How to Have GitLab CI/CD for a .NET Aspire Project

Getting a complete CI/CD pipeline for your .NET Aspire solution doesn't have to be complicated. I've created a template that gives you everything you need to get started in minutes.

(blog post en français ici)

Watch the Video

Part 1: The Ready-to-Use Template

I've built a .NET Aspire template that comes with everything configured and ready to go. Here's what you get:

What's Included

• A classic .NET Aspire Starter project (API and frontend)
• Unit tests using xUnit (easily adaptable to other testing frameworks)
• Complete .gitlab-ci.yml pipeline configuration
• Security scanning and secret detection
• All documentation you need

What the Pipeline Does

The pipeline runs two main jobs automatically:

1. Build: Compiles your code
2. Test: Runs all unit tests, scans for vulnerabilities, and checks for accidentally committed secrets (API keys, passwords, etc.)

You can see all test results directly in GitLab's interface, making it easy to track your project's health.

How to Get Started

It's simple:

1. Clone the template repository: cloud5mins/aspire-template
2. Replace the sample project with your own .NET Aspire code
3. Push to your GitLab repository
4. Watch your CI/CD pipeline run automatically

That's it! You immediately get automated builds, testing, and security scanning.

Pro Tip: The best time to set up CI/CD is when you're just starting your project because everything is still simple.

Part 2: Building the Template with GitLab Duo

Now let me share my experience creating this template using GitLab's AI assistant, GitLab Duo.

Starting Simple, Growing Smart

I didn't build this complex pipeline all at once. I started with something very basic and used GitLab Duo to gradually add features. The AI helped me:

• Add secret detection when I asked: "How can I scan for accidentally committed secrets?"
• Fix test execution issues when my unit tests weren't running properly
• Optimize the pipeline structure for better performance

Working with GitLab in VS Code

While you can edit .gitlab-ci.yml files directly in GitLab's web interface, I prefer VS Code. Here's my setup:

1. Install the official GitLab extension from the VS Code marketplace

Once you've signed in, this extension gives you:

• Direct access to GitLab issues and work items
• AI-powered chat with GitLab Duo

GitLab Duo in Action

GitLab Duo became my pair programming partner. Here's how I used it:

Understanding Code: I could type /explain and ask Duo to explain what any part of my pipeline configuration does by highlighting that section.

Solving Problems: When my solution didn't compile, I described the issue to Duo and got specific suggestions. For example, it helped me realize some projects weren't in .NET 9 because dotnet build required the Aspire workload. I could either keep my project in .NET 8 and add a before_script instruction to install the workload or upgrade to .NET 9; I picked the latest.

Adding Features: I started with just build and test, then incrementally asked Duo to help me add security scanning, secret detection, and better error handling.

Adding Context: Using /include to add the project file or the .gitlab-ci.yml file while asking questions helped Duo understand the context better.

Learn More with the Docs: During my journey, I knew Duo wasn't just making things up as it was referencing the documentation. I could continue my learning there and read more examples of how before_script is used in different contexts.

The AI-Assisted Development Experience

What impressed me most was how GitLab Duo helped me learn while building. Instead of just copying configurations from documentation, each conversation taught me something new about GitLab CI/CD best practices.

Conclusion

I think this template can be useful for anyone starting a .NET Aspire project. Ready to try it? Clone the template at cloud5mins/aspire-template and start building with confidence.

Whether you're new to .NET Aspire or CI/CD, this template gives you a good foundation. And if you want to customize it further, GitLab Duo is there to help you understand and modify the configuration.

If you think we should add more features or improve the template, feel free to open an issue in the repository. Your feedback is always welcome!

Thanks to ‪David Fowler‬ for his feedback!

Reading Notes #656

This week, we're exploring a wide range of topics, from .NET 10 previews and A/B testing to the latest in Azure development and AI. Plus, a selection of insightful podcast episodes to keep you informed and inspired.

Cloud

• Please Don't Write Your Own MCP Authorization Code · Den Delimarsky (Den Delimarsky) - Security is important and deserves to be done right. learn how to use in this post and save a lot of time

• Azure Developer CLI (azd) - June 2025 (Kristen Womack) - More features, response to the community's request, and more in this announcement.

Programming

• .NET 10 Previews: Blazor Performance Monitoring, JS Interop (Jon Hilton ) - Cool new features are coming for Blazer WASM

• A/B testing in .NET using Microsoft Feature Management (Bart Wullems) - Great tutorial that shows how to implement those tests for a website. I didn't expect it would be that simple!

Open Source

• Patrik Svensson (Patrik Svensson) - An interesting way to structure the flow that provides more detailed issues and PR with a clear purpose.

AI

• How to convert code with GitHub Copilot, can AI really help? (Frank Boucher) - A post and video that answers the question: Can AI really help when we are trying to convert code? 
  
  
  

Podcasts

• The Open Source Maintenance Fee with Rob Mensching (.NET Rocks!) - A really cool idea to help maintainers of open source projects.

• Docker Model Runner ( DevOps and Docker Talk: Cloud Native Interviews and Tooling) - I tried the new model feature of Docker and had many questions. All of them were answered during this episode.

• 09. Semantic Kernel to Raspberry Pi: Building Smart AI Solutions - with Jamie Maguire (Betatalks the podcast) - An interesting episode talking about AI and low-powered devices; is it possible?

• Michael Washington: The Nature Of Data - Episode 353 (Azure & DevOps Podcast) - Interesting discussion about data, and a bit more about a really cool project, Michael's Data warehouse, because sometimes we need something that runs locally.

• The Extraordinary Magic of Ordinary People with author Brad Meltzer (A Bit of Optimism) - A motivating episode for ordinary people. Fail and fail fast, learn and repeat!

• Neverending support for open source with Hayden Barnes (Hanselminutes with Scott Hanselman) - Interesting enterprise for open source project maintainers.

~frank

Reading Notes #654

Welcome to another edition of my reading notes! This week, I’ve gathered a selection of insightful articles and resources covering topics like AI, cloud security, open source, and developer productivity. Whether you’re interested in best practices, new tools, or thought-provoking perspectives, there’s something here for everyone. 

Dive in and enjoy the highlights!

Suggestion of the week

• Copilot, The Good Parts: Efficiency (Rob Conery) - I love that post, it's so true! There are good and bad ways to use any tools. And I personally would really like seeing Rob build his stuff. Let's him know If you think like me.

Programming

• Zero-Trust Architecture for Cloud-Based AI Systems (Goodness Woke) - This is a perfect article to get started on zero trust architecture, its complete details and very interesting

• Fantastic Alert Messages Using SweetAlert (Héctor Pérez ) - A great component to manage our alerts in C# instead of having JavaScript. That makes code easier to test when all is in the same language.

• You DON’T Need Microservices for Serverless! (Derek Comartin) - A great post that explained the difference between cold coupling and monolithics versus microservices great post.

Open Source

• How to convince your boss to sponsor Open Web Docs (Patrick Brosset) - Open source is important! And to contribute, it doesn't have to be code. Nice post that shares ideas and explains a few things about OSS.

Databases

• What’s New in MSSQL Extension for VS Code v1.33 ( Carlos Robles) - It's great to have such a nice tool as an extension. I wish it would support more databases.

Miscellaneous

• Local code review with Docker and smollm2 before pushing to git (Gerardo Lopez) - This is a great idea! Definitely a good way to avoid the light of shame and be able to quickly validate that your code looks okay. It's also a great way to experiment free hook.

~frank

Reading Notes #653

Welcome to Reading Notes #653 another packed edition of insights, tools, and updates from the tech world! This week's roundup dives into legendary engineering wisdom, AI controversies, and the latest innovations in Docker, Azure, and VS Code. Whether you're exploring MCP, refining your scripting skills, or gearing up for the newest Azure Developer CLI release, there's something here for every developer.

Let’s get into it!

Cloud

• Azure Developer CLI (azd) - June 2025 (Kristen Womack) - Love that tool, great updates, so many new features and improvements in this version, very looking forward to try all of them, turning them all

AI

• Publishing AI models to Docker Hub (Kevin Wittek) - Running model locally is a lot of people are looking forward to it, so this is good news can't wait to try it

• Build Agents using Model Context Protocol on Azure - MCP is still a thing and can definitely be used in your app, and helps your agents. Learn more about how to get started in the doc.

• The Complete MCP Experience: Full Specification Support in VS Code (Harald Kirschner, Connor Peet, Tyler Leonhardt) - Sweet, looking forward to try it with the URL shortener mCP server that I created but notification scaling everything is looking very exciting

• How to Build, Run, and Package AI Models Locally with Docker Model Runner (Vladimir Mikhalev) - Nice new model feature integrated within docker..

• AI Toolkit for VS Code June Update (junjieli) - Nice update to a great extension, learn more about it

• What humans and Github Co-Pilot have in common (John Hilton) - This controversial tool, is it good or bad? I like the way the author of this post answers that question.

Programming

• Run C# Scripts With dotnet run app.cs (No Project Files Needed) (Milan Jovanović) - Really cool and light way to use C#. Nice post with real scenarios.

Miscellaneous

• Why Legendary Engineers Build Systems, Not Just Code (Peter Smulovics) - So true! It's all a question of time, but maybe not where (or when) you think.

~frank

Reading Notes #652

This week, we explore a variety of topics, from database containerization and AI security risks to the evolving landscape of gaming devices and cloud technologies. We also explore the shift towards security-first development and the integration of .NET Aspire with SQL Server for integration testing.

Let's dive in!

Suggestion of the week

• GitHub MCP Exploited: Accessing private repositories via MCP (Marco Milanta, Luca Beurer-Kellner) - AI tools are very powerful but also pretty new in our lives. It's important to stay up to date and understand the risks. Not scared, but to see the potential flaws and how to avoid them.

Cloud

• Azure Container Apps vs AKS: Which Is Right for Your Enterprise Application? (Chris Pietschmann) - This post answers a common question about those two services.

Programming

• Beyond DevSecOps: The Rise of Security-First Development (Industry Perspectives) - DevSecOps was a wake-up call, and we need to build our app security first. That seems to make sense, right? Have a read of this post to dig deeper into this idea and understand its foundation

• .NET Aspire dev-time orchestration for SQL Server integration tests (Ian Griffiths) - First post of a series about the spire and database, this one just set the initial setup. Stay tuned for more

Databases

• Running a MySQL database in a Docker Container (Mercy Bassey) - Running databases in a container is a real game changer for developers.

Miscellaneous

• SteamOS puts the pressure on Microsoft’s Xbox-branded handheld (Tom Warren) - Gaming devices are in a completely different world, and, normally, all OS need to adapt. A fascinating post about steamOS and the future of Windows in that scope

~frank

Reading Notes #651

Welcome to another edition of my reading notes! This week brings some fascinating insights into AI's real-world impact, exciting developments in .NET and containerization, plus practical tools for improving our development workflows. 

From local AI-powered code reviews to Docker security hardening and the upcoming .NET 10 features, there's plenty to explore.

 

AI

• The promise that wasn’t kept (Salma Alam Maylor) - Interesting thoughts about AI and its impact on our work but also on our life, and the planet.

• Local code review with Docker and smollm2 before pushing to git (Gerardo Lopez) - This is a really cool idea! I'll have to try it.

Programming

• Converting a docker-compose file to .NET Aspire (Andrew Lock) - Cool experiment. I must say I did the same thing, and I encourage you to do it too!

• Inside GitHub: How we hardened our SAML implementation (Greg Ose, Taylor Reis) - Very interesting post that pushes the curtain a little bit so we could see behind the scene how this very used but notification system works and has been updated

• Announcing dotnet run app.cs - A simpler way to start with C# and .NET 10 - .NET Blog (Damian Edwards) - That's a really cool new feature (that we can test in C# preview), It will be so useful in automation!

Cloud

• Introducing Docker Hardened Images: Secure, Minimal, and Ready for Production (Michael Donovan, Nikhil Kaul) - Security is the concern of everyone. I like this idea of like more secure but still flexible container images. Have a look and see for yourself

• Podman vs. Docker: Containerization Tools Comparison (James Walker) - A nice post that explains the difference at a high level. This isn't a command-to-command comparison, but more scenarios and performance.

Miscellaneous

• Enhance productivity with AI + Remote Dev (Brigit Murtaugh, Christof Marti, Josh Spicer, Olivia Guzzardo McVicker) - I love the dev container environments, they are so useful! And I also use the remote one when I'm not on my dev device so easy. Happy to see that Copilot will be right there with me.

~frank

Reading Notes #650

It's time for another edition of Reading Notes! This week brings exciting developments in the open source world, with major announcements from Microsoft making WSL and VS Code's AI features open source. We've also got updates on Azure Container Apps, .NET Aspire, and some great insights on developer productivity tools.

 

Let's dive into these interesting reads that caught my attention this week.

Cloud

• Happy 5th Birthday Bicep! (Sam Cogan) - What?! Five years already! That's incredible, I remember all the discussion about how we make our business better and honestly, bicep is a big success. Congrats to the team

• Have I Been Pwned 2.0 is Now Live! (Troy Hunt) - New look, new merch, and confetti, all without API breaking changes! Learn all about this major update in this post.

• Announcing Workflow in Azure Container Apps with the Durable task scheduler – Now in Preview! (greenie) - Exciting news about a new service. It looks solid and perfect for integration scenarios. Looking forward to experimenting with it.

Programming

• Pushing a whole stack of branches with a single Git command (Andrew Lock) - I'm always amazed to learn how people use git. This post shares a very smart way to push clear feature in multiple branches

• What's new in .NET Aspire 9.3 (David Pine) - Wow! How so many great new features can be added in a single version?! Aspire is a must for all .NET developers.

• Accelerate Your .NET Upgrades with GitHub Copilot (McKenna Barlow) - That's the tool I've been waiting for ages! Adding a Copilot to the extension is the smartest move they could make. I'm going to update an app right away. I'll share more later

Open Source

• Edit is now open source (Christopher Nguyen) - That's a great news! I installed it half through the post and it great! Fast, simple, and tiny!! Love it!

• The Windows Subsystem for Linux is now open source (Pierre Boulay) - And another project that turns out to be open source, I love it, it's just fantasti,c read all the details and dispose

• VS Code: Open Source AI Editor (VS Code team) - I strongly believe in open source. Very happy to see this change!

AI

• Agent mode for every developer (Katie Savage) - Great new for everyone as the agent mode become available in so many different editor. This post also contains videos to shows some scenarios.

Podcasts

• Reimagining the Windows Terminal with Warp's Zach Lloyd (Scott Hanselman) - A very interesting talk with the CEO of Warp that answers so many questions I had about this very different terminal. Really interesting episode, and terminal too BTW)

• The power of empathy in leadership with Jerry Colonna (Macmillan Holdings, LLC) - This very interesting episode is about the power of empathy in leadership.

• 362. Maximal Fitness with Minimum Time with Ben Greenfield (Part 1) (Greg McKeown) - Interesting conversation with a triathlete about different ways to train and nutrition

Miscellaneous

• The experience is enough (Salma Alam-Naylor) - Whether we like it or not, we are people creature. We all need to stop hiding behind our screens and get out there!

~frank

Reading Notes #647

This post is a collection of my latest reading notes, highlighting interesting articles and resources on AI, programming, databases, and more. Each link includes a brief summary of what I found valuable or noteworthy.

AI

• Getting Started with Azure MCP Server: A Guide for Developers (Lee Stott) - Quick post about this new feature.

• Protecting against indirect prompt injection attacks in MCP (Sarah , Den) - Security must be in our list of priorities in all types of projects. This post explains how we can secure them.

• How to build and deliver an MCP server for production (Colin McNeil) - That makes sense doctor is known to encapsulate and simplify the portability of application

Programming

• Set the default file encoding - Visual Studio Blog (Mark Downie) - Nice tip! As a developer who works daily on different operating systems, I know to well this issue.

• 4 real-life examples of using reflection in C# ( Ali Hamza Ansari) - Very interesting and useful post that go over 4 scenarios

• Microsoft Extends SLNX Solution File Support in .NET CLI - InfoQ - Have you tried yet the new format? It's still on my to-do list.

Databases

• DuckDB in Depth: How It Works and What Makes It Fast (Barry Smart) - This is a very interesting post that explains a little bit more how a vectoral database works and why it's so performant with documents

Miscellaneous

• Help yourself to thrive (Salma) - The human body is an extraordinary machine, extremely strong and conciliant, but it also requires a fine turning. Great post, we must learn from it.

Sharing my Reading Notes is a habit I started a long time ago, where I share a list of all the articles, blog posts, and books that catch my interest during the week. 

If you have interesting content, share it!

~Frank

Reading Notes #646

Welcome to this week's collection of fascinating reads across cloud computing, AI, and programming! As technology continues to evolve at breakneck speed, I've gathered some of the most insightful articles that caught my attention. From securing MCP servers to exploring Rust, there's something here for every tech enthusiast. 

Dive in and discover what's new in our rapidly changing digital landscape.

Cloud

• Azure API Management Your Auth Gateway For MCP Servers | Microsoft Community Hub (PranamiJ) - Why all the fuss about MCP, we must not forget security. This post suggests a simple solution.

AI

• How Azure Copilot Helped Me Quickly Troubleshoot a Demo (David Giard) - That's a good example of how AI can help you not do the job for yourself but avoid mistakes and do it faster.

• Secure Remote MCP Servers With Entra ID And Azure API Management (Den Delimarsky) - Nice solution in Python to secure your MCP servers

Programming

• When ASP.NET Core Identity Is No Longer Enough (Andrea Chiarelli) - Authentication and authorization have an important place in our Apps. This post shares details about how things work and the different processes.

• New Docker Extension for Visual Studio Code (Remy Suen) - This extension was already a must, they made it better, it's a must must! But seriously give it a try and try it by yourself.

• From C# to Rust: A 42-Day Developer Challenge (Chris Woodruff) - Cool tease of an experiment that promises a lot of learning.

• How to Programmatically Create MS Word DOCX Documents with .NET C# on Linux (Bjoern Meyer) - Cool package that helps create Word documents. Perfect when running in a Linux container.

• Preview 2 of the .NET AI Template Now Available (Jordan Matthiesen) - New templates with AI, Qadran and Aspire, oh boy life is good!

Sharing my Reading Notes is a habit I started a long time ago, where I share a list of all the articles, blog posts, and books that catch my interest during the week. 

If you have interesting content, share it!

~Frank

Reading Notes #645

Welcome to this week's reading notes! I've found some great articles that caught my eye - from security tips for MCP servers to exciting updates in Rust and AI. Whether you're into cloud services, programming tools, or wondering about the future of coding with AI, there's something here for you.

Let's dive in!

 

Programming

• The Aspire Compiler (David Fowler) - I really appreciate Aspire. It's one of the tools that completely changed my experience as a developer. Learning more about it is, without a doubt, interesting.

• Verifying tricky git rebases with git range-diff (Andrew Lock) - Is it possible to really master Git? There is always something new to learn. Nice post going deep.

• Azure SDK for Rust Goes Beta (Nikos Vaggalis ) - Great news for the Rust developer, this is an important milestone.

AI

• Calling MCP Servers in C# with Microsoft.Extensions.AI (Mark Heath) - Many options, new tools, fresh possibilities, it's only missing our ideas.

• If LLMs Can Code, Why Are We Building More IDEs? (Mark Downie) - That's an excellent question, and I agree with Mark.

• Understanding and mitigating security risks in MCP implementations (Sarah Young) - The MCP servers are opening many opportunities, and it's important to know the risk. This post is a must.

• Build MCP Remote Servers with Azure Functions (Matt Soucoup) - A quick post that shows how a serverless MCP server can be hosted Azure and be secure; all code included.

Sharing my Reading Notes is a habit I started a long time ago, where I share a list of all the articles, blog posts, and books that catch my interest during the week. 

If you have interesting content, share it!

~Frank

Reading Notes #639

Welcome to Reading Notes #639, a curated selection of intriguing articles across programming, AI, cloud computing, and more. Dive into new productivity features in Visual Studio, the latest front-end development trends, .NET AI evaluations, and essential learning techniques. 

Grab your coffee and enjoy the read!

Cloud

• Some observations while writing my first Azure Function (Tim Deschryver) - I really like those types of posts where we follow the journey of the author going through learning or completing tasks.

Programming

• Great new productivity features in Visual Studio - Visual Studio Blog (Mads Kristensen) - Wow, there are so many cool features! I personally love the new line wrap and horizontal scroll bar—little details that make a big difference.

• Is this the next step in the evolution of front end dev? (Salma Alam-Naylor) - I never used those frameworks, but I'm curious now and will have to try.

• What are Custom Integrations in .NET Aspire? (Kalle Marjokorpi) - This second post in a series shows how to configure the identity server name Curity. It's implemented in a .NET Aspire solution and looks very well structured.

AI

• Unlock new possibilities for AI Evaluations for .NET - .NET Blog (Wendy Breiding (SHE/HER)) - That looks like a cool plugin for Azure DevOps Pipeline

• Announcing new models, customization tools, and enterprise agent upgrades in Azure AI Foundry | Microsoft Azure Blog (Asha Sharma) - So many models and plenty of new features, that's a great update!

Miscellaneous

• 5 Learning techniques you should know (Marco Siccardi) - Learning how to learn is a concept that in underrated. This post shares 5 accessible tips with big impact.

Sharing my Reading Notes is a habit I started a long time ago, where I share a list of all the articles, blog posts, and books that catch my interest during the week. 

If you have interesting content, share it! 

~frank

Reading Notes #635

This week Reading Notes, covers various topics in programming and databases. Discover the latest ASP.NET Core release, the importance of clear error messages, and coding with voice commands. Learn about new features in Azure EasyAuth and Microsoft Entra Authentication for Azure PostgreSQL. We also bid farewell to Azure Data Studio as it moves to VS Code extensions.

 
Let's get started!

Programming

• ASP.NET Core on .NET Framework servicing release advisory: ASP.NET Core 2.3 (Daniel Roth) - Learn more about this new release.

• The Importance of Good Error Messages (jdanton1) - I cannot agree more with the idea! How many of us have lost hours trying to figure out what was the error because the description wasn't clear!

• From pain to productivity: How I learned to code with my voice (Salma) - I watched a few of Salma's streams where she was struggling with those tools. This post shares the entire story, the different tools, and her progress.

• Giving Granular Controls to Azure EasyAuth | Microsoft Community Hub ( Justin Yoo) - EasyAuth is like the name suggests pretty simple to setup and use, but also more minimalist than other solutions. This OSS package changes everything making it more versatile.

Databases

• Microsoft Entra Authentication for Azure PostgreSQL (Arun S) - Learn how ease security enforcement (ex: password rotation) by centralizing the account with Entra.

• Azure Data Studio Retirement | Microsoft Community Hub (carlosrobles) - I used in love Azure Data Studio and I'm a little bit sad to see it go away but I think it's for the best since all the functionality will be now available in vs code extension

Miscellaneous

• A case for getting dressed every day (Salma) - I agree one hundred percent with her it's so true.

Sharing my Reading Notes is a habit I started a long time ago, where I share a list of all the articles, blog posts, and books that catch my interest during the week. 

 If you have interesting content, share

 ~frank

Reading Notes #634

Each week, I read a myriad of topics that pique my curiosity and spark new ideas. From AI advancements and low-code solutions to tutorials on enhancing accessibility and performing database operations in .NET MAUI, this week's reading notes offer an eclectic mix of insights and practical knowledge. 

Dive in and explore the fascinating links that kept me captivated over the past few days! 

AI

• AI mistakes are very different from human mistakes (Mark Downie) - Very interesting thoughts. Looking forward to seeing how we adapt and integrate new security practices to avoid those new potential mistakes

• How To Extract Data From Web Page Using Power Automate (Matthew Devaney) - Cool project leveraging low-code and AI.

Programming

• Easily Bind SQLite Database and Perform CRUD Actions in .NET MAUI DataGrid (Jayaleshwari N) - A detailed tutorial with all the required code to do it. Super clear.

• How to build a copy code snippet button and why it matters (Salma Alam-Naylor) - Follow this developer as Salma builds a nice Copy button to improve the accessibility of blog. Really good idea!

Miscellaneous

• Using Tools (Safely) with LLMs (Mark Heath) - This is a nice C# tutorial that explains how to extend the capabilities of your AI without compromising security.

Sharing my Reading Notes is a habit I started a long time ago, where I share a list of all the articles, blog posts, and books that catch my interest during the week.

If you have interesting content, share 

~frank

Reading Notes #633

This edition of Readings Notes covers the synergies between C# and Rust, open-source software licensing challenges, and securing the software supply chain. It also feature a beginner’s guide to programming C# in Visual Studio Code. Finally, we delve into the evaluation process of AI models for GitHub Copilot. 

Enjoy the read!

Programming

• Why Every C# Developer Should Explore Rust (Chris Woodruff) - Even though I heard of Rust I don't think I ever wrote a single line. This post gives a brief list of ideas where we could make a combo c#-rust, and where to get started. Hmmm.

• .NET OSS Projects: Better to Re-license or Die? (Aaron Stannard) - What are the options when a free OSS project changes its license? Nice post that provides an overview of a recent change like this.

• Protecting the Software Supply Chain: The Art of Continuous Improvement (Melissa Sussmann) - This post lists the tools available to help us keeping our app secured and clean.

• How to Program C# in Visual Studio Code (Claudio Bernasconi) - It cost nothing and it is simple to start coding in C#, from .NET as this tutorial shows.

Miscellaneous

• How we evaluate AI models and LLMs for GitHub Copilot (Connor Adams, Klint Finley) - This is an interesting post that shares the methods used to test the different models before they can be included. Testing a model is different than testing a regular piece of code, what are they looking for, and what's important?

Sharing my Reading Notes is a habit I started a long time ago, where I share a list of all the articles, blog posts, and books that catch my interest during the week.

If you have interesting content, share 

~frank

Reading Notes #629

This edition of ReadingNotes covers new AI tools, WSL updates, .NET 9 features, and debugging tips with GitHub Copilot. Plus, insightful podcasts on .NET Aspire, productivity tools, and frontend engineering. 

Happy reading and listening!

Programming

• Dramatically faster package restores with .NET 9's new NuGet resolver - .NET Blog (Jeff Kluge) - A major operation to make our experience better. This post shares how I was done.

• Blazor WebAssembly debugging with Visual Studio (Mark Downie) - Marvelous! New and improved! Who wouldn't be happy about that?

• Using Dependabot to Manage .NET SDK Updates - .NET Blog (Jamie Magee) - Dependabot is one of those tools that when you start using it you wonder how you were doing it before. The new update now supports the SDK, lovely.

AI

• Evaluate the quality of your AI applications with ease - .NET Blog (Wendy Breiding) - Interesting new tools. Add 3 packages to your project and a few lines of code to get started.

• Transform your debugging experience with GitHub Copilot - Visual Studio Blog (Wendy Breiding) - An interesting new tool in Visual Studio where Copilot, our AI pair programmer, can join us to help while debugging.

Podcasts

• David Fowler: Architecture of .NET Aspire - Episode 322 (Azure & DevOps Podcast) - .NET Aspire described from the inside. Learn more about what it is, and what planned for it.

• 95. From Dev Containers to OpenTelemetry: Mastering .NET Productivity - with Alex Thissen (Betatalks the podcast) - There are so many great tools that so many of us don't know yet are effraid to start using. Learn a bit more about them in this episode.

• 96. The Evolving Craft of Frontend Engineering: Balancing Complexity and Simplicity - with Stefan Judis (Betatalks the podcast) - The web frontend is not the same as a few years ago. There are many frameworks and eengineers are trying to make them structured but also performant and light.

Miscellaneous

• What’s new in the Windows Subsystem for Linux in November 2024 (Craig Loewen) - The RedHat distro joins the possibly in WSL, an improved administration and security.

Sharing my Reading Notes is a habit I started a long time ago, where I share a list of all the articles, blog posts, and books that catch my interest during the week.

If you have interesting content, share 

Reading Notes #616

It's reading notes time! It is a habit I started a long time ago, where I share a list of all the articles, blog posts, and books that catch my interest during the week.

 

You also read something you liked? Share it!

 

Cloud

• Static Sites on Azure Storage vs Azure Static Web Apps (John Kilmister) - Yes both options are available.Do you know the differences?

Programming

• Easier to fix async exceptions (Mark Downie) - Debugging Asynchronous code as been always more complicated, looking forward to seeing (and using) that new capability in .NET 9.

• Simplify development with Dev Container templates for Azure SQL Database (Carlos Robles) - I love that! Instead or having multiple containers (database, dev environment) we can now have only one. No special configuration, faster into the code.

• The 3 Most Common Security Mistakes Developers Make () - This is an interesting post that shares popular mistakes yes but also some better practices accessible to all.

• How to make your web page faster before it even loads (Salma Alam-Naylor) - To make sure our users have he best experience possible it important to fine-tune some little details. This post goes deep and explains them very well.

Miscellaneous

• How to save your online writing from disappearing forever ( Barbara Krasnoff) - A series of online tools that could keep copies of the blog post you put online.

~ Frank

Reading Notes #611

Welcome to this week’s edition of Reading Notes! In this roundup, we explore a variety of topics across cloud, programming, databases, and AI. From understanding Docker’s USER instruction to styling Blazor components with CSS, I’ve got you covered. Let’s dive in!

Suggestion of the week

• Understanding the Docker USER Instruction (Jay Schmidt) - A great post to that explains really clearly the basic usage of user when building our container. After reading this post you should feel confident to follow this best practices.

Cloud

• Azure Static Web Apps–SWA CLI behind the scenes (Bart Wullems) - Cool post to that quickly explains how the CLIworks and a few different tools.

Programming

• Blazor Basics: Styling Blazor Components with CSS (Claudio Bernasconi) - That will solve an issue I was having... Blazor for the win!

• Is Your ASP.NET Core Application Running In A Container? (Adam Storr) - Very neat tip to know when the App is or not in a container.

• Setting up NGINX load balancer for .NET WebApi (Oskar Dudycz) - Very well done tutorial to set a reverse proxy.

Databases

• Automating SQL Deployments using GitHub Actions - Part 2 (Eduardo Pivaral) - That's pretty neat. Of course, there is a SQL option but I never thought about it. Excellent idea to keep everything in one place with versions.

AI

• Updated Documentation for Semantic Kernel (Sophia Lagerkrans-Pandey) - Nice update in the documentation, new content new look.

~frank

Reading Notes #610

Happy Canada Day!
It's reading notes time! It is a habit I started a long time ago, where I share a list of all the articles, blog posts, and books that catch my interest during the week.

You also read something you liked? Share it!

Cloud

• Is .NET Aspire NuGet for Cloud Service Dependencies? (Phil Haack) - I like the comparison with NuGet. Using .NET Aspire in a project does indeed simplify a lot things. I'll be waiting for that follow up post.

Programming

• Dev Home Preview v0.15 Release (Kayla Cinnamon) - Cools news updates in Dev home.

• Announcing TypeScript 5.5 - TypeScript (Daniel Rosenwasser) - Really good news for the JavaScript developers. This post shares all the new features like ECMAScript, Set Methods support, and the performance improvement included in this release candidate of Typescript.

• Refactor your code with default lambda parameters - .NET Blog (David Pine) - A really good post, last of a series of four about new features of C# 12. I really like that new way to declare defaults I think it's much clearer.

• Blazor Basics: Dealing with Complex State Scenarios (Claudio Bernasconi) - Interesting package Fluxor that help managing states. The post also explains different pros and cons of methods to maintain states.

Databases

• What is SQL Injection in Cybersecurity? How to Prevent SQLi Attacks (Jen Swisher) - This post explains what are SQL injections and how they could affect our website. When I shares how to prevent those attack the post focuses on CMS like WordPress.

AI

• Mistral Introduces AI Code Generation Model Codestral (Daniel Dominguez) - On nice! A new model that specializes into code, and many languages on top of that.

~frank

Reading Notes #607

It's reading notes time! It is a habit I started a long time ago, where I share a list of all the articles, blog posts, and books that catch my interest during the week. 

You also read something you liked? Share it!

Cloud

• Azure PostgreSQL, Entra ID Authentication and .NET | LINQ to Fail (Aaron Powell) - Great post! Of course using some identity provider is more complicated then a strait password, but it's way simpler that we may though.

• Bringing the Aspire dashboard to ACA (Mark Downie) - One of the great tool that was released with Aspire is its dashboard as it shows traces across services. This post shares how to enable this amazing tool in Azure.

• Microsoft Entra ID Tenant Starters Guide: Understanding Identity Management and Licensing (Gregor Wohlfarter) - Nice post to have an overview of this important piece of security.

Programming

• Refactor your code using alias any type - .NET Blog (David Pine) - Excellent series to learn more about recently to feature of C#.

• Blazor Basics: Child Routes & Optional Route Parameters (Claudio Bernasconi) - You know your route 101 and would like to learn more, this post is for you.

Databases

• A beginner's guide to mapping arrays in EF Core 8 - .NET Blog (Arthur Vickers) - An interesting post to that depending if your database supported features explains how EF Core could works and use arrays.

Podcasts

• The Definition of Success with author Neil Strauss (A Bit of Optimism) - For a conversation to be constructive and to learn from it not all participant needs to agree. Nice episode about success.

• 81. From APIs to natural language: The democratization of AI - with Henk Boelman (Betatalks the podcast) - Nice to listen to a colleague. Henk definitely knows the very well the topic and how to explains it clearly.

• Motivated by play (Friends) (The Changelog: Software Development, Open Source) - What a journey! Interesting episode, inspiring.

• Brady Gaster: .NET Cloud Native - Episode 295 (Azure DevOps Podcast) - Aspire, aspire, aspire, you will learn all about Aspire in this episode.

~frank

It turns out, it's not difficult to remove all passwords from our Docker Compose files

I used to hardcode my password in my demos and code samples. I know it's not a good practice, but it's just for demo purposes, it cannot be that dramatic, right? I know there are proper ways to manage sensitive information, but this is only temporary! And it must be complicated to remove all the passwords from a deployment... It turns out, IT IS NOT difficult at all, and that will prevent serious threats.

In this post, I will share how to remove all passwords from a docker-compose file using environment variables. It's quick to setup and easy to remember. For production deployment, it's better to use secrets, because environment variables will be visible in logs. That said, for demos and debugging and testing, it's nice to see those values. The code will be available on GitHub. This deployment was used for my talks during Azure Developers .NET Days: Auto-Generate and Host Data API Builder on Azure Static Web Apps and The most minimal API code of all... none

The Before Picture

For this deployment, I used a docker-compose file to deploy an SQL Server in a first container and Data API Builder (DAB) in a second one. When the database container starts, I run a script to create the database tables and populate them.

services:

  dab:
    image: "mcr.microsoft.com/azure-databases/data-api-builder:latest"
    container_name: trekapi
    restart: on-failure
    volumes:
      - "./startrek.json:/App/dab-config.json"
    ports:
      - "5000:5000"
    depends_on:
      - sqlDatabase

  sqlDatabase:
    image: mcr.microsoft.com/mssql/server
    container_name: trekdb
    hostname: sqltrek
    environment:
      ACCEPT_EULA: "Y"
      MSSQL_SA_PASSWORD: "1rootP@ssword"
    ports:
      - "1433:1433"
    volumes:
      - ./startrek.sql:/startrek.sql
    entrypoint:
      - /bin/bash
      - -c
      - |
        /opt/mssql/bin/sqlservr & sleep 30
        /opt/mssql-tools/bin/sqlcmd -U sa -P "1rootP@ssword" -d master -i /startrek.sql
        sleep infinity

As we can see, the password is in clear text twice, in the configuration of the database container and in the parameter for sqlcmd when populating the database. Same thing for the DAB configuration file. Here the data-source node where the password is in clear text in the connection string.

"data-source": {
 	"database-type": "mssql",
	"connection-string": "Server=localhost;Database=trek;User ID=sa;Password=myPassword!;",
	"options": {
		"set-session-context": false
	}
}

First Pass: Environment Variables

The easiest password instance to remove was in the sqlcmd command. When defining the container, an environment variable was used... Why not use it! To refer to an environment variable in a docker-compose file, you use the syntax $$VAR_NAME. I used the name of the environment variable MSSQL_SA_PASSWORD to replace the hardcoded password.

/opt/mssql-tools/bin/sqlcmd -U sa -P $$MSSQL_SA_PASSWORD -d master -i /startrek.sql

Second Pass: .env File

That's great but the value is still hardcoded when we assign the environment variable. Here comes the environment file. They are text files that holds the values in key-value paired style. The file is not committed to the repository, and it's used to store sensitive information. The file is read by the docker-compose and the values are injected. Here is the final docker-compose file:

services:

  dab:
    image: "mcr.microsoft.com/azure-databases/data-api-builder:latest"
    container_name: trekapi
    restart: on-failure
    env_file:
      - .env
    environment:
      MY_CONN_STRING: "Server=host.docker.internal;Initial Catalog=trek;User ID=sa;Password=${SA_PWD};TrustServerCertificate=True"
    volumes:
      - "./startrek.json:/App/dab-config.json"
    ports:
      - "5000:5000"
    depends_on:
      - sqlDatabase

  sqlDatabase:
    image: mcr.microsoft.com/mssql/server
    container_name: trekdb
    hostname: sqltrek
    environment:
      ACCEPT_EULA: "Y"
      MSSQL_SA_PASSWORD: ${SA_PWD}
    env_file:
      - .env
    ports:
      - "1433:1433"
    volumes:
      - ./startrek.sql:/startrek.sql
    entrypoint:
      - /bin/bash
      - -c
      - |
        /opt/mssql/bin/sqlservr & sleep 30
        /opt/mssql-tools/bin/sqlcmd -U sa -P $$MSSQL_SA_PASSWORD -d master -i /startrek.sql
        sleep infinity

Note the env_file directive in the services definition. The file .env is the name of the file used. The ${SA_PWD} tells docker compose to look for SA_PWD in the .env file. Here is what the file looks like:

SA_PWD=This!s@very$trongP@ssw0rd

Conclusion

Simple and quick. There are no reasons to still have the password in clear text in the docker compose files anymore. Even for a quick demo! Of course for a production deployment there are stronger ways to manage sensitive information, but for a demo it's perfect and it's secure.

During Microsoft Build Keynote on day 2, Julia Liuson and John Lambert talked about how trade actors are not only looking for the big fishes, but also looking at simple demos and old pieces of code, looking for passwords, keys and sensitive information.