Why generating SBOM based on your code is far from enough
Mar 14, 2022
16 mins read
This isn’t yet another blog giving the SBOM 101. There is an abundance of those. This is a deep dive into th...
Exploiting Jenkins build authorization
Feb 17, 2022
11 mins read
TL;DR
The default build authorization configuration in Jenkins — controlling the permissions allocated to pi...
Asi Greenholts
@TupleType
PPE — Poisoned Pipeline Execution
Feb 08, 2022
25 mins read
Dev environments have become a major part of today’s attack surface. And within them, the most lucrative ass...
Secret Diver — Searching for deeply hidden secrets
Docker images are composed of layers. These containers, even after modifications and updates, may have secrets...
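The layering behaviour that teaser refers to can be checked directly: a file that a later layer "deletes" only gets a whiteout marker in that layer, while its bytes stay in the earlier one. The script below is an added illustration, not code from the post or the Secret Diver tool. It constructs a two-layer image in memory in a simplified docker-save layout (an outer tar with a manifest.json listing per-layer tars, which is an assumption for the demo), plants an AWS-style key in layer 1, deletes it in layer 2, and then scans every layer rather than the merged filesystem, so the key is still found. The regexes and sample key are constructed for the example.

```python
import io
import json
import re
import tarfile

# Constructed patterns for the demo; a real scanner would carry a much larger set.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(rb"AKIA[0-9A-Z]{16}"),
    "generic_secret": re.compile(rb"(?i)(secret|password|token)\s*[=:]\s*\S+"),
}


def _tar_bytes(entries):
    """Build an in-memory tar from {path: bytes}; empty bytes makes an empty file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_image():
    """Constructed sample image: layer 1 adds a secret, layer 2 'removes' it."""
    layer1 = _tar_bytes({
        "app/config.yaml": b"name: demo\n",
        # Sample key from the AWS docs; constructed for the example, not live.
        "app/.env": b"AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    })
    # In overlay-style image layers a ".wh.<name>" entry hides <name> from lower
    # layers when the image is mounted; it does not remove the lower layer's bytes.
    layer2 = _tar_bytes({
        "app/.wh..env": b"",
        "app/README": b"secrets removed, honest\n",
    })
    manifest = json.dumps([{"Config": "config.json",
                            "Layers": ["l1/layer.tar", "l2/layer.tar"]}]).encode()
    return _tar_bytes({"manifest.json": manifest,
                       "config.json": b"{}",
                       "l1/layer.tar": layer1,
                       "l2/layer.tar": layer2})


def scan_layers(image_bytes):
    """Walk every layer in manifest order; return (findings, whiteouts).

    findings:  [(layer_index, path, pattern_name)]
    whiteouts: [(layer_index, hidden_path)]
    """
    findings, whiteouts = [], []
    with tarfile.open(fileobj=io.BytesIO(image_bytes)) as outer:
        manifest = json.load(outer.extractfile("manifest.json"))
        for idx, layer_name in enumerate(manifest[0]["Layers"]):
            layer_data = outer.extractfile(layer_name).read()
            with tarfile.open(fileobj=io.BytesIO(layer_data)) as layer:
                for member in layer.getmembers():
                    if not member.isfile():
                        continue
                    base = member.name.rsplit("/", 1)[-1]
                    if base.startswith(".wh."):
                        whiteouts.append((idx, member.name.replace(".wh.", "", 1)))
                        continue
                    content = layer.extractfile(member).read()
                    for pname, pat in SECRET_PATTERNS.items():
                        if pat.search(content):
                            findings.append((idx, member.name, pname))
    return findings, whiteouts


def secrets_hidden_by_later_layers(findings, whiteouts):
    """Findings whose file a later layer whites out: invisible in the running
    container, still present in the image."""
    return [f for f in findings
            if any(w_path == f[1] and w_idx > f[0] for w_idx, w_path in whiteouts)]


if __name__ == "__main__":
    found, wh = scan_layers(build_sample_image())
    for layer, path, kind in found:
        print(f"layer {layer}: {path} matches {kind}")
    for layer, path, kind in secrets_hidden_by_later_layers(found, wh):
        print(f"layer {layer}: {path} is whited out later but still in the image")
```

Running it reports the key in layer 0 and flags that layer 1 hides the file without removing it. The same walk applies to a real `docker save` tarball because it only relies on the manifest's layer list and on whiteout naming; scanning the merged filesystem (or only the top layer) would miss this case entirely.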
Our dependencies are under attack, and this time we were lucky…
In the past few weeks, our world infrastructure has been under attack. The attack is very simple: Find a depen...
Visualizing CI/CD from an attacker’s perspective
Jan 10, 2022
15 mins read
CI/CD environments and processes are increasingly becoming a key area of focus for both hackers and — conseq...
NPM might be executing malicious code in your CI without your knowledge
The JavaScript ecosystem is highly reliant on dependencies. And all I wanted was a method to safely downl...
Optimizing your resilience against Log4Shell
Collection of actionable measures — across Prevention, Mitigation, Detection and assessment — for coping w...
Daniel Krivelevich
@Dkrivelev
Malicious code analysis: Abusing SAST (mis)configurations to hack CI systems
Nov 03, 2021
13 mins read
I recently found a new method that allows secure code analysis mechanisms to be bypassed and even worse — ab...