Skip to main content

12 posts tagged with "Security"

Security-related changes

View All Tags

atmos git clone Refuses Unsafe Fork Checkouts by Default

· 2 min read
Erik Osterman
Founder @ Cloud Posse

atmos git clone is Atmos's native replacement for actions/checkout. Mirroring the actions/checkout v7 hardening, it now refuses by default to clone untrusted fork content under the elevated pull_request_target and workflow_run events — the classic "pwn request" where fork code would run with your repository's secrets. A grep-able opt-in is available for the rare case you genuinely need it.

AWS Security Findings Now Export to SARIF and OCSF

· 3 min read
Erik Osterman
Founder @ Cloud Posse

The atmos aws security analyze command is the native Atmos command for turning AWS security findings into infrastructure-aware remediation guidance. It reads findings from AWS Security Hub and Amazon Inspector, including Security Hub product findings from services such as AWS Config, GuardDuty, Macie, and IAM Access Analyzer, then uses Atmos component tags and mapping heuristics to connect affected resources back to the stacks and components that manage them.

Those mappings make findings more actionable: instead of stopping at an AWS resource ARN, Atmos can show the owning stack, component path, severity, source service, and remediation context. With new SARIF 2.1.0 and OCSF 1.4.0 output, those findings can now flow into code scanning, SIEM, governance, risk, and compliance workflows without a translation layer.

Introducing atmos auth shell: Isolated Shell Sessions for Secure Multi-Identity Workflows

· 7 min read
Andriy Knysh
Principal Architect @ Cloud Posse

We're excited to introduce atmos auth shell, a new command that makes working with multiple cloud identities more secure.

This command launches isolated shell sessions scoped to specific cloud identities. Think of it like aws-vault exec, but for all your cloud identities managed by Atmos—AWS, Azure, GCP, GitHub, SAML, and more.

When you exit the shell, you return to your parent shell where those credentials were never present. It's a simple pattern that helps prevent credential leakage and reduces the risk of running commands against the wrong environment.