SShortSingh.
Back to feed

Pre-Install Supply Chain Gates Can Catch What SBOMs and CVE Scans Miss

0
·1 views

Software Bill of Materials (SBOM) tools and CVE scanners only evaluate packages after they have already been resolved and installed, meaning they cannot assess whether a package should have been proposed in the first place. This gap is especially dangerous when AI coding agents recommend dependencies, since they assign equal confidence to real, hallucinated, or typosquatted package names. A newly registered malicious package with no CVE record will pass standard post-install scans as clean, even if its postinstall script has already executed harmful code during installation. A pre-install tool called supply_chain_gate.py addresses this by checking each proposed package against a vouched snapshot and trusted registry before npm install runs, returning ALLOW or DENY per package. In a demonstration, the tool correctly allowed 'express' while denying 'expresss' — a one-letter typosquat — illustrating that a default-deny approach against a known baseline catches threats that post-resolve scanning cannot.

Read the full story at DEV Community

This is an AI-generated summary. ShortSingh links to the original source for the complete article.

Discussion (0)

Log in to join the discussion and vote.

Log in

Related stories

0
ProgrammingDEV Community ·

AWS-Backed Strands Agents Framework Paired With Langfuse for AI Quality Evaluation

A proof-of-concept project demonstrates how to build a Python-based banking assistant using Strands Agents, an open-source LLM agent SDK released by AWS in May 2025. The agent simulates a customer support system for a fictional bank, handling tasks like card freezing, transaction lookups, and dispute management. Because AI applications can return confident but incorrect answers that traditional metrics like error rates and latency fail to detect, the project integrates Langfuse for tracing and evaluation. Langfuse, which is open-source and self-hostable via Docker Compose, enables both offline and online assessments of agent outputs, including LLM-as-judge scoring and human annotation queues. The full source code is available on GitHub, covering setup steps from agent configuration through CI/CD-ready evaluation pipelines.

0
ProgrammingDEV Community ·

AWS Kiro CLI Integrates Google Gemini Omni Flash via MCP for AI Video Workflows

Amazon Web Services' Kiro CLI, an agentic AI-powered IDE built on a fork of VS Code, can be configured to work with Google's Gemini Omni Flash Preview model through the Model Context Protocol (MCP). Gemini Omni is a multimodal AI video model that supports generating, editing, and iterating on video content using text, image, audio, and video inputs. The integration relies on Python-based MCP servers using the stdio protocol, with basic command validation recommended before deploying more complex tools. AWS CLI is used alongside Kiro to manage underlying cloud services during the setup process. The approach mirrors a previously documented method using Antigravity CLI with MCP servers, applying the same structured configuration steps to the Kiro environment.

0
ProgrammingDEV Community ·

Developer Builds AI-Maintained Failure Log to Close the ML Eval Feedback Loop

A developer working on an MLX-based classifier that maps work sessions to Jira tickets found that running evaluations was easy, but tracking and diagnosing recurring failures was not. After accumulating 62 failures across three eval runs with no reliable way to spot patterns, they designed a structured solution using a Claude Code skill invoked manually after each evaluation. The workflow writes failure data to a machine-maintained file called FEEDBACK.json, storing runs, individual observations, and named failure classes that persist across multiple eval cycles. To keep context usage manageable, the skill queries only targeted slices of the file using jq rather than loading it entirely. The approach aims to turn evaluation results into an actionable engineering tool rather than a static scoreboard.

0
ProgrammingDEV Community ·

Backboard launches AI compression tool, coding assistant, and memory app from Ontario

Canadian AI company Backboard announced four products on July 1, built around maximizing existing GPU efficiency rather than investing in new hardware. Its compression technology, BackboardQuant, reduces model size by up to 70% while maintaining full-precision performance and delivering up to 2.7x faster inference speeds. Backboard Studio, an agentic coding assistant, scored 79.8% on the Terminal-Bench 2.1 benchmark, outperforming Claude Opus 4.8's standalone result of 74.6%, and can run entirely on open-source models. The company also launched Nash, a consumer and enterprise chat app offering access to thousands of AI models with on-premise memory storage, which ranked first on two independent AI memory benchmarks. The entire stack is designed to run within a customer's own cloud environment, keeping data on-premises — a key requirement for sectors like healthcare, finance, and government.

Pre-Install Supply Chain Gates Can Catch What SBOMs and CVE Scans Miss · ShortSingh