigger. As you must wait for the timer to kick off, it is hard to step into your code at the right time. The proposed solution involved setting up a HttpTrigger, which would feed a queue trigger to reach the code eventually…complex, and a lot of additional code is needed. Let alone adding another component in the mix, the queue. There is however a better way…

Some while ago I posted the below tweet; let me know if you share those or have more suggestions!

GitHub

Systems like github actions are more and more illegally used for bitcoin mining. There are safeguards in place, but the attackers use automatic account creation, random VPN connections, solve 2FA phone prompts etc so they can run docker containers.

Sysdig TRT uncovers massive cryptomining operation leveraging GitHub Actions – Sysdig — sysdig.com

Sysdig TRT uncovered an extensive and sophisticated active cryptomining operation using GitHub, Heroku, Buddy.works, and others. We are going to refer to this as PURPLEURCHIN.

Talking about security, my colleague Rob Bos did some interesting work by analyzing the GitHub marketplace and found some scary results:

Analyzing the GitHub marketplace - Dependency security is a big issue

Analyzing the GitHub marketplace - Dependency security is a big issue

Are you already using the excellent GitHub CLI tool called GH? Are you aware that you can also use extensions?

A nice list of those can be found here: https://github.com/kodepandai/awesome-gh-cli-extensions

Do you still remember your first Pull Request on GitHub?

I could not, but you can look it up with this site:

First Pull Request • What was the first pull request you sent on GitHub? — firstpr.me

What was the first pull request you sent on GitHub?

It happens to the best of us; committing a secret. GitHub already had the ability to detect checked-in secrets, but it will now also disallow you to push secrets to GitHub:

Proactively prevent secret leaks with GitHub Advanced Security secret scanning | The GitHub Blog — github.blog

Protect against secret leaks with secret scanning’s new push protection feature.

Computing

A trip down memory lane; remember FrontPage or Visual InterDev? Why do we use port 80? Where does the IMG tag came from?

An interesting look at the history of web tech by @stevensanderson

Interesting highlight by Kong on async culture: "Managers should encourage a written-heavy culture. This usually takes the form of memos, wiki pages and markdown documents. A written culture naturally encourages an async culture.”

Read the full article for more tips and tricks:

Tips for Software Teams that Work from Home — www.devprojournal.com

Managing software company teams that work from home requires new management styles and strategies.

Helpers

Something you just need to upload a picture, but it contains some sensitive stuff. You can open paint again, but this online tools works in the browser to redact your image:

Redact • Photo - Free And Private Image Redaction In The Browser — redact.photo

Free And Private Image Redaction In The Browser

Computer Laws

“When a measure becomes a target, it ceases to be a good measure.”

- Goodhart’s Law

Seen too many times when metrics are used by management. E.g. story points, lines of code, velocity, code coverage.

And with that, thanks for reading and take care of yourself. I’ll see you next time!