| ▲ | insanitybit an hour ago | |
Just some suggestions: 1. Dependency cooldowns of 1-2 days seem to be extremely effective without negatively impacting your ability to patch for CVEs. 2. Anywhere you have `npm install` or `npm test` or anything where code executes, that should happen in an environment that has no privileges. In your github actions you can do this semi-straightforwardly by using two separate jobs - one to build the artifacts and test them, another to do any sort of publishing, signing, etc. If you use AI, add a skill / guidance to enforce this pattern. 3. If you use Github Actions, install the latest version of zizmor. It will significantly improve your posture. (2) means that you are no longer "wormable", which is a massive part of the problem that we have today. (1) gives companies more time to respond to the attacks. There are some vendors in this space that you can and should evaluate as well. | ||
| ▲ | tmpz22 14 minutes ago | parent [-] | |
> anything where code executes ALL the agentic orchestrators like codex, claude-code, etc. seem to do this by default. | ||