Posts

Critical Microsoft GitHub Flaw Highlights Dangers to CI/CD Pipelines: Tenable

A critical vulnerability in a popular Microsoft GitHub repository could allow a threat actor to easily exploit its CI/CD infrastructure to run arbitrary code in the repository and gain access to secrets, according to researchers with cybersecurity firm Tenable. In an advisory issued April 21, Rémy Marot, staff research engineer at Tenable, wrote that “by exploiting this vulnerability, an attacker with an unprivileged GitHub account could exfiltrate secrets available to the workflow run and perform unauthorized operations on the target GitHub repository.” The security flaw is easy to exploit and illustrates the growing security risks as CI/CD pipelines play an increasingly central role in the software development field, according to Marot. He found that the Microsoft GitHub repository was using a vulnerable GitHub workflow that allowed any GitHub user to trigger remote code execution (RCE) on the GitHub runner. Through this, the attacker could gain access to a token that l...
Recent posts

DevOps Experience 2026: The DevOps Community Confronts the Agentic AI Race

Agentic AI is rapidly entering DevOps pipelines, platform engineering platforms and cloud-native infrastructure. DevOps Experience 2026 brings the community together to decide which tools matter, how they should be governed and what comes next. The DevOps ecosystem is entering one of its most consequential transitions since the rise of CI/CD. Across the industry, vendors are racing to introduce agentic AI systems designed to automate DevOps workflows. These systems promise to assist with everything from pipeline orchestration and incident response to infrastructure management and security remediation. The promise is compelling: faster delivery, less operational toil and smarter automation. But alongside that promise comes a new set of questions DevOps teams are now actively trying to answer. Which agentic AI tools should we trust in our pipelines? What decisions should those agents actually be allowed to make? How do we monitor and govern systems that can operate autonomousl...

Eclipse Foundation Unfurls Managed VSX Registry Service

The Eclipse Foundation today announced it will make a managed instance of the Open VSX Registry available to industry partners for a fee. Thabang Mashologu, chief marketing officer and head of products at the Eclipse Foundation, said the Open VSX Managed Registry provides an economically sustainable approach to providing access to a registry that is now widely invoked within application development workflows that incorporate tools based on open source VS Code. Initial customers of the Open VSX Managed Registry include Amazon Web Services (AWS), Google, and Cursor, which will continue to incorporate the registry in the services they provide application developers. That approach provides a means to support application development teams using those tools without requiring them to sign up for an additional service provided by the Eclipse Foundation. The registry maintained by the Eclipse Foundation has been consuming significant infrastructure resources as more AI coding to...

Grafana Labs Extends Observability Reach Deeper Into AI

Grafana Labs today at its GrafanaCON 2026 conference revealed it has extended its artificial intelligence (AI) agent to its cloud-based observability platform while at the same time previewing a platform for observing AI applications and an open source framework for evaluating AI agents. At the same time, the company announced it has developed an instance of the OpenTelemetry tools for collecting telemetry data that, in addition to improving support for Kubernetes clusters, can be installed with a single command in Linux environments. Additionally, the company unfurled Grafana 13, an update to the company’s core visualization software that adds pre-built and suggested dashboards that dynamically adapt to different use cases, layout templates, guided onboarding to reduce setup time, improved programmability through a redesigned dashboard schema, an updated application programming interface (API) for managing dashboards at scale, and support for Git-based workflows, team folders, ...

Ten Great DevOps Job Opportunities

DevOps.com is now providing a weekly DevOps jobs report through which opportunities for DevOps professionals will be highlighted as part of an effort to better serve our audience. Our goal in these challenging economic times is to make it just that much easier for DevOps professionals to advance their careers. Of course, the pool of available DevOps talent is still relatively constrained, so when one DevOps professional takes on a new role, it tends to create opportunities for others. The 10 job postings shared this week are selected based on the company looking to hire, the vertical industry segment and naturally, the pay scale being offered. We’re also committed to providing additional insights into the state of the DevOps job market. In the meantime, for your consideration. Dice Johnson & Johnson Santa Clara, California DevOps Engineer $106,000 to $170,200 McKesson Corporation Atlanta, Georgia DevOps Engineer $101,000 to $168,400 Booz Allen Hamilton Huntsville, ...

Can Claude Agents Replace DevOps Teams? A Practical Reality Check

A deployment goes out late at night. Everything seems fine at first. The dashboards are green, there are no alerts, and the release looks clean. A few hours later, the latency starts to increase. Nothing is critical. No alerts go off. By the time users notice, the system is already stressed. In a typical case, someone gets paged, checks the logs, reviews recent changes, and the team starts to connect the dots manually. It works, but it is slow and reactive. Now think of a different setup. The same pattern starts. Instead of waiting for things to break, an AI agent notices something is off. It connects it with a deployment, finds a likely cause, and takes action before users feel the impact. This is where modern DevOps is headed. With the rise of tools like Claude agents, the conversation is shifting from automation to autonomy. The question is no longer if AI can help DevOps. The question is whether it can take over a lot of it. From Defined Pipelines to Adaptive Systems ...

The Open Source Trap: Why Trust Isn’t a Security Strategy

The XZ Utils backdoor was a wake-up call, but the underlying problem it exposed has not gone away. Sophisticated adversaries are playing the long game, spending months or years earning trust within open source projects before introducing malicious code into libraries that sit at the foundation of modern software infrastructure. Mike Vizard and Josh Bressers, VP of security at Anchore, dig into why the software supply chain remains dangerously vulnerable and what the industry is getting wrong in its response. Bressers points out that the vast majority of open source projects are maintained by a single person or a very small group of volunteers. These maintainers are often overworked and under-resourced, managing critical dependencies that thousands of organizations rely on in production. When an attacker targets one of these projects, the maintainer is the entire security perimeter. No amount of scanning or compliance tooling downstream can fully compensate for a compromise that h...