Curated topic

security

Posts tagged with security

GitHub EngineeringMar 26, 2026

What’s coming to our GitHub Actions 2026 security roadmap

Why it matters: CI/CD pipelines are prime targets for supply chain attacks. GitHub's roadmap moves to secure-by-design infrastructure, providing engineers with deterministic dependencies, granular policy controls, and real-time observability to protect sensitive code and credentials.

Introducing workflow-level dependency locking to ensure deterministic, auditable CI/CD runs with cryptographic commit SHA verification.
Transitioning to immutable releases for the Actions ecosystem to prevent malicious code propagation via mutable tags and branches.
Implementing policy-driven execution via GitHub rulesets to centrally manage workflow triggers and allowed event types.
Enhancing credential security with scoped, least-privileged tokens to limit the blast radius of compromised CI environments.
Deploying real-time observability through an optional agent on runners to detect suspicious processes and unauthorized network activity.
Enforcing network boundaries to restrict egress traffic, preventing data exfiltration from CI/CD runners during execution.

#security #sre

Read original

GitHub EngineeringMar 26, 2026

A year of open source vulnerability trends: CVEs, advisories, and malware

Why it matters: This report highlights that while historical vulnerability backlogs are shrinking, new security threats and malware in open source ecosystems are increasing. Engineers must remain vigilant as the volume of new advisories rises, particularly in popular ecosystems like Maven, Go, and npm.

GitHub reviewed 4,101 advisories in 2025, the lowest total since 2021, primarily due to the exhaustion of historical vulnerability backlogs.
Newly reported vulnerabilities actually increased by 19% year-over-year, showing that the rate of new security threats is still rising.
The GitHub Advisory Database now tracks over 24,000 reviewed advisories and has seen a significant surge in malware-related entries.
Maven, Composer, and Go were the most active ecosystems for security advisories in 2025, with Go seeing a 6% increase due to targeted audits.
Malware advisories have reached over 20,000 cumulative entries, highlighting a shift in the threat landscape toward malicious package injections.

#security #data

Read original

Cloudflare BlogMar 26, 2026

A one-line Kubernetes fix that saved 600 hours a year

Why it matters: Default Kubernetes volume management can cause massive downtime for stateful apps with many small files. Understanding fsGroupChangePolicy is crucial for SREs to prevent recursive ownership checks from blocking pod startups and wasting hundreds of engineering hours.

Atlantis restarts were taking 30 minutes due to a large number of files on the Persistent Volume (PV) causing inode exhaustion and slow mounts.
Kubernetes defaults to recursively changing ownership (chgrp -R) of all files in a volume if fsGroup is specified in the securityContext.
For volumes with millions of files, this recursive check becomes a significant bottleneck, leading to context deadline exceeded errors in kubelet.
The issue was diagnosed by analyzing kubelet systemd logs rather than standard pod events, which failed to show the underlying volume mounting delay.
The fix involved setting fsGroupChangePolicy to OnRootMismatch, which only triggers ownership changes if the root directory's permissions don't match.
This one-line configuration change reduced restart times from 30 minutes to under 2 minutes, saving approximately 600 hours of engineering time annually.

#sre #security

Read original

GitHub EngineeringMar 25, 2026

Updates to GitHub Copilot interaction data usage policy

Why it matters: This update changes how developer data is handled for AI training. Engineers using individual tiers must decide whether to contribute their code patterns to improve Copilot's accuracy or opt out to maintain privacy, while enterprise users remain protected by default.

Starting April 24, GitHub will use interaction data from Copilot Free, Pro, and Pro+ users for AI model training.
Copilot Business and Enterprise users are exempt from this policy change and their data will not be used for training.
Users can opt out through their GitHub privacy settings, and all previous opt-out preferences will be honored.
Collected data includes code snippets, context, repository structure, file names, and user feedback on suggestions.
Data may be shared with Microsoft but will not be shared with third-party AI model providers.
The initiative aims to improve model accuracy and security pattern suggestions using real-world developer workflows.

#mlp #data #security

Read original

GitHub EngineeringMar 24, 2026

Building AI-powered GitHub issue triage with the Copilot SDK

Why it matters: The Copilot SDK allows engineers to build custom AI tools for specific workflows. This server-side architecture pattern enables secure, scalable integration of LLMs into mobile and web apps, automating high-toil tasks like issue triage while protecting credentials.

The Copilot SDK requires a Node.js runtime and the Copilot CLI to be installed on the system PATH, necessitating a server-side integration for mobile apps.
The SDK follows a strict lifecycle of start, createSession, sendAndWait, disconnect, and stop; failing to clean up sessions causes resource leaks.
Server-side implementation ensures API tokens remain secure and allows for centralized logging and monitoring of AI requests.
The integration uses JSON-RPC to communicate between the SDK and the local Copilot CLI process.
Effective AI summaries are achieved through structured prompt engineering, feeding the model issue titles, descriptions, and labels for context.
Developers can configure specific models like GPT-4 and must handle permission requests using patterns such as approveAll.

#mobile #mlp #security

Read original

Cloudflare BlogMar 24, 2026

Sandboxing AI agents, 100x faster

Why it matters: This technology enables secure, high-performance execution of AI-generated code. By replacing heavy containers with lightweight V8 isolates, engineers can build responsive, consumer-scale AI agents that operate with minimal latency and significantly lower infrastructure costs.

Cloudflare's Dynamic Worker Loader allows Workers to instantiate new, isolated sandboxes at runtime using AI-generated code.
Built on V8 isolates, these sandboxes start in milliseconds and use minimal memory, performing 100x faster than traditional Linux containers.
The system enables 'Code Mode,' where agents write TypeScript to call APIs directly, reducing token usage by up to 81% compared to standard tool calling.
Dynamic Workers run on the same thread as the parent Worker, ensuring zero-latency execution across Cloudflare's global edge network.
Security is enforced through strict isolation and RPC-based capability sharing, allowing fine-grained control over what the AI-generated code can access.

#mlp #security #dist

Read original

GitHub EngineeringMar 23, 2026

GitHub expands application security coverage with AI‑powered detections

Why it matters: This bridges security gaps in infrastructure-as-code and scripts that traditional static analysis misses. By integrating AI-driven detections and automated fixes into the PR workflow, engineers can resolve vulnerabilities faster and maintain high security standards without leaving their tools.

GitHub is introducing AI-powered security detections to complement CodeQL's deep semantic static analysis.
The new system expands security coverage to ecosystems like Shell/Bash, Dockerfiles, Terraform (HCL), and PHP.
Detections are integrated directly into the pull request workflow, surfacing risks like SQL injection and insecure crypto early.
Copilot Autofix provides review-ready remediation suggestions, reducing average resolution time from 1.29 hours to 0.66 hours.
Internal testing across 170,000 findings resulted in over 80% positive developer feedback.
The hybrid detection model is part of GitHub's agentic platform, aiming to evolve toward deeper AI-augmented analysis.

#security #mlp #sre

Read original

Cloudflare BlogMar 23, 2026

Inside Gen 13: how we built our most powerful server yet

Why it matters: Cloudflare's Gen 13 hardware shows how software shifts, like the Rust-based FL2, enable radical hardware optimizations. By reducing cache dependency, they achieved 2x throughput and 50% better power efficiency, which is critical for scaling global edge networks sustainably.

Gen 13 features the 192-core AMD EPYC Turin 9965 processor, doubling the core count and hardware threads compared to the previous generation.
The hardware refresh leverages Cloudflare's FL2 Rust-based rewrite, which reduces L3 cache dependency and allows for linear scaling with higher core counts.
Memory capacity doubled to 768GB of DDR5-6400 across 12 channels, significantly increasing bandwidth for memory-intensive edge workloads.
Networking throughput increased 4x via dual 100 GbE ports, utilizing Intel E830 or NVIDIA Mellanox ConnectX-6 Dx adapters.
The design achieves a 50% improvement in performance-per-watt and 60% higher throughput per rack while maintaining constant power budgets.
Security is bolstered with new PCIe encryption hardware support and a DC-SCM 2.0-based Hardware Root of Trust (HRoT).

#dist #finops #security

Read original

Pinterest EngineeringMar 19, 2026

Building an MCP Ecosystem at Pinterest

Why it matters: This architecture demonstrates how to scale AI agent capabilities securely in an enterprise environment. By standardizing tool access via MCP and a central registry, Pinterest enables safe, automated engineering workflows while maintaining strict governance and security controls.

Pinterest implemented a Model Context Protocol (MCP) ecosystem using cloud-hosted, domain-specific servers rather than a monolithic architecture.
A central MCP registry serves as the source of truth for discovery, governance, and security validation across internal AI clients.
The platform uses a unified deployment pipeline to abstract infrastructure management, allowing domain experts to focus on tool business logic.
Security is enforced through a dedicated MCP Security Standard, utilizing JWT-based authentication and mesh identities for granular access control.
Production integrations include internal LLM web chat, IDE plugins, and AI bots that automatically handle OAuth flows and tool binding.
High-leverage servers for Presto, Spark, and internal knowledge bases enable agents to perform tasks like log analysis and data retrieval.

#mlp #security #data

Read original

Cloudflare BlogMar 18, 2026

Introducing Custom Regions for precision data control

Why it matters: This allows engineers to meet strict data sovereignty and compliance requirements without losing global DDoS protection. By decoupling ingestion from processing, teams can precisely control where TLS termination and L7 logic occur, which is critical for regulated industries and AI data privacy.

Cloudflare expanded its Regional Services to include Turkey, UAE, IRAP (Australia), and ISMAP (Japan), totaling 35 managed regions.
Introduced Custom Regions, allowing customers to define precise geographical boundaries for traffic processing using expression-based rules.
The architecture decouples global L3/L4 DDoS mitigation at the edge from regional L7 processing and TLS termination.
Traffic entering outside a specified region is routed via a secure private backbone to an in-region data center before decryption.
Custom Regions support specialized use cases like localizing AI inference, meeting government compliance, and aligning with corporate structures.

#security #dist #data

Read original

Page 5 of 18

Prev 1...3 4 5 6 7...18 Next