#cicd-security

[ follow ]
#github-actions #secret-scanning #sbom #dependency-management #supply-chain-attack #software-supply-chain
Information security
fromSecurityWeek
2 days ago

Build Application Firewalls Aim to Stop the Next Supply Chain Attack

Supply chain attacks repeatedly compromise CI/CD build processes via trusted dependencies, enabling malicious code to enter builds and deliver payloads through automation.
Information security
fromtheregister
2 days ago

Checkmarx tackles another TeamPCP intrusion as Jenkins plugin sabotaged

A modified Checkmarx Jenkins AST plugin was published on the Jenkins Marketplace, and untrusted versions must be replaced with the verified release.
#github-actions
DevOps
fromInfoQ
5 days ago

How GitHub Is Securing Agentic Workflows in Modern CI CD Systems

GitHub secures agentic CI/CD workflows using defense-in-depth isolation, constrained permissions and outputs, and audit logging to reduce risks from non-deterministic agents.
fromMedium
7 months ago
Information security

GitHub Actions as a Secure DevOps Orchestrator: Beyond CI/CD

GitHub Actions can serve as a security command center to automate SBOM creation, secret scanning, compliance enforcement, and to block risky deployments before production.
fromInfoQ
1 year ago
DevOps

Compromised GitHub Action Highlights Risks in CI/CD Supply Chains

A popular GitHub Action was compromised, exposing critical security weaknesses in the CI/CD pipeline of open-source Actions.
DevOps
fromInfoQ
5 days ago

How GitHub Is Securing Agentic Workflows in Modern CI CD Systems

GitHub secures agentic CI/CD workflows using defense-in-depth isolation, constrained permissions and outputs, and audit logging to reduce risks from non-deterministic agents.
more#github-actions
DevOps
fromDevOps.com
5 days ago

Beyond the Build: Integrating Security into CI/CD Pipelines - DevOps.com

Embedding security checks into CI/CD pipelines through DevSecOps practices enables early vulnerability detection while maintaining development velocity.
fromTechzine Global
3 months ago

Upwind raises $250 million for cloud security

Upwind focuses on securing public cloud environments with a so-called runtime-first approach. According to the company, traditional security models are increasingly out of step with modern cloud architectures, in which real-time applications and AI workloads play an increasingly important role. The CEO and co-founder argues that security should be based on what is actually happening in a cloud environment, rather than on static assumptions or snapshots.
Information security
Information security
fromThe Hacker News
3 months ago

AWS CodeBuild Misconfiguration Exposed GitHub Repos to Potential Supply Chain Attacks

A CodeBuild misconfiguration (CodeBreach) allowed unauthenticated attackers to hijack AWS-managed GitHub repositories, risking supply-chain and platform-wide compromise across AWS environments.
fromTheregister
3 months ago

A simple CodeBuild flaw put every AWS environment at risk

This vulnerability compromised a core library used in the AWS Console itself - the central nervous system of the cloud,
Information security
fromInfoWorld
3 months ago

From typos to takeovers: Inside the industrialization of npm supply chain attacks

A massive surge in attacks on the npm ecosystem over the past year reveals a stark shift in the software supply‑chain threat landscape. What once amounted to sloppy typosquatting attempts has evolved into coordinated, credential-driven intrusions targeting maintainers, CI pipelines, and the trusted automation that underpins modern development. For security leaders, these aren't niche developer mishaps anymore - they're a direct pathway into production systems, cloud infrastructure, and millions of downstream applications.
Information security
Information security
fromInfoWorld
5 months ago

AI in CI/CD pipelines can be tricked into behaving badly

AI agents in CI/CD pipelines can be manipulated via crafted GitHub issue or pull request text to execute high-privilege commands and disclose secrets.
Information security
fromInfoQ
5 months ago

Trust No One: Securing the Modern Software Supply Chain with Zero Trust

Apply Zero Trust principles to secure software supply chains and CI/CD pipelines by managing dependencies, enforcing controls, and embedding developer-focused security practices.
Information security
fromInfoQ
6 months ago

HashiCorp Warns Traditional Secret Scanning Tools Are Falling Behind

Traditional secret scanning tools fail to prevent secret exposure; prevention-first integration across developer tools, CI/CD pipelines, and incident response is required.
Information security
fromMedium
7 months ago

DevOps Quantum Leap: Emerging Use Cases of Quantum-Safe Cryptography

Integrate post-quantum cryptography into CI/CD pipelines now to protect secrets, keys, and infrastructure from future quantum-computer attacks.
[ Load more ]