Ken Muse
Pinning VS Code Extensions to Fight Supply Chain Attacks
When the axios npm library was compromised in March 2026, it reminded me that the dependencies we trust every day can turn on us without warning. That got me thinking – what about the extensions running in my IDE? They auto-update silently, they have access to my filesystem and credentials, and I never review the changes. If you’ve ever updated a tool without a second thought, this post is for you.
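The following POSIX shell script is an added example, not code from the post (the author's own configuration may differ). It keeps extensions at pinned versions and reports drift between a pin file and what VS Code has installed. It assumes a pin file with one `publisher.name@version` per line and uses the real `code --install-extension id@version` form, the real `code --list-extensions --show-versions` output format, and the real `extensions.autoUpdate` / `extensions.autoCheckUpdates` settings; the file paths are assumptions and any sample lists are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post. Keeps VS Code extensions at
# pinned versions and reports drift. Assumes a pin file with one
# "publisher.name@version" per line (blank lines and # comments allowed); the
# installed list comes from `code --list-extensions --show-versions`, which
# prints the same "publisher.name@version" form.

# Strip comments/blank lines from an extension list on stdin and sort it.
normalize_list() {
  tr -d '\r' | sed -e 's/#.*//' -e 's/[[:space:]]*$//' -e '/^$/d' | sort -u
}

# Stop VS Code from silently replacing extensions (both are real setting names).
# $1 is the target settings.json; the path is an assumption, and you should
# merge these keys into an existing settings file rather than overwrite it.
write_no_autoupdate_settings() {
  cat > "$1" <<'EOF'
{
  "extensions.autoUpdate": false,
  "extensions.autoCheckUpdates": false
}
EOF
}

# Install exactly the pinned versions: `code --install-extension id@version`
# installs that version instead of the latest.
install_pins() {
  normalize_list < "$1" | while IFS= read -r ext; do
    code --install-extension "$ext"
  done
}

# Compare the pin file ($1) with the installed list on stdin. Prints one line
# per finding and returns 1 if anything is off, 0 when everything matches:
#   DRIFT    id pinned=V installed=W   installed version differs from the pin
#   MISSING  id@V                      pinned but not installed
#   UNPINNED id@V                      installed without any pin
check_pins() {
  pinfile=$1
  installed=$(normalize_list)
  pinned=$(normalize_list < "$pinfile")
  status=0
  for p in $pinned; do
    id=${p%@*}; want=${p##*@}
    have=$(printf '%s\n' "$installed" | awk -F@ -v id="$id" '$1==id{print $2}')
    if [ -z "$have" ]; then
      echo "MISSING $id@$want"; status=1
    elif [ "$have" != "$want" ]; then
      echo "DRIFT $id pinned=$want installed=$have"; status=1
    fi
  done
  for i in $installed; do
    id=${i%@*}
    printf '%s\n' "$pinned" | awk -F@ -v id="$id" '$1==id{f=1} END{exit !f}' \
      || { echo "UNPINNED $i"; status=1; }
  done
  return $status
}

# Typical use, from a shell hook or a CI job, against the live list:
#   code --list-extensions --show-versions | check_pins "$HOME/.vscode-pins.txt"
```

Run `check_pins` from a login hook or a CI job and treat a non-zero exit as a signal that something changed without you: a DRIFT line means an extension moved off its pin (an update you did not review), and an UNPINNED line means something was installed outside the pin file. Disabling auto-update alone does not stop a manual install or an update pushed through the UI, which is why the drift check is the part worth automating.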

Rootless Docker and Its Hidden Security Trade-Offs
Rootless Docker sounds like the perfect answer to container security – no more root daemon, no more worry. If you look at how it actually works under the hood, the story is more nuanced than most teams realize. In this post, I walk through user namespaces and UID mapping, dig into why kernel developers have long been wary of the attack surface that unprivileged user namespaces expose, and explain what you’re actually giving up when you enable rootless mode and set seccomp=unconfined and apparmor=unconfined.

How Docker Uses Root Privileges
Ever wondered what’s really happening when Docker runs your containers? The daemon runs as root, and it needs those privileges to do its job. I wrote this post to trace the path from the Docker daemon through the Unix socket, image builds, and BuildKit – showing you exactly where root access comes into play and why every step depends on it.

Building Container Isolation From the Linux Kernel Up
Ever wondered why Docker commands need sudo or docker group membership (which is itself root-equivalent, since the socket it grants access to controls a root daemon)? The answer is baked into the Linux kernel itself. I wrote this post to peel back the curtain on what a container actually is. You’ll recreate container-style process isolation from scratch using standard command-line tools – building your own namespaces and cgroups by hand to see exactly what’s happening under the hood.
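The shell script below is an added example, not code from Ken Muse’s posts. It serves two of the teasers above: it builds namespaces and a cgroup by hand, as in “Building Container Isolation From the Linux Kernel Up”, and it exposes the user-namespace UID mapping that “Rootless Docker and Its Hidden Security Trade-Offs” turns on. It assumes Linux with util-linux `unshare`, cgroup v2 mounted at /sys/fs/cgroup and, for the unprivileged parts, a kernel that allows unprivileged user namespaces; the cgroup name and memory limit are made-up defaults.

```shell
#!/bin/sh
# Added example, not code from the original posts. Recreates container-style
# isolation by hand (util-linux unshare + cgroup v2) and shows the user-namespace
# UID mapping that rootless Docker relies on. Assumes Linux with util-linux,
# cgroup v2 at /sys/fs/cgroup and, for the unprivileged parts, kernel support for
# unprivileged user namespaces. The cgroup name and limit are made-up defaults.

# Namespace identity of the caller, e.g. "pid:[4026531836]". Two processes are in
# the same namespace exactly when these strings match.
ns_id() {
  readlink "/proc/self/ns/$1"
}

# Run a command as uid 0 inside fresh user, PID, mount and UTS namespaces, with a
# private /proc so `ps` sees only the new PID tree. No host privilege is gained:
# the user namespace merely maps the caller's UID to 0 inside it, which is the
# same mechanism rootless Docker uses to run without a root daemon.
run_isolated() {
  unshare --user --map-root-user --pid --fork --mount-proc --uts -- "$@"
}

# Read a /proc/<pid>/uid_map on stdin ("inside outside length" rows) and print
# the host UID that uid 0 inside the namespace maps to, or "none" if 0 is not
# mapped. Outside any user namespace the map is "0 0 4294967295" (root is root);
# inside run_isolated it is "0 <your uid> 1", so "root" there is just you.
host_uid_for_root() {
  awk '$1 <= 0 && 0 < $1 + $3 { print $2; found = 1 } END { if (!found) print "none" }'
}

# Move the current shell into a new cgroup v2 leaf and cap its memory. Needs
# root or a delegated subtree. $1 is the leaf name, $2 the memory.max value.
cgroup_limit() {
  cg="/sys/fs/cgroup/${1:-handmade}"
  mkdir -p "$cg"
  echo "${2:-64M}" > "$cg/memory.max"
  echo $$ > "$cg/cgroup.procs"
  cat /proc/self/cgroup            # now reports the new path, e.g. "0::/handmade"
}

# Walk through the pieces when run directly.
demo() {
  echo "host pid ns:     $(ns_id pid)"
  echo "isolated pid ns: $(run_isolated readlink /proc/self/ns/pid)"
  echo "isolated \$\$:     $(run_isolated sh -c 'echo $$')"   # 1: a brand-new PID tree
  echo "isolated id -u:  $(run_isolated id -u)"               # 0: root inside only
  echo "root maps to:    $(run_isolated cat /proc/self/uid_map | host_uid_for_root)"
  run_isolated sh -c 'hostname sandbox && hostname'           # UTS ns: host name untouched
}
```

The point of `host_uid_for_root` is the rootless trade-off in one line: uid 0 inside the user namespace is an ordinary host UID, so files it creates on a bind mount land as that user, and any capability it holds is scoped to namespaces it owns. The kernel concern the Rootless Docker post refers to is visible here too: an unprivileged user can now reach code paths (mounting proc, creating network and mount namespaces) that used to require real root, and that is exactly why some distributions ship with unprivileged user namespaces disabled. `cgroup_limit` is the piece `unshare` does not give you; without it the isolated process shares the host’s memory and CPU budget.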

Pre-Caching Docker Images on GitHub Runner Custom Images
If you run your jobs in containers or use service containers, you may spend a lot of time waiting for images to download. If those images are pulled from a registry outside your runner environment, you may also be paying rising egress charges to your cloud provider. Let’s change that. Learn how pre-caching Docker images in custom runner images can significantly reduce workflow execution time by eliminating redundant layer downloads.

How I Avoided Shai-Hulud's Second Coming (Part 1)
When the Shai-Hulud v2 supply chain attack hit last week, I watched thousands of developers scramble to check their systems. Mine? I was able to mark it as safe, because I’d already layered in some straightforward security practices. If you’re wondering how to protect your own development environment from these kinds of attacks, I’ll walk you through the exact configurations and tools I use every day that kept me safe.

Understanding IPv6: From GitHub's IPs to Kubernetes and ARC
IPv6 isn’t just coming – it’s here. If you’re managing a network or communicating with the internet, you need to understand how IPv6 affects your infrastructure and deployments. In this post, I will explore the basics of what IPv6 really means, how it works with the DevOps tools you use every day (such as GitHub, Docker containers, and Kubernetes), and how GitHub Actions Runner Controller’s latest update improves support for IPv6.

Adding Help (man) to Buildroot Packages
In my earlier posts about creating custom Buildroot packages, we created a GitHub CLI package. Unfortunately, this package didn’t include the bundled man pages. In this post, you’ll learn how to add a configurable package for those man pages, including the necessary dependencies, configuration options, and installation steps to provide offline documentation.

Creating a CodeQL Image for ARC With Python 2
Ready to finish crafting your CodeQL Actions runner image? Following up on my previous post, it’s time to add Python 2 support to the Docker image. You’ll add to the multistage build, learn how to preserve symbolic links, and learn a trick for unpacking archives without needing to copy the archive into the image first.

Creating a CodeQL Image for ARC
Have you struggled with running CodeQL analysis on your own runners? You’re not alone. I figured it was time to tackle this challenge, so this post shows you how to build the image, a few advanced Docker tricks, and a way to incorporate the scripts that the Actions team uses to build the official hosted runner VM images.
