GitHub Actions Org-Level OIDC for Dependabot and Code Scanning: A Practical Rollout Model
A production rollout playbook for adopting organization-level OIDC in Dependabot and code scanning without breaking developer throughput.
#supply-chain
39 articlesGitHub Actions 2026 Security Lanes: Dependency Locking, Egress Firewalls, and OIDC Claim Design
How to operationalize the new GitHub Actions security direction with policy lanes, staged enforcement, and measurable rollout outcomes.
Secure-by-Default AI Delivery: OIDC, Code Scanning Issue Flows, and Dependency Trust Boundaries
A concrete pipeline design that combines OIDC-based package access, code scanning triage, and supply-chain containment.
GitHub OIDC for Dependabot and Code Scanning: Ending Long-Lived Registry Secrets in CI
A practical migration guide to OIDC-based authentication for private registries used by Dependabot and code scanning, with policy and incident-response patterns.
GitHub OIDC for Dependabot and Code Scanning: Building a Zero-Secret Security Pipeline
How to redesign CI security architecture now that Dependabot and code scanning can use OIDC with private registries at org scale.
From Secret Alerts to Action: Enterprise Remediation with Deployment Context
Using GitHub secret scanning improvements and deployment context metadata to prioritize, route, and close security incidents faster.
Dependabot Alerts + AI Coding Agents: Designing a Governed Remediation Pipeline for Real Repos
How to operationalize GitHub’s new AI-agent assignment for Dependabot alerts with review gates, reproducibility, and measurable risk reduction.
Dependabot + AI Remediation + Nix: Building a Verifiable Vulnerability Response Pipeline
A practical enterprise architecture for combining Dependabot alerts, AI-assisted remediation, and Nix ecosystem support with auditable controls.
Signed Commits for Copilot Cloud Agent: What It Unlocks for Branch Protection
GitHub Copilot cloud agent commit signing enables stronger branch protection and clearer provenance for agent-generated changes.
Leaked Agent Code and Mass Takedowns: A Governance Playbook for Engineering Leaders
Recent large-scale DMCA removals around leaked AI coding tools show why enterprises need repository containment, legal automation, and developer trust practices.
Rising Memory Demand and AI PCs: A Procurement Strategy for 2026 Refresh Cycles
How IT and finance teams should redesign endpoint procurement as memory pricing, local AI workloads, and lifecycle risk converge.
Axios NPM Compromise: An Enterprise Response Blueprint Beyond Emergency Pinning
How to convert package compromise incidents into durable supply-chain controls, from blast-radius mapping to policy-driven dependency workflows.
Axios NPM Compromise Lessons: Transitive Dependency Risk Governance for 2026
A response framework for handling package compromise events with rapid containment, provenance checks, and policy hardening.
When the LLM Gateway Is Compromised: Enterprise Incident Response After LiteLLM-Type Events
A containment and recovery architecture for organizations relying on shared model gateways in production.
GitHub Artifact Attestations: A Practical SLSA Rollout Playbook for Enterprise CI/CD
How to deploy artifact attestations across GitHub Actions with phased policy enforcement, provenance audits, and exception workflows.
LiteLLM Supply Chain Incident: A Response Blueprint for AI Dependency Security
After reports of compromised LiteLLM package versions, here is a practical response model for engineering, security, and platform teams.
GitHub Actions Hardening in 2026: Allowlisting, OIDC, and Incident-Ready Pipelines
A practical security blueprint for CI/CD after recent workflow compromises: action allowlists, ephemeral credentials, and containment drills.
GitHub OIDC Custom Properties + Copilot Agent Controls: Enterprise Governance Pattern for 2026
How to combine new OIDC claims and Copilot repository-access controls to harden CI/CD identity and agent operations without slowing teams down.
LiteLLM Compromise Wake-Up Call: Supply-Chain Response Playbook for AI Dev Stacks
How to respond when a popular AI dependency is compromised, and how to redesign package governance to prevent repeat blast-radius events.
When AI Tooling Gets Hijacked: Supply-Chain Defense for Python LLM Stacks
A response playbook for engineering teams after package compromise incidents in widely used AI infrastructure libraries.
When CI Tags Are Compromised: A GitHub Actions Supply Chain Response Playbook
A concrete incident response model for workflow tag compromise, secret exposure risk, and trust restoration in CI pipelines.
Invisible Code and AI Coding Supply Chains: A Defensive Engineering Playbook
How engineering organizations can defend against hidden-code and package supply-chain abuse in AI-assisted development workflows.
Invisible Code Attacks (GlassWorm) and JavaScript Supply Chain Defense in 2026
A practical defense strategy for npm/GitHub ecosystems against obfuscated Unicode and hidden control-character attacks in package and CI pipelines.
Invisible Code in npm: A Supply Chain Response Playbook for Engineering Teams
Operational guidance for invisible code in npm: a supply chain response playbook for engineering teams in enterprise engineering organizations.
Secret Scanning Pattern Deltas: How to Operationalize Monthly Detector Expansions
Monthly detector updates are now large enough to require an explicit operating model. Here is a practical blueprint for security and platform teams.
AI Coding Agents at Scale: Governance Patterns for Quality, Security, and Legal Exposure
A practical framework for organizations expanding coding-agent usage while managing output quality, security controls, and emerging legal conflicts.
Turn Monthly Secret Scanning Pattern Updates into a Security Operating Model
How to operationalize monthly pattern updates from GitHub Secret Scanning with triage automation, ownership, and measurable response quality.
Turning Monthly Secret Scanning Pattern Updates into a Repeatable Security Control
How to operationalize GitHub secret scanning pattern updates as monthly security deltas with measurable exposure reduction.
Backdoored OSS and Coding Agents: Defense Drills Every Engineering Team Should Run
A practical drill program for testing whether coding-agent workflows can resist malicious open-source suggestions.
Coding Agents Need Open Source Trust Boundaries, Not Blind Speed
Backdoored package incidents show that agent-assisted development requires explicit trust zones, verification gates, and rollback discipline.
Secret Scanning Pattern Updates: Turning Signature Releases into an Operations Loop
How to convert monthly secret scanning pattern updates into measurable exposure reduction and faster response.
From Pattern Updates to Incident Readiness: Operating Secret Scanning as a Continuous Program
A practical operating model for turning monthly secret-scanning pattern updates into measurable risk reduction.
Defending AI Code Review Against Backdoored Dependencies
A pipeline design that prevents AI-assisted coding and review flows from blindly importing malicious open-source patterns.
AI Coding Agents and Supply-Chain Safety: A Playbook After Real-World Close Calls
How to prevent backdoored dependencies and destructive automation behaviors in AI-assisted development workflows.
Dependabot + Pre-commit Hooks: Building a Policy-First Dependency Update Pipeline
How to combine new Dependabot pre-commit support with policy-as-code to reduce noisy update PRs and improve supply-chain confidence.
Backdoored OSS and Agentic Development: A Defensive Operating Model
Practical controls to reduce supply-chain risk when coding agents ingest third-party repositories and snippets.
Prompt Injection Red Teaming for Coding Agents: A Practical Playbook
How engineering teams can test whether coding assistants leak secrets, follow poisoned instructions, or break trust boundaries.
Secure Coding Agent Rollout: Prompt-Injection Controls That Actually Work
A deployment blueprint for protecting secrets, repositories, and review workflows when adopting coding agents at scale.
Prompt Injection and Secret Exposure in Coding Agents: A Practical Defense Playbook
Recent community experiments underscore an urgent reality: agentic coding workflows need explicit secret and context boundaries.