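Warning: more serious than the Trivy attack. A scan of the top 50K most popular repos on GitHub found 20,265 exposed to similar vulnerabilities. 192,776 CI/CD findings, 590M+ downstream forks affected, and 68% of repos with 50K+ stars vulnerable. tj-actions was the PoC, Trivy is the spread. Vigilant Defense has released Runner Guard, an open-source scanner that finds Actions and glassworm vectors (install: brew). Scanning and fixing immediately is recommended. (Image included)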

https://x.com/vigilance_one/status/2036581210663616729

#cicdsecurity #supplychainsecurity #devsecops #githubactions #opensource

Chris Nyhuis (@vigilance_one) on X

ALERT: If you thought the Trivy attack was bad, 20,265 repos on GitHub have similar vulnerabilities. We scanned the top 50K most-starred repos. 192,776 CI/CD findings. 590M+ downstream forks exposed. The most popular repos are the most vulnerable, 68% vuln rate at 50K+ stars.

X (formerly Twitter)

Wiz Research disclosed CodeBreach, a CI/CD supply-chain risk caused by misconfigured CodeBuild pipelines in select AWS GitHub repositories.

Key takeaways for security teams:
• Misconfiguration, not service vulnerability
• CI credentials in memory remain a high-value target
• Untrusted PRs triggering privileged builds is still a common weakness

AWS remediated the issue, added approval gates, and audited public build environments, but the pattern mirrors recent supply-chain incidents across the industry.

Source: https://www.wiz.io/blog/wiz-research-codebreach-vulnerability-aws-codebuild

How mature is CI/CD threat modeling in your environment today?

Share insights and follow @technadu for objective, technical reporting.

#InfoSec #CICDSecurity #SupplyChain #ThreatModeling #CloudSecurity #TechNadu

⚠️ Threat alert: AI-generated code is overwhelming software supply chains 🤯📦

Three vendors — Endor Labs, Lineaje, and Cycode — are responding with agentic AI tools that move AppSec from detection to autonomous action.

🧠 New capabilities include:
🔹 Reviewing and remediating pull requests with security context
🔹 Explaining vulnerabilities in plain English
🔹 Automatically fixing risks in containers and source code
🔹 Monitoring CI/CD memory for secrets theft
🔹 Mapping risk across entire dev pipelines

💡 What leaders need to consider:
• AI agents must be trained, governed, and secured — like any supply chain actor
• Tools should integrate at the code level, not just report level
• Runtime guardrails, policy engines, and visibility are non-negotiable

We're past “SBOMs only” — software supply chain security is now a full-stack discipline, and agentic AI is driving that shift.

#CyberSecurity #SupplyChainSecurity #AI #DevSecOps #AgenticAI #AppSec #CICDSecurity

https://www.techtarget.com/searchitoperations/news/366623140/Software-supply-chain-security-AI-agents-take-action

Software supply chain security AI agents take action

Three software supply chain security vendors join the AI agent trend that is sweeping tech, as AI-generated code threatens to overwhelm human security pros.

TechTarget

Understanding the GitHub Action Supply Chain Attack

Explore the GitHub Action supply chain attack, its impact, and mitigation strategies for CI/CD environments.

The DefendOps Diaries

Enhancing GitHub Actions Security: Strategies and Insights

Explore strategies to secure GitHub Actions against supply chain attacks with pinning, allow-lists, and secret rotation.

The DefendOps Diaries

Strengthening CI/CD Security: Lessons from the tj-actions Supply Chain Attack

Learn how to secure CI/CD pipelines against supply chain attacks with zero-trust models and verified actions.

The DefendOps Diaries

Hijacking Cloud CI/CD Systems for Fun and Profit

This research details a new technique that can be used by threat actors for supply chain attacks on open-source repositories using GCP, Azure and AWS.

Why is anyone still using #circleci? This latest breach has happened at least once before. With the big cloud vendors all having perfectly serviceable CI/CD tooling on their platforms, and with alternatives like BuildKite, which use your own infrastructure to run the agents, why on earth would you hand over your secrets like this?

https://newsletter.pragmaticengineer.com/p/circlecis-unnoticed-holiday-security

#CyberSecuriy #infosec #cicd #cicdsecurity

CircleCI’s unnoticed holiday security breach

CircleCI customers returned from the holiday break to be told to urgently rotate their secrets, which were probably leaked. What does this leak mean for companies using a CI provider?

The Pragmatic Engineer

Managing Supply Chain Risks in CI/CD Pipelines | Wiz

Software dependency security risks are an important consideration for modern applications and services, many of which use open-source components

wiz.io