Blog
Security research & supply-chain writeups.
GitHub Actions security, package malware anatomy, and the internals of the vu1nz scanners.
ADT Security for CI/CD: Automated Detection and Triage Before the Merge
ADT security is not just alerting. For DevSecOps teams, it is the detection, triage, and ownership layer that turns CI/CD and package signals into merge-time decisions.
Cyber Security Certifications for DevSecOps: A Practical Architecture Guide for 2026
Cyber security certifications only help when they map to real engineering work. This guide shows how DevSecOps teams should use credentials to improve CI/CD and supply chain security.
Identity and Access Management for Cloud Security: A Practical Architecture for DevSecOps Teams
Identity and access management for cloud security is not a console cleanup task. It is the control plane for CI/CD, software supply chains, and production blast radius.
AI Agents GitHub Actions Security: How to Keep Autonomous CI/CD Workflows from Becoming a Supply Chain Liability
AI agents in GitHub Actions change CI/CD risk. This guide reframes the problem as workflow architecture: identity, permissions, context, validation, secrets, and auditability.
ADT Home Security for CI/CD: A Practical Architecture Model for Software Supply-Chain Defense
Use the ADT home security model to design CI/CD defense around sensors, policy, monitoring, response, and dependency risk instead of disconnected scanner output.
Encrypted Messaging GitHub Actions Security: A Practical CI/CD Architecture Guide
Encrypted messaging in GitHub Actions is not a chat feature. It is a workflow architecture decision for CI/CD alerts, secrets, incident routing, and supply chain response.
Security Service Architecture for CI/CD and Software Supply Chain Defense in 2026
A pragmatic security service architecture for DevSecOps teams defending CI/CD pipelines, GitHub Actions, and software supply chains without adding noise.
Screen Sharing CI/CD Security: How to Collaborate Without Exposing the Pipeline
Screen sharing is now part of incident response, release debugging, and pipeline reviews. Treat it as a CI/CD access path, not a meeting feature.
Security Service Architecture for CI/CD and Software Supply Chain Defense
Security service design is not about buying another scanner. It is about putting enforceable CI/CD and package supply-chain decisions where code actually changes.
Security Testing for CI/CD Supply Chains: A Practical Architecture for 2026
Security testing in 2026 is not a quarterly scan. It is a CI/CD control system for code, workflows, packages, secrets, runners, and merge decisions.
Trane Supply as a CI/CD Supply Chain Security Problem
Trane supply is not just a vendor lookup problem. For DevSecOps teams, it is a useful way to model supplier-originated code, packages, and CI changes before they merge.
What Dependabot Misses: 6 npm Supply-Chain Attacks That Got Through
Dependabot flags known CVEs. None of these six attacks had a CVE when they hit production.
Anatomy of the Shai-Hulud npm Worm (And How To Catch The Next One)
In September 2025 a self-replicating worm compromised 180+ npm packages overnight — including CrowdStrike's.
Ship Safer: vu1nz GitHub Actions catches CI/CD vulnerabilities in 30 seconds
17 automated CI/CD security checks plus optional Claude AI code review. One workflow file.
Introducing vu1nz OS — Autonomous AI Security Research Kernel
We built an AI-powered security testing system that thinks, acts, and observes.
The IDOR Testing Checklist
How to test for insecure direct object references without making assumptions about authorization.
Proof-Based XSS Detection
Why pattern-matching XSS detection is broken and how proof-based detection eliminates false positives.