All CosmicBytez Labs articles tagged #DevSecOps, across news, security advisories, how-to guides, and projects.
Software supply chain security was already complex. Now that AI coding assistants are writing production code, security teams face new questions about...
AI-assisted code generation has collapsed the time between idea and deployment, but security review cycles have not kept pace. The gap between how fast...
Aggregate, deduplicate, and track security findings from 100+ scanners in a unified dashboard. Build a production-grade vulnerability management pipeline...
The Open Source Sustainability Initiative launches to help enterprises manage and secure aging open source projects, addressing the growing compliance and...
Novee Security researchers have identified a critical exploitable CI/CD workflow pattern dubbed Cordyceps that enables attackers to hijack GitHub Actions...
Security researchers have disclosed a class of exploitable flaws in CI/CD pipeline configurations that allow unauthenticated attackers to take full...
AI agents can access databases, trigger workflows, deploy code, and interact with critical business systems — often with little oversight. Token Security...
TeamPCP's remarkable success attacking open-source software was no accident — it exploited a cultural vulnerability baked into modern development: the...
A leaked GitHub token at Novo Nordisk has exposed a fundamental flaw in how organizations approach secrets management — treating it as a tooling problem...
A practical, step-by-step guide to hardening Docker deployments — from non-root users and read-only filesystems to capability drops, resource limits, and...
OWASP has launched CVE Lite CLI, a free open-source command line tool that scans software projects in seconds to identify packages with known CVE…
DockSec, an OWASP incubator project, combines multiple container security scanners with AI-generated plain-English remediation guidance and exact Dockerfile.
Cybersecurity researchers have uncovered Megalodon, an automated attack campaign that pushed 5,718 malicious commits to over 5,500 GitHub repositories in...
Adversaries are increasingly weaponizing CI/CD pipelines as a living-off-the-land vector — abusing trusted build infrastructure to execute attacks without...
A new class of security tooling called Build Application Firewalls inspects runtime behavior inside software build pipelines rather than just scanning...
The rebuilt Chainguard Factory platform adds deeper security automation designed to continuously reconcile open source artifacts across containers,...
The accidental exposure of Anthropic's Claude Code source code via an npm packaging error is the latest reminder that software supply chains need...
Cisco has suffered a major cyberattack after threat actors leveraged stolen credentials from the recent Trivy supply chain compromise to breach its...
GitGuardian's State of Secrets Sprawl 2026 report found 29 million new hardcoded secrets in public GitHub repositories in 2025 alone — a 34%...
Learn how to use Trivy to scan container images, Dockerfiles, Kubernetes manifests, and Terraform for vulnerabilities and misconfigurations — then...
Deploy and configure HashiCorp Vault to securely store, rotate, and audit secrets across your infrastructure — covering installation, auth methods,...
Step-by-step guide to deploying Falco as a Kubernetes runtime security engine. Covers Helm installation, custom rule authoring, Falcosidekick alerting...
Betterleaks is a new open-source tool that scans directories, files, and git repositories for valid secrets — and validates them against live APIs before...
Deploy HashiCorp Vault to centrally manage secrets, certificates, and dynamic credentials — eliminating hardcoded passwords from your infrastructure with...
Build guardrails around AI-generated code with Claude Code hooks, security-scanning agents, OWASP-aware prompting, and automated secret detection. A...
Pre-deployment checklist for launching new applications into production — security review gates, monitoring setup, rollback procedures, dependency...
Harden your CI/CD pipeline by replacing long-lived secrets with OIDC short-lived tokens, pinning third-party actions to commit SHAs, enforcing...
Learn essential Docker security practices including image scanning, runtime protection, network isolation, and secrets management for production environments.