PowerShell + DevOps Global Summit 2026

DevSecOps tries to make DevOps teams aware about integrating security into each and every step of the process. But this is complex, with a need to integrate a whole set of tools. But no more, thanks to GitHub Advanced Security, baked into your trusted DevOps environment. In this session, Peter will guide you through a full range of built-in GitHub security features, ranging from branch policies over code scanning, security vulnerability scanning with Dependabot and CodeQL, how to enable it, how to use it and how to interpret the reporting.

Many PowerShell authors think of their work as automation rather than software. But once a script is versioned, shared, or published, it becomes part of a supply chain. The same practical guardrails that protect applications can protect automation too, without turning your workflow upside down.

Most supply chain security conversations start at the registry. Signing and distribution controls matter, but they assume the artifact being published is already trustworthy. This session focuses on what happens earlier: provenance before publish.

In Part 1, we will use GitHub Actions with open source tools such as PSScriptAnalyzer, Semgrep, Syft, and Grype to build a pipeline that scans for vulnerabilities, detects risky behavior, and surfaces findings directly in pull requests. We'll also touch on integrating with enterprise SCA and cloud security platforms, for ongoing monitoring.

In Part 2, we apply the same approach to Chocolatey packaging workflows, validating naming, enforcing checksums, analyzing install scripts, and generating SBOMs for embedded OSS binaries before a package reaches a repository.

You will leave with forkable GitHub Actions and a practical model for securing supply chains from the pipeline out. You do not need a security background to follow along.

“Set it and forget it” doesn’t cut it for cloud security—you need proof that controls are consistently enforced. Azure Policy provides that enforcement layer, but managing definitions, initiatives, and assignments by hand quickly becomes a mess.This session shows how to operationalize Azure Policy with Terraform, so your baselines are versioned, reviewable, and consistently applied across subscriptions and management groups. Beyond simply deploying policy, you’ll see how treating policies as code unlocks change control, peer review, and CI/CD approval workflows—making compliance part of your release process instead of an afterthought.We’ll start with a quick primer on Azure Policy for anyone new to its concepts (definitions, initiatives, assignments, exemptions, and remediations), then move into practical patterns and live demos:• Author and organize policy definitions and initiatives• Parameterize assignments per scope, attach non-compliance messages, and configure deployIfNotExists remediations with the right role assignments• Manage exemptions cleanly (temporary, scoped, time-boxed) while avoiding “exemption sprawl”• Integrate policy into CI/CD: pull requests for changes, approval gates for rollout, and drift detection for audits• End-to-end demo: define an initiative, assign it at a management group, exempt a subscription for a pilot, and kick off remediations — all in TerraformBy the end, you’ll know how to evolve your Azure Policy workflows to be repeatable, auditable, and code-driven that fit neatly into modern DevOps practices.

Stop guessing at custom cloud roles and start deriving them from data. In dynamic environments like Azure, permission sprawl is a significant risk, where users and services accumulate excessive privileges in overly broad roles, such as "Contributor." This creates a massive, unnecessary attack surface that manual audits can't keep pace with. This session introduces a practical, PowerShell-driven pipeline that transforms this guesswork into a repeatable, data-driven security practice. We will demonstrate how to turn raw cloud activity logs into precise, least-privilege RBAC roles, all using code that works on both PowerShell 7 and Windows PowerShell 5.1. We will walk through the entire workflow: ingesting and shaping data into a user-action matrix, applying K-Means clustering to discover natural usage patterns, and using our custom "auto-k" algorithm to determine the optimal number of roles intelligently. This technique prevents both unmanageable "role explosion" and overly permissive mega-roles, producing a ready-to-deploy JSON role definition that reflects how your users *actually* work. To accelerate the final steps, we also showcase a strictly optional AI assistant that suggests business-friendly role names and descriptions—all while keeping a human firmly in the loop. You will leave with a blueprint to shrink your organization's attack surface and all the code needed to adapt this methodology for Azure, AWS, and Google Cloud.

NuGet and Chocolatey are a lot more tasty than you might think.

For example, did you know we can turn any package into a web server? That's pretty sweet! We can also scan them to see what's inside without it harming us (also pretty sweet).

In this talk, we'll go over some of the overpowered things you can do with Open Packages like NuGet, Chocolatey, and PowerShell Gallery Modules.