AI coding agents are reshaping software development—but they’re also expanding the attack surface. Researchers uncovered a now-patched vulnerability in Anthropic’s Claude Code GitHub Action that could have enabled prompt injection attacks to expose CI/CD secrets, API keys, and credentials. As AI agents gain autonomy in development workflows, organizations must treat untrusted inputs as hostile…
This article examines how a Carbon-Aware DevOps strategy can help optimize CI/CD pipelines for sustainability by reducing their carbon footprint while also decreasing costs and meeting the increasing demand for innovative, eco-friendly solutions.
As AI speeds up software delivery, the real bottleneck isn’t scanning or CI. It’s how safely and predictably change moves across tools, teams, and companies. Something strange is happening in DevOps right now. AI copilots are writing code, generating tests, triaging incidents, and even summarizing pull requests before a human looks at them. The tooling […]
Open source software developers continue to come under attack, with the latest threat being a custom malware that shares many of the attributes of the notorious Shai-Hulud self-propagating worm but comes with functions that make it more difficult for defenders to detect and to reverse engineer. Dubbed “IronWorm,” the infostealer is built in the Rust […]
The software development tools you choose shape your CI/CD pipeline reliability in ways that only surface months later. Learn what to evaluate before adoption.
These days, when a developer needs a CI/CD pipeline, they don’t always dive into GitHub Actions docs or spin up Jenkins from scratch. Instead, they pull up an AI assistant and type out something like: “Create a deployment pipeline for a containerized application.” Seconds later, the AI spits out a complete workflow. It looks polished. […]
For most of the past decade, the conversation around regression testing tools was fairly stable. The tools got faster, the integrations got smoother, and the underlying approach stayed largely the same: write tests, run them in CI, fix failures. The fundamental model did not change much because the problem did not change much. AI-assisted development […]
The threat group behind the notorious Mini Shai-Hulud worm last month put the complete source code for the malware into a GitHub repository, essentially open sourcing the threat so that other bad actors can create their own variants. GitHub reportedly took down the repository shortly after it appeared, but the damage was already done, with […]
Postman added an artificial intelligence (AI) agent to its portfolio of tools and platforms for building and governing application programming interfaces (APIs) that can autonomously perform tasks ranging from development and documentation to exploration and setting up integrations with continuous integration/continuous deployment (CI/CD) environments. Company CEO Abhinav Asthana said the AI…
CI/CD has become a standard tool in every modern software developers day to day experience. We demand a lot from our CI/CD systems! and our software is all the better for it. But I think a lot of us have a slightly under-principled way of talking and thinking about it. Specifically I want to talk about how we tend to lump two very different types of tasks under the banner of "tests" or sometimes…
Sol Duara, a provider of open source platforms for managing the software development lifecycle (SDLC), has announced its intent to contribute an open source orchestration platform for automating software development workflows to the Continuous Delivery (CD) Foundation. At the core of the Conduit platform from Sol Duara is CDrus Expressions, a framework that turns CDEvents […]
The moment you push your code, deployment fires off on its own. The pipeline kicks in, the tests sail through, and within a few minutes your app is live in production. There is no manual sign-off and no one scanning through the final changes. Everything is running on the decisions of an AI agent plugged […]
By embedding AI-powered guardrails directly into CI/CD pipelines, organizations can detect vulnerabilities earlier, enforce security policies automatically and accelerate secure software delivery.
This is where smart KYC enforcement layers fit in — not a compliance box, but an engineering control that is directly part of DevOps processes.
Modern CI/CD pipelines have become one of the most attractive attack surfaces in enterprise environments. As organizations push for faster releases, broader automation, and greater reuse of third-party components, the software supply chain has quietly expanded beyond the direct control of any single team. Source code is only one small piece of what ultimately runs in […]
DevOps practices have fundamentally changed how software is delivered, operated, and improved. At their heart, DevOps methodologies seek to unify development and operations, enabling teams to ship changes more quickly while maintaining system reliability. The discipline has grown beyond simple CI/CD automation to encompass culture, observability, and intelligent workflows. As organizations scale,…
A survey of 213 IT leaders, conducted by CloudBees, finds that while 93% report they are seeing productivity gains that are driven by increased adoption of artificial intelligence (AI) tools, a full 81% also report they have seen an increase in production issues attributable to AI-generated code. Shared this week at an Agentic DevOps World […]
Faced with the growing volume of submission to its bug bounty program, GitHub is replacing cash bounties with swag rewards for reports with low security impact — and asking researchers to stop submitting reports that are low quality or about things that aren’t its fault.
The cloud-based code repository platform has seen a sharp increase in submissions that don’t demonstrate real security impact…
GitHub has launched a standalone Copilot desktop app in technical preview, moving beyond the IDE to introduce a dedicated cockpit for agentic development. The app enables developers to manage parallel, isolated agent sessions directly from GitHub issues, while introducing "Agent Merge"—a feature that autonomously fixes CI failures and handles code reviews to streamline the entire PR lifecycle.
CI/CD was built around a comforting idea: Software should do tomorrow what it did today, assuming the inputs are the same. That assumption sits underneath a lot of modern DevOps. It is why we have build pipelines, test suites, artifact repositories, deployment gates, rollback strategies, infrastructure-as-code and all the other machinery that turned software delivery […]
Today’s business world operates in a state of constant change. What the customer wants to buy changes quickly, new competitors appear overnight, and cyber threats are changing faster than ever. In this world, the concept of “resilience,” the ability to adapt, to overcome, and to continue to create value for the enterprise despite the changes, […]
The latest series of attacks using the notorious Shai-Hulud worm puts into sharp focus the threats facing software developers and their CI/CD pipelines, an issue that has been raised in recent months as bad actors increasingly turn their attention to DevOps environments. That said, these most recent Shai-Hulud incidents attributed to the TeamPCP group also […]
A deployment starts failing late on a Friday evening. The initial assumption is that something changed in the application release. Teams start checking container images, Terraform plans and recent commits. Nothing looks wrong. A few hours later, someone discovers the actual issue: a deployment token tied to an old automation workflow expired months ago. The […]
BuildKit is the modern build backend for Docker and the OCI ecosystem. It replaces the original Docker builder with a concurrent, cache-aware engine that builds OCI images from Dockerfiles much faster and with finer control.
Key capabilities
A pipeline is the automated sequence of stages a code change passes through on its way from a developer's commit to production. Modern CI/CD pipelines codify build, test, security scan, package, and deploy steps so every change moves through the same checks in the same order.
Typical stages
A feature flag (also called a feature toggle) is a runtime switch that turns a code path on or off without deploying new code. Flags let teams decouple deploy from release, ship dark, run experiments, and roll back broken features without rolling back binaries.
Common kinds of flags
Canary Deployment is a release strategy that routes a small fraction of traffic to a new version first, observes its behaviour against the old version, and gradually expands the new version's share if metrics stay healthy. The name comes from "canary in a coal mine": the small early group surfaces problems before the rest of the population is exposed.
How it works
Blue-Green Deployment is a release strategy that maintains two identical production environments and switches all traffic from one to the other when a new version is ready. The currently live environment is "blue"; the new version is staged in "green"; when green is verified, a single traffic switch makes green live and blue idle (and available as instant rollback).
How it works
Two complete…
ArgoCD is an open-source declarative continuous-delivery tool for Kubernetes that runs inside the cluster and applies manifests from a Git repository. It is the most widely deployed GitOps controller in the Kubernetes ecosystem.
How it works
An Application object in ArgoCD points at a Git repo, a path inside it, and a target cluster and namespace. ArgoCD continuously compares the manifests in…
GitOps is an operational pattern in which the desired state of infrastructure and applications is declared in a Git repository, and an automated controller continuously reconciles the running system toward that state. Git becomes the source of truth; deployments happen by merging pull requests, not by running ad-hoc commands.
Core principles