Tag: Software Supply Chain
Shift Left to the Developer’s Machine: Building Local Git Security Gates
Shift left to the developer's machine. The principle is what matters: Stop secrets before they ship. The tooling is a means to that end. ...
The Silent Risk of AI-Written DevOps Pipelines
These days, when a developer needs a CI/CD pipeline, they don’t always dive into GitHub Actions docs or spin up Jenkins from scratch. Instead, they pull up an AI assistant and type ...
1Password Allies With OpenAI to Secure Codex AI Coding Tool
DevSecOps teams can now manage coding agents as a tenant rather than another vault where secrets might be stored, ensuring credentials are never exposed to an AI agent or LLM as plain ...
Open Source Contribution is About More Than Just Altruism
Passive consumption of open source software creates hidden costs, including $670,000 annually in internal workarounds; however, organizations that shift to upstream contribution report up to 5x returns through improved talent retention and ...
AI-Generated Apps Without DevOps: A Security Disaster Waiting to Happen
A small internal tool was built over a weekend. An engineer used an AI coding assistant to generate most of the backend. A simple interface was added, a few API calls were ...
GitHub Adds 37 New Secret Detectors in March, Extends Scanning to AI Coding Agents
GitHub's March 2026 updates introduce secret scanning for AI agents via MCP, 37 new detectors, and expanded push protection. Learn how to secure AI-generated code ...
The Risk Profile of AI-Driven Development
Analysis arguing that AI-driven code generation accelerates dependency decisions and expands supply-chain risk, requiring shift-left governance, prompt-level controls, automated SBOM/AIBOM visibility, threat-modeling as engineering, and autonomous security to match autonomous development ...
Eclipse Foundation Extends Scope and Reach of Open VSX Registry
The Eclipse Foundation launches a new framework for the Open VSX Registry, enhancing security features and transitioning to a hybrid architecture. With support from AI tool provider Cursor, this initiative aims to ...
AWS CodeBuild Webhook Misconfiguration Exposed Admin Access Risk
AWS fixed webhook filter misconfigurations in CodeBuild that could have allowed unauthorized repository access. No customer impact or malicious code found ...
Codenotary’s Free SBOM Service Tackles the AI Software Supply Chain
Just because AI is writing your code doesn't mean you can stop worrying about software bills of materials. While the quality of AI coding remains open to debate, there's no question that ...
Legit Security AI Tool Uses Threat Feed to Identify Risks to Software Supply Chain
Legit Security this week added a threat feed that DevSecOps teams can use to instantly determine if a newly discovered vulnerability impacts their software supply chain. Built using the Legit VibeGuard tool, ...
Worms in the Supply Chain: Shai-Hulud and the Next DevOps Reckoning
DevOps was supposed to make software delivery faster, safer and more reliable. For the most part, it has. But every so often, something nasty crawls out of the shadows and reminds us ...