@adregan
Last active September 16, 2025 19:51
Hardening Your Development Environment

Prerequisites

  • 1Password
  • 1Password CLI

GitHub SSH access

Accessing GitHub over ssh is low friction, but it puts you at risk if a program running as you can read and exfiltrate your private ssh key. By generating and storing the key in 1Password, and letting 1Password's SSH agent do the signing, the private key never sits on disk in plaintext. A process that can reach the agent socket can still ask it to sign, so you are not immune, but 1Password's per-application authorization prompts add approvals and friction that give you a chance to notice and intervene during an attack.

SSH Key

  1. 1Password > Settings > Developer
  2. [x] Use the SSH Agent
  3. Update ~/.ssh/config to point IdentityAgent at the 1Password agent socket, so ssh asks the agent to sign instead of reading a key file
  4. New Item > SSH Key > Add Private Key > Generate a New Key (Ed25519)
  5. GitHub > Settings > SSH and GPG keys > New SSH Key (Authentication Key). If you have the 1Password browser extension, 1Password should offer a list of your keys to pick from.
  6. Delete your old ssh key from GitHub, and remove the old private key file from ~/.ssh once nothing else depends on it, so no plaintext key is left on disk.
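As an added example (not part of the gist), here is the ~/.ssh/config change from step 3 as a small bash script: it appends the IdentityAgent stanza using the documented 1Password socket path for macOS or Linux, keeps the edit idempotent, and asks ssh with -G how it resolves the setting without connecting anywhere. The github.com block and the ~/.ssh/github.pub path are assumptions: they make ssh offer only that exported public key to GitHub instead of every key the agent holds.

```bash
#!/usr/bin/env bash
# Added example, not from the gist: route ssh through the 1Password agent and
# check how ssh resolves the setting.

# Socket path of the 1Password SSH agent for this OS (1Password's documented
# defaults for macOS and Linux). Fails on anything else.
onepassword_agent_socket() {
    case "$(uname -s)" in
        Darwin) printf '%s\n' '~/Library/Group Containers/2BUA8C4S2C.group.com.1password/t/agent.sock' ;;
        Linux)  printf '%s\n' '~/.1password/agent.sock' ;;
        *)      return 1 ;;
    esac
}

# Append the stanza unless the config already names an IdentityAgent
# (idempotent). Args: config path, socket path.
# The github.com block (assumption) limits what ssh offers to GitHub to the
# public key exported from 1Password to ~/.ssh/github.pub.
add_identity_agent() {
    cfg="$1"; sock="$2"
    if [ -f "$cfg" ] && grep -qi '^[[:space:]]*IdentityAgent' "$cfg"; then
        return 0
    fi
    {
        printf 'Host github.com\n'
        printf '  IdentitiesOnly yes\n'
        printf '  IdentityFile ~/.ssh/github.pub\n'
        printf '\n'
        printf 'Host *\n'
        printf '  IdentityAgent "%s"\n' "$sock"
    } >> "$cfg"
    chmod 600 "$cfg"   # ssh refuses user configs with loose permissions
}

# Number of IdentityAgent lines in a config; confirms the append is idempotent.
count_identity_agent() {
    grep -ci '^[[:space:]]*IdentityAgent' "$1" || true
}

# Ask ssh what it will actually use for github.com, without connecting.
# Args: config path. Prints the resolved identityagent line.
resolved_agent() {
    ssh -G -F "$1" github.com | grep -i '^identityagent'
}

# Usage: `bash thisfile apply` edits the real config. Afterwards
# `ssh -T git@github.com` should greet you by username.
if [ "${1:-}" = apply ]; then
    add_identity_agent "$HOME/.ssh/config" "$(onepassword_agent_socket)"
    resolved_agent "$HOME/.ssh/config"
fi
```

If resolved_agent prints nothing, an earlier Host block in the file already sets IdentityAgent (ssh keeps the first value it sees), and that is the line to fix.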

Signing Key

You can also sign commits with ssh and use the same key that you use for authentication.

  1. GitHub > Settings > SSH and GPG keys > New SSH Key (Signing Key).
  2. 1Password documents how to use an ssh signing key with git, but the gist is that you need to update your ~/.gitconfig with the following (signingkey is the public key string shown in 1Password, and program is 1Password's op-ssh-sign helper):
[user]
  signingkey = <YOUR_PUBLIC_KEY>
[gpg]
  format = ssh
[gpg "ssh"]
  program = <PATH/TO/SSH_PROGRAM> 
[commit]
  gpgsign = true
The path to the ssh signing program is likely something like "/Applications/1Password.app/Contents/MacOS/op-ssh-sign" on macOS, but verify it on your machine (the Linux install puts it elsewhere).

To test your key, you could (before configuring the above): remove any existing signing key from github; create a test branch and a test commit; push the change and see that it is unverified; configure the above; git commit --amend --reset-author -S --no-edit; git push --force-with-lease; check that the commit is now verified.

Locking down the gh cli utility

The GitHub CLI is useful, but its token handling is a hole you could drive a truck through: gh auth token simply prints the token, so anything that can run gh can exfiltrate it with gh itself. Ideally, use a fine-grained token that can only write to private repos (this cuts off one exfiltration path) and limit its permissions to the tools you actually use. For example, if all you automate is opening a PR, grant only the pull request permission.

  1. 1Password > Settings > Developer
  2. [x] Integrate with 1Password CLI
  3. In your terminal, run $ op signin. You may have to add the -f flag, as your terminal emulator might trigger the Apple security warning "X would like to access data from other apps." This is a good thing. Leave it on and don't grant blanket permissions, so that this little warning gives you a moment to stop and ask why the currently running npm install needs to access other programs.
  4. Store the token you use for accessing gh in 1Password (a fine-grained token is preferred here).
  5. Add the equivalent of the following to your shell config: export GH_TOKEN="op://<vault>/<item>/<field>" (bash); set -gx GH_TOKEN "op://<vault>/<item>/<field>" (fish). For example op://employee/github-cli-token/token. gh does not understand op:// references itself; the reference is only resolved when gh is launched through op run, which substitutes the real value into the child process's environment.
  6. Alternatively, bundle the GH_TOKEN within a function so that it's not available out of that scope (fish shell):
function gh
    # Refuse `gh auth ...` so gh can never print or re-store the token
    if test "$argv[1]" = auth
        echo "gh auth is disabled on this system"
        return 1
    end

    # -l keeps the variable local to this function; -x exports it so that
    # op run sees the op:// reference in the child environment and resolves it
    set -lx GH_TOKEN "op://employee/github-cli-token/password"
    op run --no-masking -- command gh $argv
end
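Added example (not from the gist): a bash/zsh equivalent of the fish wrapper, plus an audit function that reports the places a plaintext token could still be lurking, namely gh's own hosts.yml credential store and the environment variables gh reads. Vault, item and field names are assumptions; the sample hosts.yml contents in the usage note are constructed.

```bash
#!/usr/bin/env bash
# Added example, not from the gist: bash/zsh wrapper for gh plus a token audit.

GH_TOKEN_REF="op://employee/github-cli-token/token"   # a reference, not a secret
# Resolve the real binary once, before the function below shadows the name.
GH_BIN="${GH_BIN:-$(command -v gh || echo gh)}"

gh() {
    # Block `gh auth token`, `gh auth login` and friends: the token must be
    # reachable only through op, never printed or re-stored by gh.
    if [ "${1:-}" = auth ]; then
        printf 'gh auth is disabled on this system; the token lives in 1Password\n' >&2
        return 1
    fi
    # op run resolves the op:// reference in the child's environment only, so
    # the plaintext token never enters this shell or its history.
    GH_TOKEN="$GH_TOKEN_REF" op run --no-masking -- "$GH_BIN" "$@"
}

# Report every place a plaintext GitHub token could be sitting.
# Args: path of gh's credential store (default ~/.config/gh/hosts.yml).
# Returns 0 when clean, 1 when something needs fixing.
gh_token_audit() {
    hosts="${1:-${XDG_CONFIG_HOME:-$HOME/.config}/gh/hosts.yml}"
    clean=0
    # 1. `gh auth login` writes oauth_token into hosts.yml unless a keyring
    #    is in use; `gh auth logout` removes it.
    if [ -f "$hosts" ] && grep -q 'oauth_token:' "$hosts"; then
        printf 'token stored in %s (remove with: gh auth logout)\n' "$hosts" >&2
        clean=1
    fi
    # 2. Environment variables gh reads. An op:// reference is fine; a real
    #    value exported to every child process is not.
    for var in GH_TOKEN GITHUB_TOKEN GH_ENTERPRISE_TOKEN GITHUB_ENTERPRISE_TOKEN; do
        eval "val=\${$var:-}"
        case "$val" in
            "") ;;
            op://*) ;;
            *) printf 'plaintext token in $%s\n' "$var" >&2; clean=1 ;;
        esac
    done
    return "$clean"
}
```

Source the file from ~/.bashrc or ~/.zshrc. Run gh_token_audit after gh auth logout: a hosts.yml line such as `oauth_token: gho_...` or an exported GITHUB_TOKEN holding a real value makes it return 1, while GH_TOKEN set to an op:// reference passes.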