Weekly Security Roundup: Secrets, CI/CD Controls, and Audits
Recent security news features improvements in cloud-native secrets management, pipeline controls, compliance support, and code scanning. The main focus is automating secure workflows, improving visibility, and offering developers practical tips for maintaining security standards.
Kubernetes and Azure Cloud Security Solutions
Azure's infrastructure security continues to gain new features and certifications. The Secrets Store CSI Driver integrates with Azure Key Vault for external secrets management, building on earlier credential-security work. Guidance for securing Cloud Shell access to AKS recommends IP allowlisting and Bastion. Azure Linux 3.0 has received Level 1 CIS Benchmark certification for AKS node pools, supporting baseline compliance and easier audits and following recent OS security improvements.
- Securely Managing Kubernetes Secrets with Secrets Store CSI Driver and Azure Key Vault
- Securing Cloud Shell Access to Azure Kubernetes Service (AKS)
- Azure Linux 3.0 Achieves Level 1 CIS Benchmark Certification
CI/CD and Developer Workflow Security
In response to supply chain threats such as the recent nx/npm attacks, a technical post looks at CI/CD defenses beyond secret scanning: restricting workflow permissions, enforcing dependency policies, and controlling job execution in GitHub Actions. Another resource explains how to run Hyper-V alongside BitLocker on developer laptops without repeated recovery prompts, following on from recent coverage of runtime protection and ransomware defense. GitHub has improved notifications for security campaigns to help teams respond to vulnerabilities, continuing the push to automate fixes and reduce alert fatigue seen in Copilot Autofix and the campaign tooling.
- Mitigating GitHub Actions Supply Chain Attacks: Lessons from the nx Project Hack
- How to Use Hyper-V with BitLocker Without Constant Recovery Prompts
- Improved Notifications in GitHub Security Campaigns
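As an added example that is not from any of the posts above, a small Python heuristic that checks a GitHub Actions workflow for three controls in the spirit of the permission, dependency and job-execution controls the roundup mentions: a least-privilege top-level permissions block, action dependencies pinned to a commit SHA, and no pull_request_target trigger. The two workflow texts and the 40-hex commit SHA are constructed placeholders, not real repositories or commits.

```python
import re

# Constructed sample workflow (not from any linked post): one tag-pinned action,
# one SHA-pinned action, a risky trigger and no top-level permissions block.
RISKY_WORKFLOW = """\
on:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - run: npm ci && npm test
"""

# Same job with the three controls applied (placeholder SHA, not a real commit).
HARDENED_WORKFLOW = """\
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - run: npm ci && npm test
"""
SHA_PIN = re.compile(r"^[0-9a-f]{40}$")
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")

def audit_workflow(text: str) -> list[str]:
    """Line-oriented heuristic (no YAML parser) for three controls: a top-level
    permissions: block, actions pinned to a full commit SHA rather than a mutable
    tag, and no pull_request_target trigger, which runs with base-repo secrets."""
    findings = []
    lines = text.splitlines()
    if not any(line.startswith("permissions:") for line in lines):
        findings.append("no top-level permissions: block; GITHUB_TOKEN keeps the repository default scope")
    if re.search(r"\bpull_request_target\b", text):
        findings.append("pull_request_target trigger exposes secrets to fork-submitted code")
    for line in lines:
        m = USES_LINE.match(line)
        if not m or m.group(1).startswith("./"):  # local actions need no pin
            continue
        ref = m.group(1)
        if not SHA_PIN.match(ref.partition("@")[2]):
            findings.append(f"{ref} is pinned to a mutable ref, not a commit SHA")
    return findings
```

Running the check across a repository's .github/workflows directory in CI gives a cheap gate before the more thorough policy tooling the linked post discusses.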
Compliance, Audit, and Identity Infrastructure
Enhanced Audit is now generally available for the Azure Security Baseline for Linux, letting organizations run continuous compliance assessments and continuing the move toward automated, policy-based auditing. Azure Resource Manager will require multifactor authentication beginning October 2025; service principals and managed identities used in automated deployments are exempt. This change follows last week's emphasis on strong authentication. A beginner's guide to Entra ID introduces identity management as a security foundation, while technical workshops give step-by-step advice on implementing Zero Trust with Microsoft's framework, supporting compliance and regulatory adoption.
- GA: Enhanced Audit in Azure Security Baseline for Linux
- Azure Mandatory Multifactor Authentication: Phase 2 Launches October 2025
- Beginners Guide to Entra ID
- Zero Trust Workshop: Implementing Microsoft's Security Framework
Code Scanning and Data Exfiltration Security in Developer Platforms
The latest CodeQL 2.22.4 increases support for Go, Rust, and Java/Kotlin and advances secure-by-default code scanning, secret scanning, and asset validation. Microsoft Fabric now offers Workspace Outbound Access Protection (OAP) for Spark workspaces to prevent data exfiltration, improving on managed private endpoint protections and supporting ongoing work on data security.
- CodeQL 2.22.4 Adds Go 1.25 Support and Security Enhancements
- Introducing Workspace Outbound Access Protection for Spark
Other Security News
A newly published guide helps teams understand threat modeling for application security, offering checklists and actionable methods for every level of project maturity. This complements previous discussions about vulnerability management and secure development.