<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Security on CuraDevOps</title><link>https://curadevops.metacog.co.kr/tags/security/</link><description>Recent content in Security on CuraDevOps</description><generator>Hugo</generator><language>en-us</language><lastBuildDate>Sat, 11 Jul 2026 15:50:13 +0000</lastBuildDate><atom:link href="https://curadevops.metacog.co.kr/tags/security/index.xml" rel="self" type="application/rss+xml"/><item><title>CodeQL 2.26.0 adds Kotlin 2.4.0 support and AI prompt injection detection</title><link>https://curadevops.metacog.co.kr/insights/2026-07-11-codeql-2-26-0-adds-kotlin-2-4-0-support-and-ai-prompt-inject/</link><pubDate>Sat, 11 Jul 2026 15:50:13 +0000</pubDate><guid>https://curadevops.metacog.co.kr/insights/2026-07-11-codeql-2-26-0-adds-kotlin-2-4-0-support-and-ai-prompt-inject/</guid><description>&lt;ul>
&lt;li>&lt;strong>Platform/SRE — Skip&lt;/strong>&lt;/li>
&lt;li>&lt;strong>CI/CD — Plan:&lt;/strong> If pipelines run CodeQL scanning on Kotlin 2.4.0 codebases, upgrade to CodeQL 2.26.0 this quarter to maintain scan coverage; the new AI prompt injection queries are worth enabling if building LLM-integrated apps.&lt;/li>
&lt;li>&lt;strong>Leader — Skip&lt;/strong>&lt;/li>
&lt;/ul></description></item><item><title>GitHub Secret Scanning detector types get renamed for clarity</title><link>https://curadevops.metacog.co.kr/insights/2026-07-11-clearer-names-for-secret-scanning-detector-types/</link><pubDate>Sat, 11 Jul 2026 15:50:13 +0000</pubDate><guid>https://curadevops.metacog.co.kr/insights/2026-07-11-clearer-names-for-secret-scanning-detector-types/</guid><description>&lt;ul>
&lt;li>&lt;strong>Platform/SRE — Skip&lt;/strong>&lt;/li>
&lt;li>&lt;strong>CI/CD — Learn:&lt;/strong> If your pipelines parse or display GitHub secret scanning output, the renamed detector type labels may affect dashboards or tooling that filters by those names — low urgency, no deadline.&lt;/li>
&lt;li>&lt;strong>Leader — Skip&lt;/strong>&lt;/li>
&lt;/ul></description></item><item><title>Grafana Labs post-incident review: TanStack npm supply chain ransom</title><link>https://curadevops.metacog.co.kr/insights/2026-07-11-post-incident-review-for-tanstack-npm-supply-chain-ransom-in/</link><pubDate>Sat, 11 Jul 2026 15:50:13 +0000</pubDate><guid>https://curadevops.metacog.co.kr/insights/2026-07-11-post-incident-review-for-tanstack-npm-supply-chain-ransom-in/</guid><description>&lt;ul>
&lt;li>&lt;strong>Platform/SRE — Learn:&lt;/strong> Grafana&amp;rsquo;s PIR confirms no customer production impact and no Grafana Cloud compromise from the TanStack npm attack; useful background on how supply chain attacks can reach observability vendors, but no operational change is required.&lt;/li>
&lt;li>&lt;strong>CI/CD — Learn:&lt;/strong> The report details how a compromised npm package triggered a ransom incident and exposed a missed credential rotation — valuable for evaluating the depth of your own supply chain audit and rotation runbooks, even though Grafana&amp;rsquo;s customer pipelines were unaffected.&lt;/li>
&lt;li>&lt;strong>Leader — Learn:&lt;/strong> Grafana&amp;rsquo;s independently audited transparency report (Mandiant confirmed no code tampering or repository poisoning) is useful context for assessing vendor security maturity; no strategic action is required since customer exposure was ruled out.&lt;/li>
&lt;/ul></description></item></channel></rss>