SCM Best Practices

Do not use self-signed certificates for your SCM

A self-signed certificate requires that users (and consuming systems) reduce their trust in that system by either using special cases (installing the self-signed certificate on every consuming system) or by reducing the strength of the security of the system (skipping SSL verification, etc.).

While users are waiting for the SCM server (e.g GitHub Enterprise, Bitbucket Server, …) to have an SSL certificate issued, they should switch to use ssh based communication with the SCM server. That is done by using an ssh protocol URL to the server, rather than an https protocol URL. For example, instead of: they would use

The ssh protocol is secure and does not require that the customer install a certificate on the SCM Server.

Triggers: Polling must die

Builds Periodically triggers builds as per the schedule (every 10 minutes) even if you haven’t changed anything. Poll SCM will check for changes before triggering any build, if there are changes to the previous version there only build will be triggered.

Builds Periodically is not recommended. Then Poll SCM is not the best practice but Webhooks . Please read the post “polling must die” to have more background context.

The following articles will walk you through WebHooks:

Have more questions? Submit a request


Please sign in to leave a comment.