Hardening ACTUI: Dependabot and OpenSSF Scorecard for a Side Project

The Unexpected Swag from KubeCon EU 2026
KubeCon EU 2026 Amsterdam was a great edition. I walked away with good conversations, new connections, and the usual conference bag full of stickers. But one thing stood out among the swag: six months of GitHub Copilot Pro+, courtesy of GitHub. I’m not going to pretend I wasn’t excited. Copilot Pro+ isn’t cheap, and having it handed to you as conference loot—just because you showed up in the right place, accepting the right invitation—felt like a proper thank-you to the community. GitHub clearly knows its audience. ...

April 2, 2026 · 8 min · 1619 words · Matteo Bisi

August 2026 Countdown: Are Your K8s AI Workloads EU AI Act Ready?

The countdown is on. As of March 2026, we are less than five months away from the full applicability of the EU AI Act (August 2, 2026). For those of us running AI workloads on Kubernetes, whether it’s self-hosted inference engines like vLLM or RAG-based agentic systems, compliance is no longer a legal “later” problem. It’s an engineering “now” problem. Before we dive into the technical implementation, let’s look at the critical roadmap and the cost of getting it wrong: ...

March 16, 2026 · 5 min · 1040 words · Matteo Bisi

The Exploitability Gap: Insights from Datadog’s State of DevSecOps 2026

Intro
We have all been there: a Slack notification triggers an alert for a “Critical” CVE, and the scramble to patch begins. But as our clusters grow, so does the noise. The most jarring security stories are often the ones happening silently inside our own production environments. Datadog recently released its State of DevSecOps 2026 report, and the numbers provide a sobering reality check for anyone managing cloud-native infrastructure. The report reveals that 87% of organizations are currently running at least one known exploitable vulnerability in their deployed services. Even more concerning is that many of these services rely on libraries that have been abandoned by their maintainers. This is not just a theoretical problem; it is based on telemetry from thousands of real-world cloud environments, making the findings impossible to dismiss. ...

March 6, 2026 · 3 min · 626 words · Matteo Bisi

The Challenge of Securing AI Agents: A DevSecOps Perspective

As a DevSecOps Team Leader, my job is to secure customers using modern technologies. Sounds straightforward, right? The reality is far more complex. Every day, I face the challenge of enabling innovation while maintaining security. The rapid adoption of AI has introduced a new dimension to this challenge: agentic AI assistants that do not just chat, they act. This challenge connects directly to something I wrote about recently. In my article on spec-driven development with GitHub Spec-Kit, I discussed how structure and governance matter when using AI for coding. The same principle applies here: when AI agents can execute code, access secrets, and operate with user privileges, we need structure and governance more than ever. ...

February 17, 2026 · 5 min · 1059 words · Matteo Bisi

Testing Spec-Kit: Building a Functional Container TUI in 2.5 Hours

Introduction: Theory Meets Practice
In my previous article about GitHub Spec-Kit, I explored the theoretical foundations of spec-driven development: why structured AI workflows matter for compliance, auditability, and team collaboration. I discussed the high-level concepts of audit trails, liability, and how spec-kit transforms “vibe coding” into a rigorous, documented process. Today, I’m sharing something different: a raw, unfiltered hands-on experience building a real tool from scratch using spec-kit. This is a chronological journey documenting what actually happened when I let spec-kit drive the development process from constitution to working code. ...

February 12, 2026 · 9 min · 1747 words · Matteo Bisi

AI CLI Standardization: From Tool Lock-in to Portability

Introduction: From Web Chatbots to CLI Tools
AI is a powerful tool, and for IT professionals, the most effective way to leverage it is through CLI tools like GitHub Copilot CLI, Claude Code, Gemini CLI, or similar agents. In previous articles like GitHub Spec-Kit, I explored spec-driven development and structured AI workflows, but I realized I skipped fundamental concepts: why CLI tools beat web chatbots and how to standardize your AI setup for portability. ...

February 6, 2026 · 12 min · 2506 words · Matteo Bisi

When Your Update System Becomes the Attack Vector: The Notepad++ Supply Chain Compromise

The recent Notepad++ supply chain compromise shows how even widely trusted, open-source tools become vectors for state-sponsored espionage when their distribution infrastructure falls into the wrong hands. This was a surgical, six-month operation that bypassed traditional code security controls by exploiting the update mechanism.
What Happened and Where the SDLC Failed
In 2025, Notepad++, a widely used open-source text editor, suffered a sophisticated supply chain attack. Chinese state-sponsored threat actors compromised the shared hosting provider in June, gaining control of the update distribution system. Even after losing direct server access in September following a kernel update, attackers maintained persistence through stolen credentials until December 2. The fixed version 8.8.9 with hardened update verification was released on December 9. ...

February 3, 2026 · 7 min · 1370 words · Matteo Bisi

ClawdBot → MoltBot → OpenClaw: A Case Study in Confusion Attacks and Security Risks

What is ClawdBot/MoltBot/OpenClaw?
For those unfamiliar with the project, OpenClaw (formerly MoltBot, previously ClawdBot) is a personal AI assistant platform that integrates with multiple messaging channels including WhatsApp, Telegram, Discord, Slack, Signal, iMessage, and many others. The project is available at github.com/openclaw/openclaw and maintains a website at openclaw.ai. The tool is designed to be a “local-first, single-user assistant” with capabilities that include shell command execution, filesystem operations, browser automation, and integration with various cloud services. It’s essentially a bridge between AI models and your entire digital ecosystem. However, OpenClaw does not provide model access itself; users must configure it with their own API keys from providers like Anthropic, OpenAI, or others. ...

January 31, 2026 · 11 min · 2145 words · Matteo Bisi

GitHub Spec-Kit: Why Structured AI Development Beats Vibe Coding

Introduction: Spec-Driven Development vs. Vibe Coding
If you’ve been working with AI coding assistants, you’ve probably experienced what some call “vibe coding”, throwing prompts at an LLM and hoping for the best. Sometimes it works brilliantly. Other times, you end up with code that technically runs but doesn’t align with what you actually needed, or worse, introduces architectural decisions that create technical debt down the road. Spec-Driven Development (SDD) flips this approach on its head. Instead of starting with code and documenting later (if at all), you begin with comprehensive specifications that define the what and why before anyone, human or AI, writes a single line of code. The specification becomes the single source of truth, guiding implementation and ensuring alignment across the entire team. ...

January 21, 2026 · 6 min · 1267 words · Matteo Bisi

Evaluating OSS Security Fresh Editor S2C2F

It’s December 27th, and like most of you, I’m somewhere between “fully checked out for the holidays” and “can’t stop tinkering with new tools on my laptop.” Nobody’s at work. Teams is shut down and Slack is quiet. The corporate VPN can wait until January. But my curiosity? That’s working overtime. A couple of weeks ago, I discovered Fresh, a Rust-based terminal text editor that feels like it was designed specifically for people like me who live in terminals. Here’s what caught my attention: ...

December 27, 2025 · 10 min · 2034 words · Matteo Bisi