
Ship It Weekly - DevOps, SRE, Platform and Cloud Engineering News

Teller's Tech - DevOps, SRE and Cloud Podcast

CISA’s GitHub Leak, AI Root Cause Analysis, Copilot Agents, Claude Code in CI/CD, and Kubernetes Seccomp Risk

MAY 22, 2026 | 22 MIN

Description

<p>This episode of <strong>Ship It Weekly</strong> is about secrets, agents, risky defaults, and follow-up work that never gets done. Brian covers the CISA contractor GitHub leak involving AWS keys, internal docs, Terraform, Kubernetes, Argo CD, and CI/CD context, plus AWS DevOps Agent doing automated RCA across Datadog, Elasticsearch, CloudTrail, and EKS.</p><p>Brian also covers MS Copilot Studio computer-using agents, Claude Code in Bitbucket Agentic Pipelines, CVE-2026-46333 and Kubernetes seccomp defaults, GitHub OIDC for Dependabot, Java pods getting OOMKilled, LLM-generated SQL that can be wrong but still run, and why postmortem action items die without ownership.</p><p></p><p><strong>Sponsored by Guardsquare </strong><a target="_blank" rel="noopener noreferrer nofollow" href="https://hubs.ly/Q04fJgkJ0"><strong>https://hubs.ly/Q04fJgkJ0</strong></a></p><p></p><p><strong>Links</strong></p><p>CISA GitHub leak <a target="_blank" rel="noopener noreferrer nofollow" href="https://blog.gitguardian.com/how-we-got-a-cisa-github-leak-taken-down-in-26-hours/">https://blog.gitguardian.com/how-we-got-a-cisa-github-leak-taken-down-in-26-hours/</a></p><p>AWS DevOps Agent RCA <a target="_blank" rel="noopener noreferrer nofollow" href="https://aws.amazon.com/blogs/devops/automate-root-cause-analysis-across-datadog-and-elasticsearch-with-aws-devops-agent/">https://aws.amazon.com/blogs/devops/automate-root-cause-analysis-across-datadog-and-elasticsearch-with-aws-devops-agent/</a></p><p>Microsoft Copilot Studio computer-using agents <a target="_blank" rel="noopener noreferrer nofollow" href="https://techcommunity.microsoft.com/blog/copilot-studio-blog/computer-using-agents-in-microsoft-copilot-studio-are-now-generally-available/4519427">https://techcommunity.microsoft.com/blog/copilot-studio-blog/computer-using-agents-in-microsoft-copilot-studio-are-now-generally-available/4519427</a></p><p>Atlassian Agentic Pipelines with Claude Code <a target="_blank" rel="noopener noreferrer 
nofollow" href="https://support.atlassian.com/bitbucket-cloud/docs/agentic-pipelines/">https://support.atlassian.com/bitbucket-cloud/docs/agentic-pipelines/</a></p><p>CVE-2026-46333 <a target="_blank" rel="noopener noreferrer nofollow" href="https://nvd.nist.gov/vuln/detail/CVE-2026-46333">https://nvd.nist.gov/vuln/detail/CVE-2026-46333</a></p><p>Kubernetes seccomp <a target="_blank" rel="noopener noreferrer nofollow" href="https://kubernetes.io/docs/reference/node/seccomp/">https://kubernetes.io/docs/reference/node/seccomp/</a></p><p>GitHub OIDC for Dependabot and code scanning <a target="_blank" rel="noopener noreferrer nofollow" href="https://github.blog/changelog/2026-05-19-expanded-oidc-support-for-dependabot-and-code-scanning/">https://github.blog/changelog/2026-05-19-expanded-oidc-support-for-dependabot-and-code-scanning/</a></p><p>Java pods OOMKilled in Kubernetes <a target="_blank" rel="noopener noreferrer nofollow" href="https://dzone.com/articles/java-pod-oomkill-kubernetes">https://dzone.com/articles/java-pod-oomkill-kubernetes</a></p><p>LLM-generated SQL risks <a target="_blank" rel="noopener noreferrer nofollow" href="https://readyset.io/blog/why-llms-write-incorrect-sql-and-what-that-means-for-your-database">https://readyset.io/blog/why-llms-write-incorrect-sql-and-what-that-means-for-your-database</a></p><p>Postmortem action items <a target="_blank" rel="noopener noreferrer nofollow" href="https://incident.io/blog/why-do-post-mortem-action-items-fail-how-to-make-incident-follow-ups-actually-get-done">https://incident.io/blog/why-do-post-mortem-action-items-fail-how-to-make-incident-follow-ups-actually-get-done</a></p><p>On Call Brief <a target="_blank" rel="noopener noreferrer nofollow" href="https://www.tellerstech.com/on-call-brief/2026-W21/">https://www.tellerstech.com/on-call-brief/2026-W21/</a></p><p>More episodes + show notes <a target="_blank" rel="noopener noreferrer nofollow" href="https://shipitweekly.fm/">https://shipitweekly.fm/</a></p>