Monday, April 13
 

3:00pm PDT

DevSecOps with GitHub Advanced Security (GHAS)
Monday April 13, 2026 3:00pm - 4:30pm PDT
DevSecOps tries to make DevOps teams aware of the need to integrate security into each and every step of the process. But this is complex, because it requires integrating a whole set of tools. No more, thanks to GitHub Advanced Security, which is baked into your trusted DevOps environment. In this session, Peter will guide you through the full range of built-in GitHub security features, from branch policies through code scanning to security vulnerability scanning with Dependabot and CodeQL: how to enable them, how to use them, and how to interpret the reporting.
Speakers
Peter De Tender

Microsoft Technical Trainer, Microsoft
Peter has an extensive background in architecting, deploying, managing and training Microsoft technologies, dating back to Windows NT4 Server in 1996, all the way to the latest and modern cloud solutions available in Azure today. With a passion for cloud architecture, DevOps and security...
Meydenbauer Center - Room 406 11100 NE 6th St, Bellevue, WA 98004, USA

3:00pm PDT

Provenance Before Publish: Building Safer PowerShell and Chocolatey Pipelines
Monday April 13, 2026 3:00pm - 4:30pm PDT
Many PowerShell authors think of their work as automation rather than software. But once a script is versioned, shared, or published, it becomes part of a supply chain. The same practical guardrails that protect applications can protect automation too, without turning your workflow upside down.

Most supply chain security conversations start at the registry. Signing and distribution controls matter, but they assume the artifact being published is already trustworthy. This session focuses on what happens earlier: provenance before publish.

In Part 1, we will use GitHub Actions with open source tools such as PSScriptAnalyzer, Semgrep, Syft, and Grype to build a pipeline that scans for vulnerabilities, detects risky behavior, and surfaces findings directly in pull requests. We'll also touch on integrating with enterprise SCA and cloud security platforms for ongoing monitoring.

In Part 2, we apply the same approach to Chocolatey packaging workflows, validating naming, enforcing checksums, analyzing install scripts, and generating SBOMs for embedded OSS binaries before a package reaches a repository.

You will leave with forkable GitHub Actions and a practical model for securing supply chains from the pipeline out. You do not need a security background to follow along.
Speakers
Adil Leghari

Senior Solutioneer, Palo Alto Networks
Adil Leghari is a Sysadmin-turned-Solutioneer who is super-passionate about PowerShell and automation. He is currently a Senior Solutioneer at Palo Alto Networks. He’s active in the PowerShell community Slack and Discord servers. When not working, he enjoys designing PowerShell...
Meydenbauer Center - Room 405 11100 NE 6th St, Bellevue, WA 98004, USA
 