Audun Mo
@audunmo.bsky.social
I like helping people make safer software. #appsec #cloudsec
I'm thinking of forking Dependency-Track. I think its promise could be delivered in a much simpler app. First thing is to combine the frontend and API into a single container. Second order of business would be to introduce OIDC-based token auth for M2M.
October 16, 2025 at 12:26 PM
Reposted by Audun Mo
Sometime within the next five years, there will be a story of someone using an LLM like a GPS to navigate, and it will be hilarious.
October 11, 2025 at 3:47 PM
I have no earthly idea why the world landed on using SPDX over CycloneDX as its default. And I'm so sad about it
October 6, 2025 at 11:58 AM
Today, Go's 1.25.1-bookworm image suddenly changed hash
October 2, 2025 at 9:37 AM
The fact that tags are immutable on docker hub by default blows my mind.
October 2, 2025 at 9:37 AM
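The two posts above (a `golang:1.25.1-bookworm` pull that suddenly produced a different hash, and tags on Docker Hub being re-pointable) are the case for pinning base images by digest rather than by tag. The following is an added example, not code from the author or from Docker: it lints a Dockerfile for `FROM` lines that rely on a mutable tag, rewrites them to `name:tag@sha256:...`, and re-checks a pinned file for a tag that has since been moved. The Dockerfile, the image names and every digest are constructed; `resolve` is an assumed stand-in for a registry lookup such as `docker buildx imagetools inspect <ref>`.

```python
"""Pin Docker base images by digest and detect a tag that has been re-pointed.

Added example, not from the original posts. Every digest below is constructed
(not the real golang digest) and `resolve` stands in for a registry query.
"""
import re
from typing import Callable, List, Optional, Tuple

FROM_RE = re.compile(
    r"^FROM\s+(?P<plat>--platform=\S+\s+)?(?P<ref>\S+)(?P<rest>.*)$", re.IGNORECASE
)
AS_RE = re.compile(r"\s+AS\s+(?P<stage>\S+)", re.IGNORECASE)
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

Resolver = Callable[[str, str], Optional[str]]  # (name, tag) -> digest or None


def parse_ref(ref: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Split image[:tag][@digest] into (name, tag, digest).

    A colon only separates a tag if no '/' follows it, so
    registry.example:5000/app is a name with a port, not a tagged image."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    name, tag = ref, None
    i = ref.rfind(":")
    if i != -1 and "/" not in ref[i:]:
        name, tag = ref[:i], ref[i + 1:]
    return name, tag, digest


def from_instructions(dockerfile: str) -> List[Tuple[int, str, str]]:
    """(line_no, line, ref) for every FROM that names a real image.
    Multi-stage aliases (FROM build) and the empty `scratch` image are skipped."""
    lines = dockerfile.splitlines()
    stages = set()
    for line in lines:
        m = FROM_RE.match(line.strip())
        if m and AS_RE.search(m.group("rest")):
            stages.add(AS_RE.search(m.group("rest")).group("stage"))
    out = []
    for n, line in enumerate(lines, 1):
        m = FROM_RE.match(line.strip())
        if m and m.group("ref") not in stages and m.group("ref").lower() != "scratch":
            out.append((n, line, m.group("ref")))
    return out


def unpinned(dockerfile: str) -> List[Tuple[int, str]]:
    """FROM lines that depend on a mutable tag (no @sha256 digest)."""
    return [(n, ref) for n, _, ref in from_instructions(dockerfile)
            if parse_ref(ref)[2] is None]


def pin_by_digest(dockerfile: str, resolve: Resolver) -> str:
    """Rewrite `FROM name:tag` to `FROM name:tag@sha256:...`.
    The tag stays for readability; the digest is what the builder honours."""
    lines = dockerfile.splitlines()
    for n, line, ref in from_instructions(dockerfile):
        name, tag, digest = parse_ref(ref)
        if digest:
            continue
        tag = tag or "latest"
        d = resolve(name, tag)
        if d is None or not DIGEST_RE.match(d):
            raise ValueError(f"line {n}: cannot resolve {ref} to a digest")
        lines[n - 1] = line.replace(ref, f"{name}:{tag}@{d}", 1)
    return "\n".join(lines) + "\n"


def tag_drift(dockerfile: str, resolve: Resolver) -> List[Tuple[str, str, str]]:
    """For pinned FROM lines, report (ref, pinned, current) where the tag now
    resolves to a different digest, i.e. the tag was moved in the registry.
    The build itself is unaffected (the digest wins); this is the review signal."""
    drift = []
    for _, _, ref in from_instructions(dockerfile):
        name, tag, digest = parse_ref(ref)
        if digest is None or tag is None:
            continue
        now = resolve(name, tag)
        if now is not None and now != digest:
            drift.append((f"{name}:{tag}", digest, now))
    return drift


# Constructed fixtures: digests are made up, the registry dicts simulate a lookup.
GOLANG_V1 = "sha256:" + "11" * 32
GOLANG_V2 = "sha256:" + "22" * 32      # what the same tag points at after a re-push
DISTROLESS = "sha256:" + "ab" * 32

DOCKERFILE = f"""\
FROM golang:1.25.1-bookworm AS build
WORKDIR /src
COPY . .
RUN CGO_ENABLED=0 go build -o /out/app ./cmd/app

FROM gcr.io/distroless/static-debian12:nonroot@{DISTROLESS}
COPY --from=build /out/app /app
ENTRYPOINT ["/app"]
"""

REGISTRY_BEFORE = {("golang", "1.25.1-bookworm"): GOLANG_V1,
                   ("gcr.io/distroless/static-debian12", "nonroot"): DISTROLESS}
REGISTRY_AFTER = {**REGISTRY_BEFORE, ("golang", "1.25.1-bookworm"): GOLANG_V2}


def resolve_before(name: str, tag: str) -> Optional[str]:
    return REGISTRY_BEFORE.get((name, tag))


def resolve_after(name: str, tag: str) -> Optional[str]:
    return REGISTRY_AFTER.get((name, tag))


if __name__ == "__main__":
    print("unpinned:", unpinned(DOCKERFILE))
    pinned = pin_by_digest(DOCKERFILE, resolve_before)
    print(pinned)
    print("drift after tag move:", tag_drift(pinned, resolve_after))
```

Run it and the first stage is flagged, rewritten to `golang:1.25.1-bookworm@sha256:1111...`, and after the simulated re-push `tag_drift` reports the tag now pointing elsewhere while the pinned build keeps using the old digest. In a real pipeline `resolve` would call the registry and the drift report feeds a review rather than an automatic bump.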
At what point do we just classify the entirety of npm as a vulnerability, and just be done with it? JS needs a better standard library, and packages that can't randomly RCE your build pipeline if they feel like it
September 17, 2025 at 6:13 PM
If you sell products that purport to shift left, but don't support IaC or other code-based config, the product is not doing that. UIs and click-ops invite reactive, right-end operations, and it's often a sign of other legacy thinking / approaches in your tools
July 1, 2025 at 10:17 AM
Pushing ads on a service, then making a subscription to not have ads, is not a feature. It's not a product. And if it's the best you can think of, your company produces nothing
June 24, 2025 at 12:09 PM
LinkedIn's algorithm for what to create notifications for needs to be studied. I don't think I've seen an algo less able to find relevant information
June 16, 2025 at 1:36 PM
Bad features cause security risks, like bad road layouts lead to accidents. Case in point, GitHub notifications. Filtering out the noise is so hard that I find myself drawn to separate apps to handle them. I don't because of the risk, but the avalanche ushers me in their direction
June 12, 2025 at 10:57 AM
A long time ago, I saw a thing about programmers on dating apps who make themselves out to be much more important than they are.
"Calm down, Brad. You're making computers go beep boop correctly" is still one of my favorite takedowns of anyone online
June 12, 2025 at 5:34 AM
I thought to myself "the clock is just Thursday". In other words, my friend's 5 day bachelor party is going well
May 1, 2025 at 7:50 PM
Note to anyone creating a scripting or rule or whatever language. Do not design your language so that comparison happens with =. Always assign with = and compare with ==. Otherwise all code produced in your language will be bad. And if = does both, you do not deserve good things in your life
April 28, 2025 at 3:26 PM
It is 2025. Stop sending "hi" on Slack. Just say the thing you want or need right away
April 10, 2025 at 8:23 AM
I think "don't meet your heroes" also applies to looking at your heroes' Twitter accounts
April 8, 2025 at 1:28 PM
If it computes, someone has already installed Doom on one
April 8, 2025 at 1:12 PM
Contender for best feeling ever 🧹🧹🧹
April 8, 2025 at 12:59 PM
Does anyone know how Renovate or Dependabot handles a git release tag being moved to a new commit for GitHub Actions when you've pinned your workflow to commits? Do they create new update PRs to reflect the new commit? Or do they stay on the existing pinned commit?
April 2, 2025 at 6:16 AM
Reposted by Audun Mo
The compromise of GitHub Action tj-actions/changed-files has impacted only a small percentage of the 23,000 projects using it, with it estimated that only 218 repositories exposed secrets due to the supply chain attack.
GitHub Action supply chain attack exposed secrets in 218 repos
www.bleepingcomputer.com
March 20, 2025 at 2:35 PM
🧵 Ref tj-actions attack. I wonder, would it be possible to retrofit a lockfile system on top of GitHub Actions?
March 20, 2025 at 11:43 AM
Is there any way to generate an SBOM that describes GitHub Actions and their transitive dependencies? Ref tj-actions. I feel like this should be a thing
March 20, 2025 at 7:25 AM
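Three of the posts above ask related questions: what Renovate or Dependabot do when a release tag is moved under a SHA-pinned workflow, whether a lockfile could be retrofitted onto GitHub Actions, and whether an SBOM of the actions a workflow uses can be generated. The following is an added example, not code from the author, from GitHub, or from Renovate/Dependabot, and it does not answer what those bots actually do; it shows one way the lockfile idea could work. It scans `uses:` lines with a regex (no YAML library, so unusual layouts are out of scope), records `action@tag` to commit SHA in a lockfile, rewrites the workflow to SHA pins with the tag kept as a comment, reports tags that have since been moved, and emits a minimal CycloneDX-shaped inventory of the direct action references (no recursion into what an action itself pulls in, and no claim of full schema conformance). The workflow, the lockfile and every SHA are constructed; `resolve` is an assumed stand-in for `git ls-remote https://github.com/<owner>/<repo> refs/tags/<tag>`.

```python
"""Retrofit a lockfile onto GitHub Actions `uses:` references.

Added example, not Renovate's or Dependabot's code. All SHAs are constructed;
`resolve` stands in for resolving a tag against the remote repository.
"""
import json
import re
from typing import Callable, Dict, List, Optional

USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>.*))?\s*$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
Resolver = Callable[[str, str], Optional[str]]  # (owner/repo, tag) -> SHA or None


def _repo(action: str) -> str:
    """owner/repo for an action, dropping any sub-path (owner/repo/dir)."""
    return "/".join(action.split("/")[:2])


def scan(workflow: str) -> List[Dict]:
    """Third-party `uses:` references. Local actions (./path) carry no @ref
    and docker:// images do not match USES_RE, so both are left alone."""
    found = []
    for n, line in enumerate(workflow.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            found.append({"line": n, "action": m.group("action"),
                          "ref": m.group("ref"), "comment": m.group("comment")})
    return found


def lock(workflow: str, resolve: Resolver) -> Dict[str, str]:
    """The lockfile: 'action@ref' -> 40-hex commit SHA at lock time."""
    lockfile = {}
    for u in scan(workflow):
        key = f"{u['action']}@{u['ref']}"
        if SHA_RE.match(u["ref"]):
            lockfile[key] = u["ref"]            # already immutable
            continue
        sha = resolve(_repo(u["action"]), u["ref"])
        if sha is None or not SHA_RE.match(sha):
            raise ValueError(f"line {u['line']}: cannot resolve {key}")
        lockfile[key] = sha
    return lockfile


def pin(workflow: str, lockfile: Dict[str, str]) -> str:
    """Rewrite mutable refs to the locked SHA, keeping the tag as a comment
    (`uses: a/b@<sha> # v4`, the convention the update bots maintain)."""
    lines = workflow.splitlines()
    for u in scan(workflow):
        if SHA_RE.match(u["ref"]):
            continue
        old = f"{u['action']}@{u['ref']}"
        new = f"{u['action']}@{lockfile[old]} # {u['ref']}"
        lines[u["line"] - 1] = lines[u["line"] - 1].replace(old, new, 1)
    return "\n".join(lines) + "\n"


def moved_tags(lockfile: Dict[str, str], resolve: Resolver) -> List[Dict[str, str]]:
    """Locked tags whose current commit differs from the locked SHA. A
    SHA-pinned workflow keeps running the locked code regardless; this is the
    signal for a human to look before accepting any bump to the new commit."""
    moved = []
    for key, sha in lockfile.items():
        action, ref = key.rsplit("@", 1)
        if SHA_RE.match(ref):
            continue
        now = resolve(_repo(action), ref)
        if now is not None and now != sha:
            moved.append({"action": action, "tag": ref, "locked": sha, "current": now})
    return moved


def sbom(workflow: str, lockfile: Dict[str, str]) -> Dict:
    """Minimal CycloneDX-shaped inventory of direct action references, keyed
    by a GitHub purl at the exact commit. Transitive contents are not recursed."""
    components = []
    for u in scan(workflow):
        sha = lockfile.get(f"{u['action']}@{u['ref']}", u["ref"])
        version = u["comment"] if SHA_RE.match(u["ref"]) and u["comment"] else u["ref"]
        components.append({"type": "library", "name": u["action"], "version": version,
                           "purl": f"pkg:github/{_repo(u['action'])}@{sha}"})
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": components}


# Constructed fixtures: made-up SHAs, and a tag that moves after locking.
CHECKOUT_V4 = "11" * 20
SETUP_GO_V5 = "22" * 20
CHANGED_FILES_V45 = "33" * 20
CHANGED_FILES_MOVED = "44" * 20

WORKFLOW = f"""\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@{SETUP_GO_V5} # v5
      - uses: tj-actions/changed-files@v45
      - uses: ./.github/actions/local-lint
"""

TAGS_AT_LOCK = {("actions/checkout", "v4"): CHECKOUT_V4,
                ("tj-actions/changed-files", "v45"): CHANGED_FILES_V45}
TAGS_NOW = {**TAGS_AT_LOCK, ("tj-actions/changed-files", "v45"): CHANGED_FILES_MOVED}


def resolve_at_lock(repo: str, ref: str) -> Optional[str]:
    return TAGS_AT_LOCK.get((repo, ref))


def resolve_now(repo: str, ref: str) -> Optional[str]:
    return TAGS_NOW.get((repo, ref))


if __name__ == "__main__":
    lf = lock(WORKFLOW, resolve_at_lock)
    print(pin(WORKFLOW, lf))
    print("moved:", moved_tags(lf, resolve_now))
    print(json.dumps(sbom(WORKFLOW, lf), indent=2))
```

The design choice worth noting is that `moved_tags` only reports; it never rewrites the pin. A moved tag is exactly the situation where the right answer is "stay on the existing pinned commit until someone reads the diff", so the lockfile's job is to make the move visible, not to follow it.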
The cookie banners on websites should be re-implemented as native buttons in the UI of my browser, with the option of auto-rejecting all non-essential cookies forever. There shouldn't be a million different modals with different language and layout
March 20, 2025 at 7:23 AM
I'm not in the Java ecosystem. Has the {x}4j branding suffered at all? Because whenever I hear, for example, Neo4j, I immediately think of Log4j and Log4Shell
March 6, 2025 at 8:05 AM
If you're trying to pitch to devs, drop the fucking buzzwords. At the very least know what the words actually mean. I see so many people who are new to the field who slap so much bullshit lingo onto their HN/Reddit post, and it just all falls apart under a tiny bit of scrutiny. All credibility gone
March 1, 2025 at 9:49 PM