security

Most teams have no idea what their CI runners connect to during a build. Packages get installed, scripts run, network calls go out — and none of it is logged. That is a real blind spot. Harden-Runner from StepSecurity is a GitHub Action that monitors and optionally blocks outbound network connections at the runner level, in real time. Think of it as an EDR for your CI pipeline. It caught the axios supply chain attack in real time — any connection to sfrclak....

Claude Code is a powerful local agent. By default it can read most files on your machine. Here is how to lock it down and extend it for your workflow. Block access to credential files Put this in your global Claude settings at ~/.claude/settings.json. Claude will refuse to read any of these paths — even if you accidentally ask it to. { "permissions": { "deny": [ "Read(~/.aws/**)", "Read(~/.config/gcloud/**)", "Read(~/.azure/**)", "Read(~/....

npm min-release-age Use npm ci, not npm install Hardening GitHub Actions Summary In late March 2026, compromised axios builds briefly appeared on the npm registry (for example 1.14.1 and 0.30.4 on affected release lines). Attackers added a malicious dependency and used lifecycle scripts so a npm install could pull down far more than an HTTP client — a pattern we have seen before in registry incidents, not a bug in axios’ normal code....

Click to enlarge GuardDuty screams about a phishing domain. The node looks fine — no malware, no stolen creds. Often the real story is simpler: your app looked up a URL someone pasted in a message, and that hostname is on a threat list. The alert is still “true” (DNS to a bad name happened), but it is not a hacked cluster. The uncomfortable part: if you resolve or fetch any user URL with no checks, you also open the door to SSRF — for example a link to 169....

AWS Certificate Manager (ACM) now supports automated certificate management for Kubernetes workloads through AWS Controllers for Kubernetes (ACK). Previously, using ACM certificates in Kubernetes required manual steps: exporting certificates via API, creating Kubernetes Secrets, and manually updating them at renewal. With ACK, you can define certificates as Kubernetes resources, and the controller automates the complete lifecycle - requesting, exporting, creating Secrets, and auto-updating at renewal. This works for both public certificates (ACM exportable certificates) and private certificates (AWS Private CA), enabling automated certificate management for:...

Managing Terraform state securely is one of those things that seems simple until you’re dealing with hundreds of accounts and thousands of resources. Cloudflare, being their own Customer Zero, had to solve this problem at enterprise scale. The interesting part? They built a custom solution called tfstate-butler - a Go program that acts as an HTTP backend for Terraform state storage. The Security Problem When you’re managing infrastructure at Cloudflare’s scale, a single compromised state file could be catastrophic....