CuraDevOps

tag: Security · 3 items

2026-07-11 · Grafana Blog · source ↗ #supply-chain#security#grafana
  • Platform/SRE — Learn: Grafana’s PIR confirms no customer production impact and no Grafana Cloud compromise from the TanStack npm attack; useful background on how supply chain attacks can reach observability vendors, but no operational change is required.
  • CI/CD — Learn: The report details how a compromised npm package triggered a ransom incident and exposed a missed credential rotation — valuable for evaluating the depth of your own supply chain audit and rotation runbooks, even though Grafana’s customer pipelines were unaffected.
  • Leader — Learn: Grafana’s independently audited transparency report (Mandiant confirmed no code tampering or repository poisoning) is useful context for assessing vendor security maturity; no strategic action is required since customer exposure was ruled out.
2026-07-11 · GitHub Changelog · source ↗ #secret-scanning#github#security
  • Platform/SRE — Skip
  • CI/CD — Learn: If your pipelines parse or display GitHub secret scanning output, the renamed detector type labels may affect dashboards or tooling that filters by those names — low urgency, no deadline.
  • Leader — Skip
2026-07-11 · GitHub Changelog · source ↗ #static-analysis#security#github-actions
  • Platform/SRE — Skip
  • CI/CD — Plan: If pipelines run CodeQL scanning on Kotlin 2.4.0 codebases, upgrade to CodeQL 2.26.0 this quarter to maintain scan coverage; the new AI prompt injection queries are worth enabling if building LLM-integrated apps.
  • Leader — Skip