Trusted publishing for npm packages ◆ npm Docs

less than 1 minute read

Managed identities for artifact publication is great. Let’s just make sure it doesn’t come at the cost of traceability.

Trusted publishing allows you to publish npm packages directly from your CI/CD workflows using OpenID Connect (OIDC) authentication, eliminating the need for long-lived npm tokens. This feature implements the trusted publishers industry standard specified by the Open Source Security Foundation (OpenSSF), joining a growing ecosystem including PyPI, RubyGems, and other major package registries in offering this security enhancement.

Like machine identities and SPIFFEE in the cloud. Nice!

GitHub Actions (GitHub-hosted runners) - GitLab CI/CD Pipelines (GitLab.com shared runners)

The benefits are obvious. But are we losing control? All these “managed identities” usually fail to provide the same level of logging and traceability we expect when we manage our own identities.

Direct Link

Share on

X Facebook LinkedIn Bluesky

Make Real Progress In Security From AI

1 minute read

I gave a talk at the AI Agent Security Summit by Zenity Labs on October 8th in San Francisco. I’ll post a blog version of that talk here shortly.

How Should AI Ask for Our Input?

2 minute read

Enterprise systems provide a terrible user experience. That’s common knowledge. Check out one of the flash keynotes about the latest flagship AI product by ...

Pwn the Enterprise - thank you AI! Slides, Demos and Techniques

6 minute read

We’re getting asks for more info about the 0click AI exploits we dropped this week at DEFCON / BHUSA. We gave a talk at BlackHat, but it’ll take time bef...

Someone Is Cleaning Up Evidence