Episode 4, Thu, May 28, 2026

Ep 4 - GitLab AI Workflow Patching, Docker Runtime Mitigations, and Agent Security Guardrails

Seven-day DevSecOps briefing across GitLab, Harness, GKE, AKS, Docker, Kubernetes operations, Gitea registry risk, and agent security tooling

Tags: GitLab, Harness, Kubernetes, Docker, GKE, Supply Chain, AI
On this episode
  1. Highlights & Key Takeaways
  2. 🧰 Tool-by-Tool Briefing
  3. 📰 Industry News
  4. ⚙️ Fun Tools and Reads

Highlights & Key Takeaways

🧰 Tool-by-Tool Briefing

Quick Update: This refresh focuses on May 21 through May 28, 2026. The highest-signal items are GitLab's May 27 security patch, Harness security and GitOps release-note updates, GKE channel movement into newer 1.36 builds, AKS 1.36 preview planning, Docker's Copy Fail runtime mitigation, Gitea private registry exposure, and a fast-moving set of agent security controls around Codex, Claude Code, and Docker Sandboxes.

GitLab

  • Release / Platform: GitLab published 19.0.1 / 18.11.4 / 18.10.7 on May 27, 2026 with important bug and security fixes for self-managed GitLab. GitLab says GitLab.com is already patched, while self-managed teams should upgrade immediately. (GitLab patch)
  • Security / Compliance: CVE-2026-4868 is High severity, CVSS 8.2, and affects GitLab EE 18.8 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1. Mitigation is to upgrade to 19.0.1, 18.11.4, or 18.10.7 and review Duo AI workflow runner permissions after patching. (GitLab patch)
  • AI / Automation: The vulnerability involves Duo AI workflow runners and improper user identity resolution under certain conditions. This is exactly why agent identity, audit trails, and "who did the workflow run as?" checks need to be part of AI rollout plans. (GitLab patch)
  • Developer Experience: GitLab says these versions do not include new migrations and should not require downtime for multi-node deployments. Omnibus updates can still stop, reconfigure, and restart services unless your update process is tuned for that behavior. (GitLab patch)
  • Action Items: Put the patch in the next maintenance window, validate runners and Duo workflows afterward, and make sure agentic workflow permissions are reviewed like service-account permissions.

Harness

  • Release / Platform: Harness release summaries updated through May 26-27, 2026 include Platform Alerts, service-account token event alerts, Delegate Google Cloud OIDC support for JDBC connectors, and CD/GitOps updates for AWS GovCloud OIDC, Azure Container Apps, WinRM session pooling, and GitOps agent fixes. (Harness release notes, Harness CD/GitOps release notes)
  • Security / Compliance: Harness CI release notes from May 21, 2026 added network egress allowlisting for Harness Cloud build VMs, restored SSH algorithm support for FIPS-compliant Git Clone steps, and replaced end-of-life components in build-and-push plugins and Git runner images. That is practical compliance work for regulated CI pipelines. (Harness release notes)
  • AI / Automation: Harness Supply Chain Security release notes added intelligent remediation for open-source risk, custom cdxgen flags for SBOM generation, keyless signing and verification across major cloud providers, and provenance for non-container artifacts such as Java packages, Helm charts, and native binaries. This is directly relevant to AI-assisted dependency churn and artifact trust. (Harness release notes)
  • Developer Experience: GitOps Service 1.57.0 and GitOps Agent 0.117.0 include fixes for duplicate ArgoCD project mappings, broken repository relinking after app recreation, empty repository URLs in multi-source GitOps apps, and truncated manifest display. These are small but real fixes for operators living in GitOps screens every day. (Harness CD/GitOps release notes)
  • Action Items: Review Harness CI egress allowlists, validate FIPS runner behavior, test AWS GovCloud OIDC routing, and pilot SBOM/provenance/keyless signing on one non-production artifact flow before broad rollout.

GKE

  • Release / Platform: GKE posted 2026-R20 version updates on May 21, 2026. Rapid channel now includes 1.36.0-gke.2253000, and Regular channel added 1.35.3-gke.1389002 for new clusters and manual control-plane or node upgrades. (GKE release notes)
  • Security / Compliance: None this week from the release note. The compliance angle is release-channel evidence: record cluster channel, control-plane version, node version, and image version before and after each upgrade.
  • AI / Automation: None this week. The automation opportunity is policy-driven upgrade readiness: flag clusters moving into Rapid or Regular 1.36 paths before add-ons, admission policies, and workloads are validated.
  • Developer Experience: Rollouts can take multiple days across Google Cloud zones, so engineers may see version availability differ by region. Do not promise a uniform upgrade date until the target version is actually visible in the cluster's zone or region. (GKE release notes)
  • Action Items: Check clusters enrolled in Rapid and Regular, confirm whether 1.36.0-gke.2253000 changes any test plans, and publish the expected upgrade window by environment.

AKS

  • Release / Platform: Microsoft documents Kubernetes 1.36 as AKS preview in May 2026, GA in June 2026, and supported through June 2027, with LTS through June 2028. That makes this the right week to start upgrade-readiness checks, not the week to blindly move production. (AKS supported versions)
  • Security / Compliance: AKS reminds operators to use the latest patch release for their supported minor version and to track patch availability through the AKS release status page. Regulated teams should capture this as evidence that patch currency is a managed control, not a best-effort habit. (AKS supported versions)
  • AI / Automation: None this week. Upgrade bots should check Kubernetes version, OS SKU, Windows node pool compatibility, and add-on versions before opening change requests.
  • Developer Experience: AKS uses gradual region deployment, so a new release can take up to 10 business days to become available everywhere. That matters for multi-region teams trying to keep cluster versions aligned. (AKS supported versions)
  • Action Items: Inventory clusters by minor version, identify which environments can test 1.36 preview, and add OS and add-on compatibility checks to upgrade automation.
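The GKE and AKS action items above both come down to the same two operator habits: flag which clusters are already on the 1.36 minor, and write down the control-plane and node versions before and after every upgrade. The script below is an added example, not code from the episode, GKE, or AKS. It classifies a version change (same, patch-bump, minor-bump, downgrade), flags clusters on a target minor, and, when `kubectl` is on the path, records an evidence line from the current context; the cluster names and versions in the sample inventory are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the episode, GKE, or AKS: classify a control-plane
# version change and record the before/after upgrade evidence the briefing asks for.
# Cluster names and versions in the sample inventory are constructed placeholders.

# k8s_minor VERSION -> "major.minor", tolerating "v" prefixes and provider
# suffixes such as "-gke.2253000" or "+build".
k8s_minor() {
  v="${1#v}"; v="${v%%-*}"; v="${v%%+*}"
  printf '%s\n' "$v" | cut -d. -f1,2
}

# k8s_patch VERSION -> patch number (third component), 0 when absent.
k8s_patch() {
  v="${1#v}"; v="${v%%-*}"; v="${v%%+*}"
  p=$(printf '%s\n' "$v" | cut -d. -f3)
  printf '%s\n' "${p:-0}"
}

# upgrade_class BEFORE AFTER -> same | patch-bump | minor-bump | downgrade
upgrade_class() {
  b_minor=$(k8s_minor "$1"); a_minor=$(k8s_minor "$2")
  if [ "$b_minor" != "$a_minor" ]; then
    b_n=${b_minor#*.}; a_n=${a_minor#*.}       # numeric minor, e.g. 35 vs 36
    if [ "$a_n" -gt "$b_n" ]; then echo minor-bump; else echo downgrade; fi
    return 0
  fi
  b_p=$(k8s_patch "$1"); a_p=$(k8s_patch "$2")
  if [ "$a_p" -gt "$b_p" ]; then echo patch-bump
  elif [ "$a_p" -eq "$b_p" ]; then echo same
  else echo downgrade
  fi
}

# on_target_minor VERSION TARGET_MINOR -> yes | no
# "yes" means the cluster is already on the minor you are planning readiness for.
on_target_minor() {
  if [ "$(k8s_minor "$1")" = "$2" ]; then echo yes; else echo no; fi
}

# capture_evidence LABEL -> one evidence line from the current kubectl context:
# label, UTC timestamp, control-plane version, per-node kubelet versions.
# Falls back to explicit "unavailable" markers instead of silently omitting fields.
capture_evidence() {
  cp=unavailable; nodes=unavailable
  if command -v kubectl >/dev/null 2>&1; then
    cp=$(kubectl get --raw /version 2>/dev/null \
         | sed -n 's/.*"gitVersion": *"\([^"]*\)".*/\1/p' || true)
    nodes=$(kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}={.status.nodeInfo.kubeletVersion}{" "}{end}' 2>/dev/null || true)
  fi
  printf '%s ts=%s control_plane=%s nodes=%s\n' \
    "$1" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "${cp:-unavailable}" "${nodes:-unavailable}"
}

# Constructed sample inventory (name channel version); not real clusters.
SAMPLE_INVENTORY='prod-eu RAPID 1.36.0-gke.2253000
prod-us REGULAR 1.35.3-gke.1389002
dev-aks stable v1.36.0'

printf '%-8s %-8s %-22s %s\n' CLUSTER CHANNEL VERSION REVIEW_FOR_1.36
printf '%s\n' "$SAMPLE_INVENTORY" | while read -r name channel version; do
  printf '%-8s %-8s %-22s %s\n' "$name" "$channel" "$version" "$(on_target_minor "$version" 1.36)"
done

# Typical use around a change: capture_evidence before > evidence.log; upgrade;
# capture_evidence after >> evidence.log; then upgrade_class on the two versions.
capture_evidence before
```

The evidence line is deliberately flat key=value text so it can be appended to a change ticket or a log pipeline without further tooling; the "unavailable" markers make a missing kubectl context visible in the record rather than leaving an empty field that looks like a successful capture.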

Docker

  • Release / Platform: Docker published guidance on May 27, 2026 for mitigating CVE-2026-31431, also known as Copy Fail, in Docker Engine. Docker Engine v29.4.3 or later adds updated seccomp, AppArmor, and SELinux defaults to reduce container exposure on unpatched Linux kernels. (Docker Copy Fail)
  • Security / Compliance: CVE-2026-31431 is High severity, CVSS 7.8, affecting the Linux kernel's algif_aead path. Mitigation is to patch the host kernel; if that is not available, Docker recommends upgrading Docker Engine to v29.4.3 or later and using module or seccomp mitigations where appropriate. (NVD CVE-2026-31431, Docker Copy Fail)
  • AI / Automation: Docker's broader May agent security work is relevant here: AI coding agents and untrusted workloads raise the value of isolated execution, network policy, and hardened runtime defaults. (Docker autonomous workloads)
  • Developer Experience: Docker notes that the first seccomp-only mitigation in v29.4.2 broke some 32-bit networking paths, and v29.4.3 moved enforcement into AppArmor and SELinux for better compatibility. Teams should test local development images, CI jobs, and legacy build containers before fleet rollout. (Docker Copy Fail)
  • Action Items: Patch kernels, upgrade Docker Engine to v29.4.3+, confirm AppArmor or SELinux is actually enforcing on Linux hosts, and prioritize CI runners where untrusted code executes.

Kubernetes Runtime Operations

  • Release / Platform: Kubernetes 1.36 remains the active upstream release line, and managed providers are starting to surface it in preview or rapid channels. The useful operational thread this week is not a new API; it is runtime hardening, upgrade evidence, and workload isolation. (Kubernetes 1.36, GKE release notes, AKS supported versions)
  • Security / Compliance: Copy Fail shows why Kubernetes node security cannot stop at pod YAML. Kernel patching, runtime defaults, seccomp, AppArmor, SELinux, and node image rotation all belong in the same compliance story. (NVD CVE-2026-31431, Docker Copy Fail)
  • AI / Automation: If agents can run builds, tests, or cluster diagnostics, treat them as untrusted autonomous workloads until proven otherwise. They need constrained credentials, network boundaries, and disposable execution environments. (Docker autonomous workloads)
  • Developer Experience: Developers will feel runtime hardening through failed syscalls, blocked network paths, and stricter sandbox defaults. That is manageable if platform teams publish the policy change and a debug path before enforcement.
  • Action Items: Verify node kernel patch status, standardize RuntimeDefault seccomp, document LSM coverage by distro, and add CI runner nodes to the same patch-priority queue as production workers.
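The Docker and Kubernetes runtime action items above share one host-level question: is this node's kernel patched, is Docker Engine at or past v29.4.3, and is there actually an enforcing LSM for the v29.4.3 AppArmor/SELinux defaults to use? The script below is an added example, not Docker's or the episode's code. It uses only the version thresholds the briefing quotes (v29.4.2 seccomp-only, v29.4.3 LSM-based); whether the kernel build itself carries the CVE-2026-31431 fix is a distro-advisory question the script records but does not decide.

```shell
#!/bin/sh
# Added example, not Docker's or the episode's code: a Linux host readiness check
# for the Copy Fail (CVE-2026-31431) mitigations listed in the briefing. It reports
# the running kernel, classifies the Docker Engine version against the v29.4.3
# threshold the briefing quotes, and checks whether AppArmor is enabled or SELinux
# is enforcing. Whether the kernel itself is patched is a distro question this
# script only records, not decides.

MITIGATED_ENGINE=29.4.3    # threshold from the briefing (Docker Copy Fail guidance)
SECCOMP_ONLY_ENGINE=29.4.2 # briefing: seccomp-only mitigation, 32-bit networking regressions

# version_ge A B -> exit 0 when dotted version A >= B (first three numeric parts;
# "v" prefixes and "-ce"/"+build" suffixes are ignored)
version_ge() {
  a="${1#v}"; a="${a%%-*}"; a="${a%%+*}"
  b="${2#v}"; b="${b%%-*}"; b="${b%%+*}"
  r=$(awk -v a="$a" -v b="$b" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
          if (x[i] + 0 > y[i] + 0) { print 1; exit }
          if (x[i] + 0 < y[i] + 0) { print 0; exit }
        }
        print 1 }')
  [ "$r" = 1 ]
}

# engine_status VERSION -> mitigated | seccomp-only | unmitigated
engine_status() {
  if version_ge "$1" "$MITIGATED_ENGINE"; then echo mitigated
  elif version_ge "$1" "$SECCOMP_ONLY_ENGINE"; then echo seccomp-only
  else echo unmitigated
  fi
}

# lsm_status -> "apparmor=<enabled|absent> selinux=<enforcing|permissive|disabled|absent>"
# AppArmor "enabled" means the LSM is loaded; Docker applies its own profile per
# container, so this is a necessary, not sufficient, host-level check.
lsm_status() {
  aa=absent; se=absent
  if [ -r /sys/module/apparmor/parameters/enabled ] \
     && [ "$(cat /sys/module/apparmor/parameters/enabled)" = "Y" ]; then aa=enabled; fi
  if command -v getenforce >/dev/null 2>&1; then
    se=$(getenforce 2>/dev/null | tr 'A-Z' 'a-z' || true)
  fi
  printf 'apparmor=%s selinux=%s\n' "$aa" "${se:-absent}"
}

# has_enforcing_lsm LSM_SUMMARY -> exit 0 when AppArmor is enabled or SELinux is enforcing
has_enforcing_lsm() {
  case "$1" in
    *apparmor=enabled*|*selinux=enforcing*) return 0 ;;
    *) return 1 ;;
  esac
}

# host_report -> human-readable lines; run it on CI runner nodes first, which is
# the briefing's priority order
host_report() {
  kernel=$(uname -r 2>/dev/null || echo unknown)
  engine=$(docker version --format '{{.Server.Version}}' 2>/dev/null || echo unknown)
  case "$engine" in [0-9]*) ;; *) engine=unknown ;; esac   # daemon down or CLI missing
  lsm=$(lsm_status)
  printf 'kernel=%s  (confirm against your distro advisory for CVE-2026-31431)\n' "$kernel"
  if [ "$engine" = unknown ]; then
    printf 'docker_engine=unknown  (daemon not reachable or docker CLI missing)\n'
  else
    printf 'docker_engine=%s status=%s (need >= %s)\n' "$engine" "$(engine_status "$engine")" "$MITIGATED_ENGINE"
  fi
  if has_enforcing_lsm "$lsm"; then
    printf 'lsm: %s  -> engine LSM mitigations can apply\n' "$lsm"
  else
    printf 'lsm: %s  -> no enforcing LSM; rely on kernel patch/seccomp\n' "$lsm"
  fi
}

host_report
```

A "seccomp-only" result is the case the briefing calls out: v29.4.2 reached the mitigation through seccomp alone and regressed some 32-bit networking paths, so an engine pinned there should move to v29.4.3 rather than stay as a "good enough" state. The LSM line is the part most fleets get wrong: a host can have the AppArmor package installed with the LSM never enabled at boot, in which case the v29.4.3 AppArmor defaults protect nothing.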

Gitea / Self-Hosted Git Registries

  • Release / Platform: Gitea 1.26.2 was published on May 20, 2026, and security reporting this week tied it to CVE-2026-27771, a container registry access-control flaw affecting versions before 1.26.2. (Gitea releases, Gitea CVE report)
  • Security / Compliance: CVE-2026-27771 is reported as High severity, CVSS 8.2, allowing unauthenticated remote users to pull container images marked private from affected self-hosted Gitea instances. Mitigation is to upgrade to Gitea 1.26.2 or later, rotate any secrets that may have been embedded in images, and audit registry access logs. (Gitea CVE report, The Hacker News)
  • AI / Automation: The discovery story is another example of autonomous security testing finding software supply-chain weaknesses. That is useful, but the operational lesson is still basic: private registry controls need external validation, not just UI trust.
  • Developer Experience: Teams using Gitea as a lightweight private registry may need emergency image rebuilds and secret rotation. Expect this to interrupt normal release flow if internal images contained deploy tokens, config files, or environment-specific credentials.
  • Action Items: Identify any self-hosted Gitea or Forgejo registries, upgrade immediately, pull-test private images anonymously from outside the trusted network, rotate exposed secrets, and decide whether registry functions should move behind a dedicated artifact platform.
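The "pull-test private images anonymously from outside the trusted network" step is the one most teams skip because the registry UI already says "private". The script below is an added example, not Gitea's, Forgejo's, or the episode's tooling, and it makes no claim about how CVE-2026-27771 works. It speaks the standard OCI distribution API with no credentials and, if the registry answers with a Bearer challenge, asks the token endpoint for an anonymous token and retries, since a registry that hands an unauthenticated client a pull-scoped token is exactly what this check exists to catch. `REGISTRY_HOST`, `IMAGE_NAME` and `IMAGE_REF` are placeholders you supply.

```shell
#!/bin/sh
# Added example, not Gitea's, Forgejo's, or the episode's code: an anonymous
# manifest probe for a registry image that is supposed to be private. It speaks
# the OCI distribution API (GET /v2/<name>/manifests/<ref>) with no credentials;
# if the registry answers 401 with a Bearer challenge, it asks the token endpoint
# for an anonymous token and retries. Run it from outside the trusted network.
# REGISTRY_HOST / IMAGE_NAME / IMAGE_REF are placeholders you supply.

# classify_probe HTTP_STATUS -> exposed | protected | unreachable | unexpected
classify_probe() {
  case "$1" in
    200)         echo exposed ;;      # anonymous client received the manifest
    401|403|404) echo protected ;;    # denied, or hidden from anonymous users
    ""|000)      echo unreachable ;;  # curl could not connect
    *)           echo unexpected ;;   # 3xx/5xx: investigate before trusting
  esac
}

# auth_param WWW_AUTHENTICATE_HEADER KEY -> value of KEY="..." in a Bearer challenge
auth_param() {
  printf '%s\n' "$1" | sed -n "s/.*[ ,]$2=\"\([^\"]*\)\".*/\1/p"
}

# probe_manifest HOST NAME REF -> "<final http status> <class>"
probe_manifest() {
  url="https://$1/v2/$2/manifests/$3"
  accept='Accept: application/vnd.oci.image.manifest.v1+json, application/vnd.docker.distribution.manifest.v2+json'
  status=$(curl -sS -o /dev/null -w '%{http_code}' -H "$accept" --max-time 15 "$url" 2>/dev/null || true)
  if [ "$status" = 401 ]; then
    www=$(curl -sS -o /dev/null -D - --max-time 15 "$url" 2>/dev/null \
          | grep -i '^www-authenticate:' | tr -d '\r' || true)
    realm=$(auth_param "$www" realm); service=$(auth_param "$www" service); scope=$(auth_param "$www" scope)
    if [ -n "$realm" ]; then
      # Anonymous token request: no credentials at all. A registry that grants a
      # pull-scoped token here will let the retry below succeed.
      token=$(curl -sS --max-time 15 "$realm?service=$service&scope=$scope" 2>/dev/null \
              | sed -n 's/.*"token" *: *"\([^"]*\)".*/\1/p' || true)
      if [ -n "$token" ]; then
        status=$(curl -sS -o /dev/null -w '%{http_code}' -H "$accept" \
                 -H "Authorization: Bearer $token" --max-time 15 "$url" 2>/dev/null || true)
      fi
    fi
  fi
  printf '%s %s\n' "${status:-000}" "$(classify_probe "$status")"
}

if [ -n "${REGISTRY_HOST:-}" ]; then
  probe_manifest "$REGISTRY_HOST" "${IMAGE_NAME:-org/app}" "${IMAGE_REF:-latest}"
else
  echo "live probe skipped: set REGISTRY_HOST, IMAGE_NAME (owner/image), IMAGE_REF (tag)"
fi
```

Read the result together with an authenticated pull of the same reference: "protected" with a 404 is only meaningful if the image name resolves when you are logged in, otherwise you have tested a typo. "exposed" means the registry served the manifest to a client with no identity at all, which for an image marked private is the finding the briefing describes; the follow-up is the same regardless of registry product, which is to upgrade, rotate anything baked into the image, and review the access logs. Schedule the probe from an external runner, not from inside the network where an allowlist might make everything look private.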

OpenAI Codex

  • Release / Platform: OpenAI's May 21, 2026 ChatGPT release notes added Codex Appshots; Goal mode, now generally available across the app, IDE extension, and CLI; browser annotations; and locked computer use for eligible Mac Computer Use users. (ChatGPT release notes)
  • Security / Compliance: OpenAI's Codex safety write-up emphasizes sandboxing, approval policies, managed configs, constrained network access, and agent-native logs. For regulated teams, those controls should be table stakes before Codex touches infrastructure repositories. (Running Codex safely)
  • AI / Automation: Goal mode and locked use make longer-running agent work easier. They also increase the need for clear stop points: agents should not cross from code editing into infrastructure mutation without approval.
  • Developer Experience: Appshots and browser annotations should improve frontend review loops because the agent can reason from visible UI state, not only source files. That is useful, but visual context still needs human review before merge.
  • Action Items: Define which repos allow long-running Codex tasks, require MFA or SSO, keep network access constrained, and make approvals mandatory for destructive commands, cloud changes, and production-adjacent credentials.

Anthropic Claude Code / Claude Security

  • Release / Platform: Anthropic published a Project Glasswing update on May 22, 2026, saying Mythos Preview had scanned more than 1,000 open-source projects and produced high- or critical-rated findings that independent security firms assessed. (Anthropic Glasswing)
  • Security / Compliance: Anthropic's Claude plugin catalog now lists a Security Guidance plugin for Claude Code that warns on patterns such as unsafe exec, eval, GitHub Actions command injection, XSS sinks, Python pickle deserialization, and os.system usage. Treat this as review assistance, not a replacement for SAST and human review. (Claude Security Guidance plugin)
  • AI / Automation: AI-assisted vulnerability discovery is moving from lab demo to operational workflow. The bottleneck shifts to triage, patch review, coordinated disclosure, and proving that generated fixes do not introduce new risk.
  • Developer Experience: Security hooks inside the coding agent can catch issues earlier, while engineers are still editing. That is a better place to intervene than after a quality gate fails at the end of CI.
  • Action Items: Pilot security-assist plugins on non-production repos, compare findings against SonarQube and SCA tools, require human review of generated fixes, and track false positives so teams do not tune the warnings out.

Docker Sandboxes

  • Release / Platform: Docker Sandboxes 0.30.0 shipped on May 19, 2026 with non-interactive Docker Hub login for scripted workflows, auto-stop grace periods, idempotent startup hooks, and several network and state-recovery fixes. (Docker Sandboxes release notes)
  • Security / Compliance: Docker Sandboxes 0.29.0 introduced per-sandbox network policies, including allowed and denied domains. That is the right shape for agent execution because "can access the internet" is too broad for regulated developer workflows. (Docker Sandboxes release notes)
  • AI / Automation: Docker's May 26 write-up frames AI coding agents as untrusted autonomous workloads that need stronger isolation. This maps directly to Codex, Claude Code, Devin, and any local agent that can run shell commands. (Docker autonomous workloads)
  • Developer Experience: Sandboxes add setup and policy friction, but they reduce the blast radius of agent mistakes. The DX win is letting agents work without giving them the developer's full machine by default.
  • Action Items: Test Docker Sandboxes with one coding-agent workflow, define allowed network destinations, keep secrets out of sandbox images, and log all agent filesystem and network access during the pilot.

📰 Industry News

Quick Update: This section pulls from the Episode 4 newsletter folder and current community/security signals. Treat these as podcast prompts and workflow lessons, not vendor release facts unless linked to a primary source above.

  • Ingress migration needs a framework, not a panic: The Episode 4 newsletter folder included a Kubernetes migration framework piece based on Ingress-NGINX lessons. Pair that with the broader move toward Gateway API and RKE2's Traefik direction: teams need inventory, compatibility tests, rollback plans, and app-owner communication before switching ingress controllers.
  • Release orchestration is becoming audit infrastructure: Harness introduced Release Orchestration in May as a way to model releases with phases, activities, approvals, release groups, calendars, and audit trails. For regulated teams, that is the interesting part: release coordination evidence should not live only in spreadsheets and chat threads. (Harness Release Orchestration)
  • Local platform engineering is getting more serious: The newsletter folder also highlighted local platform engineering with vind, Sveltos, and Argo CD. That is useful because teams need realistic GitOps and cluster-change rehearsal without burning shared environments for every test.
  • Private registries deserve external verification: The Gitea registry issue is a clean reminder that "private" in the UI is not proof. For every artifact platform, schedule unauthenticated pull tests, token-boundary checks, and audit-log reviews.
  • Agent security is converging around the same controls: Codex managed configs, Claude Code security hooks, Docker Sandboxes, and Docker AI Governance all point in one direction: constrain filesystem, network, credentials, and approval paths before giving agents real work.
  • Runtime CVEs collapse platform boundaries: Copy Fail is a Linux kernel issue, a Docker issue, a Kubernetes node issue, and a CI runner issue all at once. Platform teams should route these through one runtime-risk process instead of separate tool queues.
  • AI vulnerability discovery will stress patch operations: Anthropic's Glasswing update is less important as a scorecard and more important as a capacity warning. If models find issues faster, teams need better intake, deduplication, ownership, disclosure, and remediation evidence.
  • GKE and AKS 1.36 movement is a planning signal: Managed Kubernetes is beginning to expose 1.36 through rapid or preview paths. Use that to test admission policy, user namespaces, PSI metrics, and runtime settings before production upgrade pressure arrives.
  • Self-hosted Git platform choices affect supply-chain posture: GitLab, Gitea, Forgejo, and registry side features are now part of the same risk discussion. Decide what belongs in a full DevSecOps platform and what belongs in a dedicated artifact manager.

⚙️ Fun Tools and Reads

Incogni: Personal data removal service for addresses, phone numbers, and brokered profile data. Useful privacy hygiene, especially for people with public engineering or security roles. https://www.incogni.com/

Sesame: Personal agents that think while talking, now on iOS. Worth watching as voice agents move from novelty toward real assistant workflows. https://www.sesame.com/

Harvey: AI assistant for legal work, available on Android and via email. Interesting for regulated teams because legal and compliance workflows are becoming agent-assisted too. https://www.harvey.ai/

Runway: Image and video generation now exposed directly through assistant workflows via MCP-style integrations. Useful for training clips, demos, and visual explainers after human review. https://runwayml.com/

Pave: No-code app generation from a plain-language app description. Treat it as a prototyping tool, then review architecture, auth, data handling, and hosting before using anything serious. https://pave.new/

Computer: Perplexity's cloud-based agent for operating web workflows such as Shopify store tasks. The governance angle is permissions, account scope, and audit logs for browser agents. https://www.perplexity.ai/

Claude Code Security Guidance: Anthropic's Claude Code plugin that warns on common vulnerability patterns while code is being edited. Useful as an early guardrail, not as a substitute for review. (Claude Security Guidance plugin) https://claude.com/plugins/security-guidance

Parse 2.0: Extend AI document parsing API built for agent workflows. Interesting for teams turning PDFs, tickets, contracts, and diagrams into structured automation inputs. https://www.extend.ai/

Codex Locked Use: Codex can keep working remotely after a Mac locks for eligible users. Great for long tasks, but approval policy and audit logs matter more when the human is not actively watching. (ChatGPT release notes) https://openai.com/codex/

Manus Projects on Mobile: Mobile project workflows for an agentic assistant. Track it as another signal that agent supervision is spreading beyond the desktop IDE. https://manus.im/

Polsia: AI co-founder concept that plans, builds, and operates businesses around the clock. Fun to evaluate as an extreme example of always-on agent delegation. https://polsia.com/

Project Glasswing: Anthropic's update on AI-assisted vulnerability discovery across open-source projects. Good discussion fuel for how fast triage, disclosure, and patch workflows need to become. (Anthropic Glasswing) https://www.anthropic.com/research/glasswing-initial-update