intel: appsec community updates 2026-03-29 #7

Open
kamalsrini wants to merge 1 commit into main from intel/appsec-community-2026-03-29

@kamalsrini

Contributor

Automated Skill Updates — appsec domain

Source: communityfeedbackplan.md (2026-03-28)
Research: ArXiv API rate-limited — no research findings this week.

dependency-scanning v1.0.2

  • Shift-left / pre-install scanning section added (Community Improvement 2, HIGH)
    • Pre-install checks before npm install / pip install (not just post-install CI)
    • IDE-level enforcement as earliest detection point
    • GlassWorm campaign documented as install-time attack pattern
    • Layered detection model: IDE → pre-install → CI → deploy
  • Vendored native library false negatives (ArXiv 2603.18693): scanner blind spots for bundled C/C++ deps in wheels and Go static builds
  • MCP Server Package Scanning (from prior run, included here): fork confusion vs typosquatting distinction, iflow-mcp campaign, SLSA alignment for MCP packages

secure-code-review v1.0.1

  • LLM confirmation bias warning added (Expert Correction 1, HIGH)
    • Mitropoulos et al., ArXiv 2603.18740 — empirical study
    • Warning: do not use LLM-only review as a supply-chain gate
    • LLM confirmation bias is exploitable in adversarial CI/CD scenarios
  • Kysely type-safe ORM raw escape SQLi (CVE-2026-32763, CVSS 8.2)

api-security v1.0.1

owasp-top-10-web v1.0.2

Community Signal

  • 1 human approver: dilbert5115 (shift-left scanning question in #appsec)
  • ArXiv peer-reviewed evidence: LLM bias correction (2603.18740)
  • CVE-backed: api-security (CVE-2026-22733), owasp-top-10-web (CVE-2026-32763)

No dissent observed on any of these changes.

Note on file sizes

  • secure-code-review (569 lines) and owasp-top-10-web (716 lines) exceed the 500-line guideline. Reference content should be migrated to reference.md files in a follow-up PR.

Do not merge without human review. See CONTRIBUTING.md.

dependency-scanning v1.0.2: shift-left/pre-install scanning, GlassWorm pattern,
  vendored native lib false negatives (ArXiv 2603.18693), MCP server packages
secure-code-review v1.0.1: LLM confirmation bias warning (ArXiv 2603.18740),
  Kysely/type-safe ORM raw escape SQLi note (CVE-2026-32763)
api-security v1.0.1: Spring Boot Actuator endpoint exposure (CVE-2026-22733, CVSS 8.2)
owasp-top-10-web v1.0.2: type-safe ORM injection vectors (CVE-2026-32763, CVSS 8.2)

Sources: communityfeedbackplan.md 2026-03-28
Community signal: dilbert5115 (shift-left), ArXiv peer review (LLM bias), CVE-backed