今日已更新 166 条资讯 | 累计 20138 条内容
关于我们

标签:#vs

找到 129 篇相关文章

AI 资讯

Applying Checkov to Terraform as Code – A TFSEC Alternative

Static Application Security Testing (SAST) is a critical practice in modern DevSecOps. While tools like SonarQube, Snyk, and Veracode are popular, this article focuses on GitHub CodeQL – a semantic code analysis engine that treats code as a database. We will apply it to a vulnerable Java Spring Boot application to detect SQL Injection and Path Traversal. 🤔 Why CodeQL? Unlike pattern-based scanners, CodeQL builds a relational database of your code, including abstract syntax trees, control flow graphs, and data flow graphs. This allows it to track tainted data across functions, classes, and files, drastically reducing false positives. 🚨 Target Application (Vulnerable Java App) Let's look at a simple REST API with two vulnerable endpoints. File: UserController.java package com.demo.controller ; import com.demo.model.User ; import org.springframework.beans.factory.annotation.Autowired ; import org.springframework.jdbc.core.JdbcTemplate ; import org.springframework.web.bind.annotation.* ; import java.nio.file.Files ; import java.nio.file.Paths ; import java.util.List ; @RestController @RequestMapping ( "/api" ) public class UserController { @Autowired private JdbcTemplate jdbcTemplate ; // Vulnerability 1: SQL Injection @GetMapping ( "/users" ) public List < User > getUsers ( @RequestParam ( "id" ) String userId ) { String sql = "SELECT * FROM users WHERE id = " + userId ; // Dangerous concatenation return jdbcTemplate . query ( sql , ( rs , rowNum ) -> new User ( rs . getString ( "id" ), rs . getString ( "name" ))); } // Vulnerability 2: Path Traversal @GetMapping ( "/file" ) public String readFile ( @RequestParam ( "filename" ) String filename ) throws Exception { return new String ( Files . readAllBytes ( Paths . get ( "/var/data/" + filename ))); } } 🛠️ Installing and Configuring CodeQL CLI You can run CodeQL locally to analyze your code before pushing it to a repository. 1. Download CodeQL from GitHub releases: wget [ https://github.com/github/codeql-cli-binaries/re

2026-06-06 原文 →
开发者

Top 10 Non-Human Identity Security Tools and Platforms for 2026

TL;DR: Non-human identities (service accounts, API keys, workload identities, certificates, OAuth apps, machine-to-machine access) now outnumber humans over 1:1 in most cloud-native orgs. The biggest security risks are unmanaged lifecycle, overprivileged access, and exposed credentials across SDLC and cloud environments, not just secret storage. The best NHI security tools in 2026 fall into four major categories: Secrets Detection and Exposure Prevention NHI Lifecycle and Governance Platforms Machine Identity and Certificate Management Vault and Authorization Extensions Most enterprises require layered coverage across detection, governance, and lifecycle automation. Adopting this multi-layered strategy enables organizations not only to find leaks but also to close the structural gaps that allow them to occur. Why Non-Human Identities Are the Fastest-Growing Attack Surface in 2026 In 2026, attackers rarely try to " hack passwords ". Instead, they exploit the massive, often unmonitored web of non-human identities (NHIs) that power modern automation. They specifically look for hardcoded API keys, overprivileged service accounts, stale OAuth tokens, misconfigured workload identities, unrotated certificates, and shadow SaaS integrations that slip through the cracks of traditional security programs. This is a problem because machine identities far outnumber human users. However, most security programs rely on frameworks designed for human-centric access. IAM Strategy for CISOs: Securing Non-Human Identities Thankfully, top non-human identity protection tools help secure this critical attack surface. By understanding the categories of enterprise NHI security solutions, you can build a strategy that provides complete visibility and robust security controls across your entire infrastructure. What Do Non-Human Identities (NHIs) Include Today? Non-human identities are the digital identities used by machines, services, and applications to authenticate and communicate with other

2026-06-05 原文 →
AI 资讯

Microsoft MAI-Thinking-1 & MAI-Code-1-Flash: Developer Guide to 7 New MAI Models

Microsoft launched seven new in-house AI models at Build 2026 on June 2, 2026, marking the company's most significant push yet to build its own frontier AI stack independent of OpenAI. The centerpiece is MAI-Thinking-1, Microsoft's first large-scale reasoning model, built from scratch on clean commercially licensed data using a sparse Mixture of Experts architecture. Alongside it: MAI-Code-1-Flash, a 5-billion-parameter coding model that outperforms Claude Haiku 4.5 by 16 percentage points on SWE-Bench Pro while using 60% fewer tokens on complex tasks. This is the complete developer guide to all seven MAI models, their specs, benchmarks, deployment paths, and what they mean for the AI development ecosystem. Why Seven Models at Once? The strategic context matters. For three years, Microsoft's AI product surface — GitHub Copilot, Azure AI, Bing Chat, Microsoft 365 Copilot — ran almost entirely on OpenAI models. The Build 2026 announcement is Microsoft's public declaration that it is building a parallel, proprietary model stack. Every new MAI model is trained from scratch using "clean and appropriately licensed data, without distillation from third-party models" — language that directly addresses the intellectual property concerns that have accompanied third-party model licensing. The distribution strategy is equally deliberate. Microsoft is not routing MAI models exclusively through Azure. MAI-Thinking-1 and MAI-Code-1-Flash are available via Fireworks AI, Baseten, and OpenRouter — three infrastructure providers that collectively reach developers who explicitly do not want cloud vendor lock-in. This signals a platform-first posture: Microsoft wants MAI to become a model ecosystem, not just an Azure feature. MAI-Thinking-1: The Reasoning Flagship MAI-Thinking-1 is Microsoft's answer to Claude Opus 4.x and GPT-5.5 on the reasoning side of the model spectrum. The architecture is a 35-billion-parameter active / approximately 1-trillion-parameter total sparse Mixture of Ex

2026-06-03 原文 →
AI 资讯

O Paradoxo dos 70/30: A aceleração da IA aliada à experiência humana

Tenho aproveitado meu tempo sem trabalhar pra estudar, enfim a vida de quem trabalha com tecnologia né? E um dos meus maiores focos tem sido IA, seus usos, como ela entra e pode ser aplicada em áreas diferentes, e todas as novidades que saem todos os dias. Hoje vim compartilhar uma coisa bem legal que aprendi no curso AI-Native Engineering Foundations do Addy Osmani , o problema dos 70%. Existe um padrão claro que tenho observado na prática ao acompanhar dezenas de equipes de engenharia: a Inteligência Artificial resolve com impressionante eficiência 70% de quase qualquer tarefa técnica. Falo daquela camada previsível, repetitiva e baseada em padrões exaustivamente documentados na internet. Coisas como código boilerplate, arquivos de configuração, implementações de CRUDs simples, conversão de sintaxe entre linguagens e a escrita de testes unitários básicos. A IA já "viu" milhões de exemplos disso em repositórios públicos e consegue reproduzir o padrão em segundos. Para essa fatia do trabalho, ela é uma aceleradora fantástica. O grande problema, e o motivo pelo qual muitos projetos com IA começam bem mas falham no meio, é que os outros 30% são justamente os que sustentam o software. É nesses 30% que entram as decisões que inteligência nenhuma consegue tomar sozinha: Contexto de Negócio: A IA não sabe por que aquela feature está sendo construída ou como ela impacta o usuário final. Arquitetura e Manutenibilidade: Escrever código que funciona hoje é fácil; escrever código que outra pessoa consegue alterar daqui a seis meses sem quebrar o sistema é outra história. Casos de Borda e Segurança: A IA tende a gerar o "caminho feliz". Tratar falhas de concorrência, vazamento de memória e vulnerabilidades específicas do seu ecossistema exige malícia técnica. Essas questões não se resolvem apenas digitando linhas de código, elas exigem contexto, experiência, histórico de dores passadas e, acima de tudo, julgamento humano. E é exatamente aqui que a IA ainda não entrega. O Parado

2026-06-02 原文 →
AI 资讯

Arazzo Visualizer: Run API Workflows in VS Code

Most apps don't just call one API endpoint. They call a whole chain of them. For example, you might log in, get a token, and then pass that token to another service. Tracking these multi-step chains can get messy quickly. To help fix this, the OpenAPI Initiative created the Arazzo Specification . It gives us a standard way to link different endpoints into clear workflows. But writing these workflow files by hand in a regular text editor is tough. It is very easy to lose track of how data moves from one step to the next. That is why I built Arazzo Visualizer for VS Code. It is a free, open-source extension that makes the Arazzo spec visual and easy to use. Live Interactive Graphs The extension reads your workflow files and turns them into interactive maps on the fly. See Data Flow: Look at exactly how data moves between steps. Catch Errors Early: Spot broken paths before you even run your code. Clean Layouts: Navigate large workflows without getting lost in thousands of lines of text. Built-In Workflow Runner Seeing the map is great, but testing it is even better. The tool has a step-by-step runner built right into your editor. Run a single step or execute the whole chain. See real-time data payloads and HTTP headers. Watch requests happen live to pinpoint bugs fast. Give it a Try The project is fully open source, and you can grab it or check out the code using the links below: Download: Install it directly from the VS Code Marketplace . Source Code: Check out the repository, report bugs, or contribute on GitHub . Deep Dive: Read my full technical breakdown and design on Medium . If you are working with API chains, I would love for you to try it out. Drop your feedback in the comments below! Note: Arazzo v1.1.0 is out with official AsyncAPI support. I am currently updating the VS Code extension to support these new features. Stay tuned for future updates!

2026-05-31 原文 →
AI 资讯

I made my Markdown Editor "AI-Ready": MarkSmith v0.3.0

Hey DEV community! 👋 A few days ago, I built a VS Code extension called Marksmith to fix the most annoying parts of writing Markdown (like pasting Excel tables and syncing preview scrolls). But recently, I noticed a huge shift in my own workflow: Half the Markdown I write isn't for humans anymore. It’s being fed directly into Claude, ChatGPT, or Gemini as prompts and context. When you're constantly stuffing docs into context windows, two things happen: You worry about hitting context limits (or racking up API costs). You waste time dealing with AI "hallucinations" when you ask it to generate docs back for you. So, for the v0.3.0 release , I decided to pivot Marksmith into something new: An Agent AI-Ready Markdown Toolkit. 🚀 Here is what I added to survive the AI era: 📊 1. Real-time LLM Token Estimator Instead of just counting words, Marksmith’s Document X-Ray sidebar now includes a Heuristic Token Estimator for GPT, Claude, and Gemini. Before you copy-paste that massive README into your AI assistant, you can see exactly how "heavy" it is in terms of tokens right inside your editor. No more guessing if you're about to blow past your context limit! ✂️ 2. Copy Optimized for AI (1-Click Minify) Formatting is great for humans, but LLMs don't need all those extra spaces, perfectly aligned markdown tables, or empty lines. I added a CodeLens button at the top of your files. Click it, and Marksmith instantly minifies your Markdown (compresses tables, strips blanks) and copies it to your clipboard. Result: You save significant tokens and API costs without ruining your beautiful local .md file. 🕵️ 3. Hallucination Quick Fix Ever ask an AI to write documentation, and it leaves behind a bunch of [TODO: Insert link here] or makes up a fake local image path? Marksmith now automatically scans your document and puts a red squiggly line under AI placeholders and broken local links . Click the 💡 icon, and you can instantly strip them out or fix them. It acts as a safety net before you

2026-05-29 原文 →
AI 资讯

Handling Localization in PCF Components: A Practical Walkthrough

When you build a PowerApps Component Framework (PCF) component that will be used across multiple geographies, need to serve labels, button captions, validation messages, and tooltips in the user's preferred language. PCF has a built-in answer based on .resx resource files, the same format used by .NET applications. The mechanism is elegant in production — but surprisingly tricky during local development. This walkthrough takes you through the full setup, step by step, and then explains a problem that arises while locally debugging your PCF. Step 1 — Create the strings folder and your first .resx file PCF expects your localized strings to live in a folder (the conventional name is strings ) inside your component directory. Each language gets its own file, named with the pattern: <ComponentName>.<LCID>.resx The <LCID> part is the numeric Locale ID , not the textual code ( en-US , it-IT ). The framework relies on this naming convention to identify which file to load for a given user. Common LCIDs: Language LCID English (en-US) 1033 Italian (it-IT) 1040 German (de-DE) 1031 French (fr-FR) 1036 Spanish (es-ES) 3082 Japanese (ja-JP) 1041 Chinese Simplified (zh-CN) 2052 Portuguese (pt-BR) 1046 For a component called EquipmentGrid , the structure looks like this: EquipmentGrid/ ├── ControlManifest.Input.xml ├── index.ts └── strings/ ├── EquipmentGrid.1033.resx ├── EquipmentGrid.1040.resx └── EquipmentGrid.1031.resx Tip: Always include 1033.resx (English). The PCF runtime falls back to the first <resx> declared in the manifest when the user's preferred language isn't available, and English is the safest default. Step 2 — Author the resource file content A .resx file is just XML. Here's a minimal Italian version ( EquipmentGrid.1040.resx ): <?xml version="1.0" encoding="utf-8"?> <root> <resheader name= "resmimetype" > <value> text/microsoft-resx </value> </resheader> <resheader name= "version" > <value> 2.0 </value> </resheader> <resheader name= "reader" > <value> System.Resou

2026-05-28 原文 →