Monday April 13, 2026 3:00pm - 4:30pm PDT
Many PowerShell authors think of their work as automation rather than software. But once a script is versioned, shared, or published, it becomes part of a supply chain. The same practical guardrails that protect applications can protect automation too, without turning your workflow upside down.

Most supply chain security conversations start at the registry. Signing and distribution controls matter, but they assume the artifact being published is already trustworthy. This session focuses on what happens earlier: provenance before publish.

In Part 1, we will use GitHub Actions with open source tools such as PSScriptAnalyzer, Semgrep, Syft, and Grype to build a pipeline that scans for vulnerabilities, detects risky behavior, and surfaces findings directly in pull requests. We'll also touch on integrating with enterprise SCA and cloud security platforms for ongoing monitoring.

In Part 2, we apply the same approach to Chocolatey packaging workflows, validating naming, enforcing checksums, analyzing install scripts, and generating SBOMs for embedded OSS binaries before a package reaches a repository.

You will leave with forkable GitHub Actions and a practical model for securing supply chains from the pipeline out. You do not need a security background to follow along.
Speakers
Adil Leghari

Senior Solutioneer, Palo Alto Networks
Adil Leghari is a Sysadmin-turned-Solutioneer who is super-passionate about PowerShell and automation. He is currently a Senior Solutioneer at Palo Alto Networks. He's active in the PowerShell community Slack and Discord servers. When not working, he enjoys designing PowerShell...
Meydenbauer Center - Room 405 11100 NE 6th St, Bellevue, WA 98004, USA
