Reference articles, all in one place.
Deep dives, best practices, and authoritative guides on supply-chain security, AI code governance, code ownership, and container management.
AI Coding Tool Categories and Governance
A taxonomy of AI coding tools — from LLM APIs to autonomous agents — with risk levels, governance requirements, and maturity models.
What Is Code Ownership? A Developer's Guide
A developer's guide to understanding who owns what in your codebase — and why it matters more than you think for review speed, incident response, and knowledge retention.
State of AI Agent Code in Production
How autonomous coding agents are reshaping security, compliance, and incident response — and why regulatory frameworks haven't caught up.
EU Cyber Resilience Act Explained for Engineering Teams
What the CRA requires for SBOMs, the timeline and penalties, and why September 2026 matters for AI-coded software.
Why 'What Did the Agent Actually Deploy?' Is the Hardest Question in Incident Response
The artifact-to-production visibility gap that every incident response team faces — and how autonomous AI agents made it worse.
The CISA Known Exploited Vulnerabilities Catalog: What It Means for Your Response Playbook
How to integrate CISA KEV data into incident response workflows and leverage 1,587 confirmed exploited vulnerabilities to drive patch prioritization.
NIST SSDF Implementation When AI Agents Are Part of Your Build
How to interpret the NIST Secure Software Development Framework (SP 800-218 v1.1) when autonomous coding agents sit in your pipeline — provenance, attestation, and the actual taxonomy.
Verifying What's Actually Running in Production: Build Diff vs Runtime Reality
Hash what's actually executing in production, diff it against the build artifact, and catch agent-authored Dockerfile drift before an incident makes you wish you had.
SLSA Source Track: Proving Who Authored Every Line of Code
Using SLSA supply chain levels to cryptographically verify human vs. autonomous agent authorship of each commit in production.
AI Coding Tools and Open Source License Risk: What Your Legal Team Needs to Know
How autonomous agents generate copyleft code without attribution, exposing organizations to license contamination and legal liability.
Code Ownership in the Age of Coding Agents
When Copilot, Cursor, and autonomous agents author 30-50% of your commits, the historical CODEOWNERS model breaks. Here's how to remap ownership for an agent-heavy codebase.
FedRAMP 20x and AI-Generated Code: What You Need to Know
How FedRAMP's 2025 modernization affects authorization timelines and SBOM requirements for AI-augmented software.
Container Provenance for AI-Generated Builds: SLSA Attestations When the Source Is Half Human, Half Agent
How to issue SLSA Build provenance attestations on container images when an autonomous coding agent contributed to the Dockerfile, the build script, or the source — without losing the audit trail.
SLSA Provenance Attestations During Incident Triage: A Practical Guide
How to use cryptographic provenance attestations to trace artifacts to source commits and answer 'did this deployment cause the incident?' in minutes, not hours.
Cryptographic Provenance for Coding-Agent Output
Use Sigstore keyless signing to bind agent identity, model version, and policy context into the OIDC token of every commit and artifact an autonomous coding agent produces.
Attributing AI-Authored Commits in Git
Concrete git workflows for attributing agent-authored commits — Generated-By trailers, Co-authored-by lines for bots, signed commits, and the audit trail you'll wish you had during your first incident.
SOC 2 Compliance and AI Coding Tools: What Auditors Are Asking
Map AI-generated code to SOC 2 Trust Services Criteria, prepare evidence for audits, and close the AI provenance gap.
Pinning Base Images When AI Agents Author Dockerfiles
Coding agents reach for `:latest` by reflex. Here is the SHA-pinning, Renovate-driven workflow that lets agents touch Dockerfiles without breaking your supply chain.
Software Supply Chain Attacks in the Age of Autonomous AI Agents: 2024–2025 Case Studies
How AI-accelerated vibe coding and autonomous agents are reshaping software supply chain vulnerabilities — with three documented incidents and lessons learned.
SLSA Build Track Level 3 for Agent-Generated Artifacts
What SLSA Build Track Level 3 actually requires when the source-track author is an autonomous coding agent — hermetic builds, isolated builders, and signed provenance you can verify with slsa-verifier.
How to Tag and Track AI-Generated Code in Git
Implementation strategies for marking agent-authored commits with cryptographically verifiable metadata for audit compliance.
Reviewer Assignment When Half Your Team Is an Agent
CODEOWNERS routing rules, quorum policies, and GitHub Actions workflows for assigning reviewers when the PR author is a Copilot, Cursor, or Claude Code agent — not a human.
SBOM Diff for Container Updates Authored by Coding Agents
When an autonomous agent rewrites a Dockerfile or bumps a dependency, you want a CycloneDX SBOM diff in the PR — not a CVE in production. Here is the pattern.
Tracing a Vulnerability from CVE to Production Artifact in Under 10 Minutes
Rapid CVE triage workflow: CISA KEV lookup → SBOM query → deployment match → blast radius → remediation in minutes, not hours.
Generating a CycloneDX SBOM in Your CI/CD Pipeline
Automate SBOM generation at build time with CycloneDX, add AI-attribution metadata, and sign with Sigstore — practical CI/CD integration.
Building an AI Code Review Gate in Your CI/CD Pipeline
Automated enforcement policies for agent-authored code with risk-based approval workflows and escalation paths.
Building a Self-Assembling Compliance Evidence Library
Stop gathering evidence at audit time. Automate compliance proof collection in CI/CD for AI-augmented engineering teams.
Auditing Agent-Authored PRs Before Merge
Diff-stat heuristics, secret-scan gates, dependency-add detection, and license checks — the merge-time controls that catch agent-authored PR failures before they reach main.
Detecting Drift Between Dev Container and Prod Image
When agents iterate locally inside a devcontainer, the prod image you ship can quietly diverge. Cosign attestation diffs catch the gap before incidents do.
Building a Deployment Changelog That Survives an Incident
A 10-field deployment record schema that captures artifact identity, authorship (including AI agents), and approval chains for rapid incident triage.
Skills, Files, and Permissions: A Working Threat Model for AI Coding Agents
What coding agents can and can't do, the permission models that govern agent file access, and how to set boundaries that don't break the agent's usefulness.
Cryptographically Signing AI-Generated Artifacts with Sigstore
Using Sigstore keyless signing to verify autonomous agent-authored code and build artifacts with non-repudiation and audit trails.
Gold Images for Incident Response: How to Verify That What's Running Is What You Built
Using hardened base images, cryptographic signing, and policy enforcement to answer 'is this container what we actually built?' during an incident.
Mapping Your SBOM to NIST NVD: A Vulnerability Triage Workflow
Go from SBOM to patched artifact: CVE lookup, CISA KEV prioritization, VEX documentation, and remediation tracking.
Vendoring AI-Generated Code: SBOM and License Implications
When a coding agent rewrites a third-party function inline, copies a Stack Overflow snippet, or paraphrases an MIT-licensed utility, what does your SBOM actually say — and how do you keep the license attribution chain intact?
Preparing SBOM Evidence for a FedRAMP or SOC 2 Audit: A Walkthrough
What auditors actually look at, the 10-field checklist, and how to organize SBOM artifacts for compliance review.
Incident Postmortem Templates: Supply Chain Questions Every Team Should Answer
Five postmortem templates by incident type — data breach, deployment failure, OSS CVE, insider threat, misconfiguration — plus one for incidents caused by autonomous AI agents.
How Package Managers Actually Work: Resolution, Lock Files, and SBOM Calculation
A primary-source explainer of how npm, Yarn, pnpm, pip, Poetry, uv, Cargo, Go modules, Maven, Gradle, Bundler, and Composer resolve dependencies, lock them, and feed SBOM tools — and where those SBOMs disagree.
Setting Up a Secure Local Claude Code Development Environment
A four-layer hardening playbook for Claude Code on a developer laptop — workspace isolation, secret hygiene, permission discipline, and network egress control. Practical, opinionated, copy-pasteable.
Shadow Engineering Detection
How to identify unsanctioned tools, frameworks, and AI assistants in your engineering organisation through build inspection and desktop monitoring.