Security

Removing a Leaked SSH Key from Git History with BFG Repo-Cleaner

How to surgically remove an accidentally committed SSH private key from a Git repository's history using BFG Repo-Cleaner — the fast, focused alternative to git filter-branch

It happens to almost everyone, eventually.

You stage your changes, type git commit -am "wip", push — and a few minutes later realize that id_rsa (or .env, or credentials.json) was sitting in the working directory the whole time. The file is now in the remote, in every clone, in every CI cache, and worst of all: in the git history, where a simple git rm won’t touch it.

This post walks through fixing exactly that scenario with BFG Repo-Cleaner — a tool purpose-built for ripping unwanted blobs out of git history.

DevOps git security bfg

gitlab-token-expiration: stop getting surprised by expiring GitLab tokens

A CLI that lists every expirable token across your GitLab projects, groups, and personal account so you can plan rotations

GitLab access tokens expire. Project tokens, group tokens, personal access tokens — all of them. The trouble is that the expiration dates live in different corners of the UI, and you usually find out one expired the morning a CI pipeline mysteriously starts failing.

gitlab-token-expiration is the small tool I wrote to never have that morning again.

Tools gitlab security cli

jwt-cli: encode and decode JWTs without a browser tab

A small Go CLI to encode, decode and inspect JWT tokens with HMAC, RSA and ECDSA signing

Every time I needed to inspect a JWT, I ended up doing the same thing: paste it into a website I half-trust, squint at the payload, then close the tab feeling vaguely guilty. I wanted a local tool, scriptable, that could both decode tokens and mint them for testing. So I wrote jwt-cli.

Tools golang jwt cli

Stop Committing Secrets: A Practical Guide to Pre-Commit Secret Detection

How to combine Gitleaks as a fast pre-commit hook with TruffleHog in CI/CD for verified secret scanning, plus strategies for handling false positives

You’ve done it. Or someone on your team has. A .env file slips into a commit, an AWS key ends up in a config file, a GitLab token gets hardcoded in a script “just for testing”. A few minutes later it’s in your git history — forever.

This post covers the current best practice for catching secrets before they ever touch your repository, without drowning your team in false positives.

DevOps security git pre-commit

SSH Hardening: 9 Techniques That Cut 50,000 Monthly Attacks to Almost Zero

Practical SSH hardening guide with nine production-tested techniques to dramatically reduce brute-force attacks and secure your servers

Last January, I sat down to review a server’s auth logs and felt a familiar knot in my stomach.

Over 50,000 failed SSH login attempts — in a single month. Bots methodically hammering port 22 with common credentials, dictionary wordlists, and leaked password databases. Just waiting for one mistake.

That audit changed how I think about SSH security. Not as a checkbox, but as a discipline. What follows are the nine hardening techniques I’ve since applied across dozens of production servers. Not theoretical guidelines — actual configurations with real, measurable outcomes.

ops linux ssh security