Hi! I'm

Federico Calò

Software Developer | Technical Writer

I create modern web applications and custom digital tools to help businesses grow through technological innovation. My passion is combining computer science and economics to generate real value.

Contact Me

About Me

My passion for computer science was born at the Technical Commercial Institute of Maglie, where I discovered the power of programming and the fascination of creating digital solutions. From the start, I understood that computer science was not just code, but an extraordinary tool for turning ideas into reality.

During my studies in Business Information Systems, I began to interweave computer science and economics, understanding how technology can be the engine of growth for any business. This vision accompanied me to the University of Bari, where I obtained my degree in Computer Science, deepening my technical skills and passion for software development.

Today I put this experience at the service of businesses, professionals and startups, creating tailor-made digital solutions that automate processes, optimize resources and open new business opportunities. Because true innovation begins when technology meets the real needs of people.

My Skills

Data Analysis & Predictive Models

I transform data into strategic insights with in-depth analysis and predictive models for informed decisions

Process Automation

I create custom tools that automate repetitive operations and free up time for value-added activities

Custom Systems

I develop tailor-made software systems, from platform integrations to customized dashboards

const federico = {
  nome: "Federico Calò",
  ruolo: "Sviluppatore Software",
  città: "Bari, Italia",
  missione: "Aiutare attraverso l'informatica",
  passioni: [
    "Codice Pulito",
    "Innovazione",
    "Crescita Continua"
  ]
};

La Mia Missione

Credo fermamente che l'informatica sia lo strumento più potente per trasformare le idee in realtà e migliorare la vita delle persone.

Democratizzare la Tecnologia

La mia missione è rendere l'informatica accessibile a tutti: dalle piccole imprese locali alle startup innovative, fino ai professionisti che vogliono digitalizzare la propria attività. Ogni realtà merita di sfruttare le potenzialità del digitale.

Unire Informatica ed Economia

Non è solo questione di scrivere codice: è capire come la tecnologia possa generare valore reale. Intrecciando competenze informatiche e visione economica, aiuto le attività a crescere, ottimizzare processi e raggiungere nuovi traguardi di efficienza e redditività.

Creare Soluzioni su Misura

Ogni attività è unica, e così devono esserlo le soluzioni. Sviluppo strumenti personalizzati che rispondono alle esigenze specifiche di ciascun cliente, automatizzando processi ripetitivi e liberando tempo per ciò che conta davvero: far crescere il business.

Trasforma la Tua Attività con la Tecnologia

Che tu gestisca un negozio, uno studio professionale o un'azienda, posso aiutarti a sfruttare le potenzialità dell'informatica per lavorare meglio, più velocemente e in modo più intelligente.

Parliamone Insieme →

Join the Community

Join the developer community where we discuss software, AI, architecture and DevOps. Share ideas, ask questions and grow with us.

Channel

FC Dev Blog

Get notifications on new articles, complete series, weekly tips and featured tools. Bilingual IT/EN content directly in your Telegram.

New articles as they are published
Weekly tips and code snippets
Polls on future topics

Subscribe to Channel

Group

FC Dev Community

A bilingual IT/EN community for developers. Discussions, Q&A, mutual help and networking with other professionals.

Discussions on articles and technologies
Coding help and code review
Job opportunities and collaboration

Join the Group

Discussion Topics

View

Master SQL

RoadMap.sh

November 2024

View

Oracle Certified Foundations Associate

Oracle

October 2024

View

People Leadership Credential

Connect

September 2024

💻 Languages & Technologies

Java

Python

JavaScript

Angular

React

TypeScript

SQL

PHP

CSS/SCSS

Node.js

Docker

Git

💼

12/2024 - Present

Custom Software Engineering Analyst

Accenture

Bari, Puglia, Italy · Hybrid Analysis and development of computer systems through the use of Java and Quarkus in Health and Public Sector. Continuous training on modern technologies for creating customized and efficient software solutions and on agents.

💼

06/2022 - 12/2024

Software analyst and Back End Developer Associate Consultant

Links Management and Technology SpA

Experience analyzing as-is software systems and ETL flows using PowerCenter. Completed Spring Boot training for developing modern and scalable backend applications. Backend developer specialized in Spring Boot, with experience in database design, analysis, development and testing of assigned tasks.

💼

02/2021 - 10/2021

Software programmer

Adesso.it (prima era WebScience srl)

Experience in AS-IS and TO-BE analysis, SEO evolutions and website evolutions to improve user performance and engagement.

🎓

2018 - 2025

Degree in Computer Science

University of Bari Aldo Moro

Bachelor's degree in Computer Science, focusing on software engineering, algorithms, and modern development practices.

📚

2013 - 2018

Diploma - Corporate Information Systems

Technical Commercial Institute of Maglie

Technical diploma specializing in Business Information Systems, combining IT knowledge with business management.

Contattami

Hai un progetto in mente? Parliamone! Compila il form qui sotto e ti risponderò al più presto.

* Campi obbligatori. I tuoi dati saranno utilizzati solo per rispondere alla tua richiesta.

CI/CD Security: Protecting the Build and Deploy Process

The CI/CD pipeline is the heart of the software delivery process. If an attacker compromises the pipeline, they can inject malicious code into every subsequent build and deploy. Pipeline security is not just about what the pipeline tests, but how the pipeline itself is protected from tampering.

In this article, we will explore practices for securing the CI/CD pipeline: from branch protection to signed commits, from OIDC to least privilege, to audit logging and approval workflows for production deploys.

What You'll Learn

CI/CD pipeline threat model
Branch protection and code review enforcement
OIDC for authentication without static secrets
Least privilege for runners and workflows
Signed commits and code verifiability
Deployment approval workflows

CI/CD Pipeline Threat Model

To protect the pipeline, we need to understand where the attack surfaces are:

Source code: a malicious contributor injects code in a PR
Dependencies: a compromised dependency is installed during build
Pipeline configuration: modification of workflow files to exfiltrate secrets
Runner: build agent compromise for infrastructure persistence
Artifact: replacement of the built artifact with a malicious one
Deploy credentials: theft of deploy credentials for direct infrastructure access

Branch Protection Rules

Branch protection rules are the first line of defense. They ensure that no code reaches the main branch without reviews and automated checks.

      Recommended Configuration
      
          Rule
          Setting
          Rationale
        
          Require PR reviews
          Minimum 2 approvals
          Four-eyes principle
        
          Dismiss stale reviews
          Enabled
          Invalidate approvals after push
        
          Require status checks
          SAST, SCA, test, lint
          Mandatory automated gates
        
          Require signed commits
          Enabled
          Contributor verifiability
        
          Restrict push access
          CI/CD bot only
          No direct push to main
        
          Require linear history
          Enabled
          Clean and verifiable history

Rule	Setting	Rationale
Require PR reviews	Minimum 2 approvals	Four-eyes principle
Dismiss stale reviews	Enabled	Invalidate approvals after push
Require status checks	SAST, SCA, test, lint	Mandatory automated gates
Require signed commits	Enabled	Contributor verifiability
Restrict push access	CI/CD bot only	No direct push to main
Require linear history	Enabled	Clean and verifiable history

OIDC: Authentication Without Static Secrets

OpenID Connect (OIDC) allows CI/CD workflows to authenticate with cloud providers without using static secrets (API keys, service account keys). The workflow obtains a temporary token based on the repository and branch identity.


# .github/workflows/deploy-oidc.yml
name: Deploy with OIDC
on:
  push:
    branches: [main]

permissions:
  id-token: write   # Required for OIDC
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Configure AWS Credentials (OIDC)
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/github-deploy
          aws-region: eu-west-1
          # No secrets! OIDC token is used automatically

      - name: Deploy to AWS
        run: |
          aws s3 sync dist/ s3://my-bucket/
          aws cloudfront create-invalidation --distribution-id E123 --paths "/*"

Least Privilege for Workflows

Every GitHub Actions workflow has default permissions that can be too broad. The least privilege principle requires limiting permissions to the minimum necessary for each job:


# Restrictive global permissions
permissions:
  contents: read  # Read-only repository access

jobs:
  test:
    runs-on: ubuntu-latest
    # No additional permissions for tests
    steps:
      - uses: actions/checkout@v4
      - run: npm test

  deploy:
    needs: test
    runs-on: ubuntu-latest
    permissions:
      id-token: write      # Only for OIDC
      contents: read
      packages: write      # Only for image push
    environment: production  # Requires manual approval
    steps:
      - uses: actions/checkout@v4
      - name: Deploy
        run: ./deploy.sh

Signed Commits

Signed commits guarantee contributor identity through GPG or SSH cryptographic signatures. Without signing, anyone can create a commit with an arbitrary name and email, impersonating other developers.


# Configure GPG for signed commits
gpg --full-generate-key
gpg --list-secret-keys --keyid-format=long

# Configure Git to sign automatically
git config --global user.signingkey YOUR_KEY_ID
git config --global commit.gpgsign true
git config --global tag.gpgsign true

# Alternative: sign with SSH key
git config --global gpg.format ssh
git config --global user.signingkey ~/.ssh/id_ed25519.pub
git config --global commit.gpgsign true

Deployment Approval Workflows

Production deploys should require explicit approval from authorized personnel. GitHub Environments allows configuring mandatory manual approvals:


# Deploy with manual approval
jobs:
  deploy-staging:
    runs-on: ubuntu-latest
    environment: staging
    steps:
      - name: Deploy to staging
        run: ./deploy.sh staging

  deploy-production:
    needs: deploy-staging
    runs-on: ubuntu-latest
    environment:
      name: production
      url: https://myapp.com
    # Requires approval from a designated reviewer
    steps:
      - name: Deploy to production
        run: ./deploy.sh production

      - name: Notify team
        run: |
          curl -X POST "#123;{ secrets.SLACK_WEBHOOK }}" \
            -H "Content-Type: application/json" \
            -d '{"text": "Production deploy completed successfully"}'

Pipeline Security Hardening Checklist

Pipeline Security Checklist

Branch protection with mandatory reviews and status checks
OIDC instead of static secrets for cloud authentication
Minimal workflow permissions (least privilege)
Mandatory signed commits on the main branch
Action pinning with SHA instead of tags
Production environment with manual approval
Active audit log for all CI/CD operations
Self-hosted runners in isolated network (if applicable)
Secret scanning on pipeline configuration
SBOM generated and signed on every build

GitHub Actions Pinning


# INSECURE: uses a mutable tag
- uses: actions/checkout@v4

# SECURE: uses commit SHA (immutable)
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

CI/CD Security Best Practices

OIDC everywhere: eliminate all static secrets for cloud provider authentication
Minimal permissions: each job has only the necessary permissions, nothing more
Pin actions by SHA: never use mutable tags for third-party actions
Separate environments: staging and production with different configurations and approvals
Audit everything: log every build, deploy, approval, and pipeline modification
Ephemeral runners: runners should be recreated on each job to avoid persistence

Conclusions

CI/CD pipeline security is often overlooked, but it's a critical attack vector. A compromised pipeline can inject malicious code into every subsequent build. With branch protection, OIDC, least privilege, and deployment approvals, you build a resilient and verifiable pipeline.

In the next article, we'll explore IaC Scanning, analyzing how to validate Terraform, CloudFormation, and ARM configurations to prevent security misconfigurations.