Opening jab
You can’t secure what you can’t reproduce.
“Latest” isn’t a strategy — it’s a confession that you don’t control your own environment.
The Real Problem
Most “secure” pipelines fall apart before they start.
Developers run different OPA versions.
CI installs whatever Homebrew happens to serve that day.
And your attestation chain begins with curl https://sh.somestartup.io | bash.
If your tooling isn’t pinned, your policies are theater.
The Only Acceptable Rule
Every tool in the critical path — compiler, linter, scanner, policy engine, image builder — must be pinned by version and checksum.
You don’t need a platform for this. You need discipline.
Homebrew, Done Right
Homebrew is fine if you cage it properly.
Here’s how adults install their tools:
# 1. install specific versions
brew install open-policy-agent/tap/opa@1.1.1
brew install instrumenta/instrumenta/conftest@0.56.0
brew install go-containerregistry@0.20.2
# 2. freeze them in place
brew pin opa
brew pin conftest
brew pin go-containerregistry
If your version isn’t directly available, extract it yourself:
brew extract --version=0.56.0 conftest instrumenta/instrumenta
brew install instrumenta/instrumenta/conftest@0.56.0
brew pin conftest
Now you can rebuild your environment on any box, any day, and get the same bits.
No curl-to-bash. No “latest.”
If it’s not signed, hashed, or attested, it doesn’t enter $PATH.
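Homebrew pins the version, but the checksum half of the rule (and the `sha256sum -c` line in the summary table) is on you. The following POSIX shell script is an added example, not code from the original post: it verifies every binary in a tool directory against a committed manifest in the `<sha256>  <name>` format that `sha256sum -c` reads, and refuses missing, altered, or unlisted binaries. The tool stand-ins, the `bin/` directory, and the `tools.sha256` file name are constructed for the example so it runs offline; in practice the manifest would be generated once at pin time and committed next to the Brewfile.

```shell
#!/bin/sh
# Added example (not from the original post): gate a tool directory on a
# committed SHA-256 manifest before it is put on PATH.

# Use coreutils sha256sum when present, otherwise BSD/macOS shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_toolchain MANIFEST BINDIR
# Succeeds only if every tool in MANIFEST exists under BINDIR with the pinned
# digest and BINDIR contains nothing the manifest does not list.
verify_toolchain() {
    manifest=$1; bindir=$2; rc=0
    while read -r expected name; do
        [ -z "$name" ] && continue
        path="$bindir/$name"
        if [ ! -f "$path" ]; then
            echo "MISSING  $name"; rc=1; continue
        fi
        actual=$(sha256_of "$path")
        if [ "$actual" = "$expected" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (pinned $expected, found $actual)"; rc=1
        fi
    done < "$manifest"
    for f in "$bindir"/*; do
        [ -e "$f" ] || continue
        n=$(basename "$f")
        grep -q " $n\$" "$manifest" || { echo "UNLISTED $n"; rc=1; }
    done
    return $rc
}

# make_fixture DIR: constructed stand-ins for pinned tools plus the manifest
# that would normally be generated at pin time and committed.
make_fixture() {
    dir=$1
    mkdir -p "$dir/bin"
    printf '#!/bin/sh\necho "opa 1.1.1"\n' > "$dir/bin/opa"
    printf '#!/bin/sh\necho "conftest 0.56.0"\n' > "$dir/bin/conftest"
    chmod +x "$dir/bin/opa" "$dir/bin/conftest"
    : > "$dir/tools.sha256"
    for t in opa conftest; do
        echo "$(sha256_of "$dir/bin/$t")  $t" >> "$dir/tools.sha256"
    done
}

# demo: pristine directory passes, a drifted binary fails, a stray binary fails.
# Returns 0 only if all three outcomes are as expected.
demo() {
    work=$(mktemp -d)
    make_fixture "$work"
    verify_toolchain "$work/tools.sha256" "$work/bin" || return 1
    echo 'echo drift' >> "$work/bin/opa"        # binary no longer matches its pin
    verify_toolchain "$work/tools.sha256" "$work/bin" && return 1
    make_fixture "$work"                          # restore, then add an unlisted tool
    : > "$work/bin/stray"
    verify_toolchain "$work/tools.sha256" "$work/bin" && return 1
    rm -rf "$work"
    return 0
}

demo
```

Wire `verify_toolchain` in as the first step of the CI job and in the devcontainer's entrypoint; only on success does the directory get prepended to `PATH`. Because the manifest is plain `sha256sum -c` format, the same file can be checked with that one command on any host that has coreutils.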
Lock Your Provenance
Your toolchain is part of your SBOM.
Export it like any other dependency:
# brew bundle dump writes a Brewfile; Brewfile.lock.json (exact versions, bottle checksums) is written by brew bundle install
brew bundle dump --file=./Brewfile
brew bundle install --file=./Brewfile
git add Brewfile Brewfile.lock.json
This file is now the attestable manifest for your developer environment.
Your CI and devcontainers can reproduce it 1:1.
Why This Matters
Pinning is provenance.
It’s the difference between “I built this” and “something built this once, maybe.”
Without it, your SBOM is fiction and your attestations are decorative art.
This is the first layer of EnvSecOps:
Trust begins with reproducibility.
TL;DR
| Tool | Action | Why |
|---|---|---|
| brew install …@version | explicit version | deterministic installs |
| brew pin | freeze it | prevent drift |
| brew bundle dump | export | attest environment |
| sha256sum -c | verify | don’t trust strangers |
| jq, yq, crane, conftest, opa | small tools | big security |
The Exit Code
If your pipeline depends on brew upgrade, it’s not a pipeline — it’s a coin toss.
Version-lock it, checksum it, and move on.