Operations | Monitoring | ITSM | DevOps | Cloud

Shai-Hulud style attacks need more than scanning

Pre-install scripts mean a malicious package can compromise a developer's laptop the moment it's pulled – no build, no deploy, no install required. That breaks the old model where scanning catches a bad package after the fact, when it's already too late. The fix is active policy enforcement at the point of pull, using signals like package age, signed provenance, and maintainer trust to filter out malicious packages before they ever land.

Upgrade Your AWS Deploy Orb to Get Deploy Markers

Upgrade to the latest version of your AWS deploy orb to get automatic registration of deploy markers. This will give you instant access to deployment timeline, auto-rollback, and version comparison when something breaks — for about five minutes of effort. It will also switch you to OIDC, so there are no long-lived keys to manage. It’s a single version bump. Here’s how.

Boost Is Now In Public Preview

Today, we’re excited to announce that Boost is moving out of beta and into public preview. After months of building, breaking, and rebuilding inside JFrog’s own R&D organization, Boost is ready for the world. If you are currently running into token limits, unpredictable costs, or runaway usage from AI agents, Boost was built for you. It has already helped our teams reduce token spend while maintaining performance.

How to Set Up Codex with CircleCI Plugin (Full Demo)

Learn how to connect OpenAI Codex to CircleCI so your coding agent can check pipelines, diagnose failed builds, fix bugs, and iterate until your CI pipeline is green. In this step-by-step demo, we walk through how to install and authenticate the CircleCI CLI, install the CircleCI plugin for Codex, validate your CircleCI configuration, and give Codex direct access to CI feedback. You’ll see how Codex can.

Make SBOM generation a build step, not a compliance project

Compliance work that lives outside the build pipeline becomes developer friction – and friction kills adoption. The simpler fix is to make SBOM generation a standard pipeline step via a reusable template, with output routed automatically to central storage and surfaced to the teams who need it. When developers can see their own license issues and vulnerability exposure without filing a ticket, compliance stops being a tax and starts being a byproduct of shipping.

5 takeaways from the State of Software Delivery Q2 Pulse report

AI is pushing code volume up almost everywhere. Shipping it is still the hard part, and the gap between leaders and everyone else is getting wider. Today we’re releasing the 2026 State of Software Delivery Q2 Pulse report, a shorter check-in between our annual reports. We analyzed more than 20 million CircleCI workflows from March 2026 to see what’s changed since the comprehensive 2026 State of Software Delivery report we published in Q1.

Cut CI Environment Setup Time in Half with Chunk sidecar Snapshots

Waiting minutes for CI feedback while you're building with AI agents kills your momentum. Chunk sidecars snapshots let you freeze your environment after setup, so every boot skips the install and starts from a cached state instead of scratch. In this tutorial, we demo how to set up Chunk sidecars, snapshot it, and boot from that snapshot. We also benchmark the difference: a cold sidecar start took 45 seconds. Booting from the snapshot took 12 seconds. That's 30+ seconds saved on every run, multiplied across every developer, branch, agent, and session.

Rebuilding the CircleCI CLI from scratch

Every developer knows the moment: CI goes red, and you face a choice. Open the browser and click through the web UI to the run, the workflow, the job, the step, the log line. Or stay in the terminal, where the fix is going to happen anyway. The new CircleCI CLI exists so you can stay. It’s 1.0, it’s in beta, and it’s a ground-up rewrite in Go, not an iteration on the CLI we’ve shipped for years.

Vulnerability scanners find problems. A firewall prevents them.

A vulnerability scanner tells you what's wrong with dependencies you've already pulled. A dependency firewall decides what enters your environment in the first place. Instead of pulling blindly from public registries, every request is proxied through the firewall – where policy controls what's permitted, threat intelligence flags malicious packages that scanners never see, and enforcement happens at the earliest possible point. Scanning what's already inside is too late.

How to Set Up Claude Code with CircleCI MCP Server (Full Demo)

AI agents write code fast, but without a validation layer, fast just means faster bugs. In this video, we connect Claude Code to the CircleCI MCP server so Claude can trigger pipelines, pull build failures into context, and iterate until everything is green. No context switching. No copy-pasting logs.

The golden path: security that works because it's the easy path

A golden path for dependency management isn't a policy document – it's a preconfigured private registry with upstream proxies covering every ecosystem your teams use, set as the default. Developers don't opt into security; they get it automatically by using the standard toolchain. The alternative is teams configuring their own controls, producing inconsistent postures and compounding risk across the org. If the secure path requires extra steps, developers will route around it. Make it the easiest option and the policy enforces itself.

ACP vs MCP: What's the difference for agentic coding?

An AI coding agent holds many conversations at once. Not only is the user prompting it, the agent also talks to the IDE, showing diffs and asking before it touches a file. At the same time it talks to tools, pulling a failing build or querying a database. Two open protocols standardize those conversations. This guide compares ACP vs MCP in practical terms: what each protocol does and when each applies. ACP (Agent Client Protocol) connects a code editor to an AI coding agent.

The most dangerous window is before threat intel knows about it

When a malicious package is first published, threat intelligence sources haven't flagged it yet – and every team pulling from a public registry is exposed during that entire window. The fix isn't faster scanning; it's a policy that holds new packages for a defined cooldown period before they're eligible to pull. By the time the window closes, the threat intelligence has caught up. Teams pulling direct from npm or PyPI have no equivalent enforcement layer – which is exactly how attacks like Shai-Hulud got in.

Fix flaky tests with AI, and track future test work in Jira

In January we launched Tests in Bitbucket Pipelines – a single place to track, organize, and understand your test health over time. In April we added automatic flaky test detection so unreliable tests get flagged before they slow your team down. But spotting a problem is only half the battle. Day to day, your team still needs to act on a test – track it as work, clean it up, or route it to the right person.