#cicd-security

[ follow ]
#github-actions #secret-scanning #software-supply-chain #dependency-management #sbom #build-integrity
DevOps
fromDevOps.com
14 hours ago

CI/CD Supply Chain Security: Hardening Artifacts, Dependencies, and Delivery Pipelines - DevOps.com

CI/CD pipelines are major supply-chain attack surfaces where artifacts, dependencies, and automation create trust boundaries that must be secured at every handoff.
#github-actions
DevOps
fromInfoQ
2 weeks ago

How GitHub Is Securing Agentic Workflows in Modern CI CD Systems

GitHub secures agentic CI/CD workflows using defense-in-depth isolation, constrained permissions and outputs, and audit logging to reduce risks from non-deterministic agents.
fromMedium
8 months ago
DevOps

GitHub Actions as a Secure DevOps Orchestrator: Beyond CI/CD

Use GitHub Actions to automate SBOMs, secret scanning, CodeQL analysis, enforce compliance, and block risky deployments before production.
fromMedium
8 months ago
Information security

GitHub Actions as a Secure DevOps Orchestrator: Beyond CI/CD

GitHub Actions can serve as a security command center to automate SBOM creation, secret scanning, compliance enforcement, and to block risky deployments before production.
Information security
fromtheregister
3 days ago

TanStack weighs invitation-only pull requests after supply chain attack

A GitHub Actions misconfiguration enabled a worm to poison shared cache and extract secrets, prompting TanStack to tighten CI and consider invitation-only PRs.
DevOps
fromInfoQ
2 weeks ago

How GitHub Is Securing Agentic Workflows in Modern CI CD Systems

GitHub secures agentic CI/CD workflows using defense-in-depth isolation, constrained permissions and outputs, and audit logging to reduce risks from non-deterministic agents.
more#github-actions
Information security
fromDevOps.com
6 days ago

Widespread Mini Shai-Hulud Campaign Is a Matter of Trust - DevOps.com

Shai-Hulud attacks evolve into supply-chain playbooks that abuse trusted CI/CD publishing paths and OIDC tokens to deliver malicious packages with valid provenance.
Information security
fromtheregister
6 days ago

OpenAI caught in TanStack npm supply chain chaos after employee devices compromised

Attackers exfiltrated limited internal credentials from two employee devices, prompting OpenAI to rotate signing certificates and require software updates.
Information security
fromSecurityWeek
1 week ago

Build Application Firewalls Aim to Stop the Next Supply Chain Attack

Supply chain attacks repeatedly compromise CI/CD build processes via trusted dependencies, enabling malicious code to enter builds and deliver payloads through automation.
Information security
fromtheregister
1 week ago

Checkmarx tackles another TeamPCP intrusion as Jenkins plugin sabotaged

A modified Checkmarx Jenkins AST plugin was published on the Jenkins Marketplace, and untrusted versions must be replaced with the verified release.
DevOps
fromDevOps.com
2 weeks ago

Beyond the Build: Integrating Security into CI/CD Pipelines - DevOps.com

Embedding security checks into CI/CD pipelines through DevSecOps practices enables early vulnerability detection while maintaining development velocity.
fromTechzine Global
3 months ago

Upwind raises $250 million for cloud security

Upwind focuses on securing public cloud environments with a so-called runtime-first approach. According to the company, traditional security models are increasingly out of step with modern cloud architectures, in which real-time applications and AI workloads play an increasingly important role. The CEO and co-founder argues that security should be based on what is actually happening in a cloud environment, rather than on static assumptions or snapshots.
Information security
Information security
fromThe Hacker News
4 months ago

AWS CodeBuild Misconfiguration Exposed GitHub Repos to Potential Supply Chain Attacks

A CodeBuild misconfiguration (CodeBreach) allowed unauthenticated attackers to hijack AWS-managed GitHub repositories, risking supply-chain and platform-wide compromise across AWS environments.
fromTheregister
4 months ago

A simple CodeBuild flaw put every AWS environment at risk

This vulnerability compromised a core library used in the AWS Console itself - the central nervous system of the cloud,
Information security
fromInfoWorld
4 months ago

From typos to takeovers: Inside the industrialization of npm supply chain attacks

A massive surge in attacks on the npm ecosystem over the past year reveals a stark shift in the software supply‑chain threat landscape. What once amounted to sloppy typosquatting attempts has evolved into coordinated, credential-driven intrusions targeting maintainers, CI pipelines, and the trusted automation that underpins modern development. For security leaders, these aren't niche developer mishaps anymore - they're a direct pathway into production systems, cloud infrastructure, and millions of downstream applications.
Information security
Information security
fromInfoWorld
5 months ago

AI in CI/CD pipelines can be tricked into behaving badly

AI agents in CI/CD pipelines can be manipulated via crafted GitHub issue or pull request text to execute high-privilege commands and disclose secrets.
Information security
fromInfoQ
5 months ago

Trust No One: Securing the Modern Software Supply Chain with Zero Trust

Apply Zero Trust principles to secure software supply chains and CI/CD pipelines by managing dependencies, enforcing controls, and embedding developer-focused security practices.
Information security
fromInfoQ
7 months ago

HashiCorp Warns Traditional Secret Scanning Tools Are Falling Behind

Traditional secret scanning tools fail to prevent secret exposure; prevention-first integration across developer tools, CI/CD pipelines, and incident response is required.
Information security
fromMedium
8 months ago

DevOps Quantum Leap: Emerging Use Cases of Quantum-Safe Cryptography

Integrate post-quantum cryptography into CI/CD pipelines now to protect secrets, keys, and infrastructure from future quantum-computer attacks.
[ Load more ]