"Secure Software Development (РБПО) for the Poor": Setting Up Secure Development Services
In the previous article of this series we finished deploying the infrastructure of our future РБПО pipeline: we installed GitLab, Nexus, HashiCorp Vault, Dependency-Track and DefectDo…
Latest Open Source news from Tech News
An AI skill is a Markdown file your coding agent reads and obeys. GitHub code search currently finds 74,192 SKILL.md files installed under .claude/ski…
GitHub is not just a source code platform anymore. For most engineering organizations, GitHub is part identity system, part software supply chain, par…
Static Application Security Testing (SAST) is a critical practice in modern DevSecOps. While tools like SonarQube, Snyk, and Veracode are popular, thi…
AI Security Scanning Tools in 2026: Snyk vs Semgrep vs OX Security — Real False-Positive Rates Tested If you're still manually reviewing security scan…
A friend of mine runs security at a mid-size fintech. Last month she got a Slack DM from her general counsel at 9:47 on a Tuesday night. The Italian D…
TL;DR — A prompt injection can rewrite your AI IDE's mcp.json the moment you open a project, with no dialog and no click, and get arbitrary code execu…
Hi, Habr! Containerization has long been the de facto standard for modern development. But along with speed and flexibility, Kubernetes and Docker …
This article turned out long: there are many practices, and each matters in its own way. I assembled it as a set of best practices: not every item is needed by every project, …
Finding out there is "suspicious activity" in your infrastructure is enough to make any DevOps engineer's heart rate spike. If you’re running containe…
Cilium runs in the kernel-level network path of millions of Kubernetes pods: from cloud providers to the in-house clusters of banks and telecoms. If …
Hi, Habr! My name is Artyom Berdashkevich; at Positive Technologies I lead the DevSecOps practice. Today I want to talk about a topic that over the years …
I run Debuggix, a free security scanner that runs 9 engines in parallel. For Episode 3 of our "Verified or Not" series, we scanned Kubernetes Goat — a…
In 2022–2024 the Western CNAPP platforms (Wiz, Prisma Cloud, Lacework) cut off access for Russian companies. Sber and Yandex cobbled together their own stack …
If you think the security risk of AI coding agents (Claude Code, Cursor, Gemini CLI) is "the model goes rogue and runs a dangerous command," the serio…
You open your vulnerability dashboard on a Monday morning and see 47 critical CVEs across 12 assets. By Thursday, your team has patched 11 of the 12 a…
Open source repository: https://github.com/arijeetganguli/agentra PyPI: https://pypi.org/project/agentra/ AI coding agents are becoming part of everyd…
If you're still testing LLM guardrails by hand — retyping variations in a chat tab, logging results in a notebook, eyeballing responses — you're leavi…
Wire Fire — Episode 02 On 18 May 2026 an attacker published a poisoned version of a popular Visual Studio Code extension. It was live for roughly elev…
On May 14, 2026, GitGuardian found what looked like leaked CISA secrets in a public GitHub repository named Private-CISA. It held 844 MB of data acros…
Part I: The root cause: the Mini Shai-Hulud attack on the TanStack ecosystem. The supply chain as an attack vector. On 11 May 2026, between 19:20 and 19:26…
The Agent That Created 107 PRs (And Why That Was the Problem) One of our leaders has a way of framing AI initiatives that I find genuinely useful. Thr…
Digital Signatures: The “Trust Me Bro” Detector for Junior Cybersecurity Engineers Subtitle: How digital signatures help prove who signed something, w…
A Practical Terraform Security Review with Codex and Claude Code A Terraform repository is not just code. It is a map of your cloud control plane. It …
This article was originally published on LucidShark Blog . On February 17, 2026, a developer opened a GitHub issue on the Cline repository. The issue …
Enterprise cloud security tools like Wiz, Prisma Cloud, and Microsoft Defender for Cloud cost upwards of $500,000 per year. Most organisations running…
As developers and system architects, we often secure our code but neglect the silent threats lurking in old directories or clever obfuscations. Recent…
Security that happens after deployment is already too late. By the time a quarterly penetration test discovers hardcoded secrets, vulnerable container…
This is a technical deep dive into the cryptography behind Ennote's enterprise architecture. You can read the original full-length post on our enginee…
"We had two bundles of SAST findings, seventy-five CVEs rated Critical, five duplicates of the same CVE across different services, half a salt shaker of fa…