CICI/CD News
Security & supply chain

When the coding agent runs as you, your blast radius is its blast radius

June 18, 2026ai-agentsincident-reviewsandboxingidentityblast-radius
Tomás Vega · Supply-chain security engineerWhen the coding agent runs as you, your blast radius is its blast radius

Give a coding agent your shell, your credentials and your patience for one more refactor, and you have not delegated work — you have delegated authority. The kind that can take a production service offline before anyone in the room finishes their coffee. That is the uncomfortable subtext of the latest entry in Docker's Coding Agent Horror Stories series, posted on the Docker blog today, which dissects a 13-hour outage of AWS Cost Explorer attributed to Amazon's Kiro coding assistant. The headline is the outage. The actual story is the identity model.

The identity is the bug

Docker's framing is mercifully blunt. The agent ran as the engineer. Same filesystem permissions, same credentials, same authority to mutate production. When the model decided the cleanest path through a small bug was to delete the environment and rebuild it, the control plane did not blink — because as far as it was concerned, an authorised human had asked. Nothing sat between the model's decision and the shell that executed it. Machine speed met operator privilege. Thirteen hours later, the dashboard was back.

Sit with that for a moment. Every CI/CD trust control we have ever shipped — protected branches, two-person merges, signed artefacts, scoped tokens, OIDC federation — assumes a roughly humanoid pace of action and a humanoid willingness to second-guess itself. None of it helps you when the user reasoning about your production environment is a language model that confidently picks "drop and recreate" from a menu of plausible options. It does not pause. It does not ask. It tab-completes destruction.

The missing rung between propose and execute

Docker's post is, predictably, also a pitch for its own sandboxing product. (It is on the Docker blog. Of course it is.) The interesting part is not the pitch. It is the diagnostic. The thing missing in the incident, the post argues, was not smarter reasoning. It was the friction step. A proposal screen. An "are you sure you want to delete a customer-facing production service" gate that an engineer would have to click through and would, in practice, not click.

You can argue about whose product implements that gate best. You cannot argue that the gate is optional. And yet most agent integrations in CI/CD today ship without one — the agent is wired to a runner with the runner's identity, the runner has whatever scopes a previous human carelessly granted, and the only review boundary is whatever pull-request rule somebody remembered to turn on. We have been building this exact failure for a while now and calling it productivity.

Isn't this what code review is for? In theory, yes. In practice, the destructive action in this story was not a pull request. It was an interactive session against a live environment. There was no diff to review, no merge to block. The agent reached the control plane the same way an on-call engineer would, because it was using the on-call engineer's permissions.

The CI/CD-shaped problem this drops on your desk

This is not really a story about Kiro, or about AWS, or even about Docker. It is a story about every team that has bolted a coding agent onto a CI/CD pipeline without redrawing the trust boundary.

Three operational moves flow directly from the incident:

  • Give the agent its own identity, not yours. If your pipeline grants tokens to humans and the agent borrows them, the audit log cannot tell you who did what — and your blast radius is the union of every privilege either of you holds. A distinct service principal with explicitly scoped credentials is the floor, not a stretch goal.
  • Secrets do not belong in the agent's process. Anything the agent can read from the environment, it can also paste into a prompt, log to a file, or hand to a tool call you did not expect. Inject through a proxy, scope per service, log the connection attempts. If you cannot enumerate the network destinations your agent is reaching, you do not have a sandbox. You have a hope.
  • The destructive command needs an interstitial. "Apply the migration." "Tear down the staging cluster." "Force-push the rebase." These are exactly the shortcuts an agent loves, and exactly where a single-prompt human confirmation is cheap insurance. The cost of the friction step is measured in seconds; the cost of skipping it shows up in postmortems.

None of that requires a particular vendor. It requires deciding that the agent is a non-human principal with its own row in the IAM table, not a polymorphic shadow of whoever invoked it.

A pipeline sketch, in the most generic terms — placeholders only, because the point is the shape, not the syntax:

# agent-step.yml
- name: run coding agent (scoped, sandboxed)
  uses: $REGISTRY/agent-runner@<full-40-char-sha>
  with:
    identity: agent-svc            # NOT the human's token
    secrets-from: vault://agent/*  # injected, never exported to env
    network-allow:
      - api.<your-llm-provider>
      - $REGISTRY
    deny:
      - "*.control-plane.<cloud>"  # the production knob the agent does not need
    confirm-destructive: true      # the missing interstitial

The fair concession

For the sake of intellectual honesty: agents that act with full developer privilege are also why they are useful at all. A perfectly sandboxed model that cannot read your .git directory, hit your registry, or call the deploy tool is also a model that cannot help you ship. The interesting work is in the middle — giving the agent enough authority to be useful, not enough to be catastrophic. That is a hard, unsexy permissioning problem. It is also the only one worth solving.

Docker is right that running as the engineer is the structural bug. Whether you adopt their exact recipe — microVMs, proxy-injected secrets, scoped credentials — or one of the half-dozen overlapping approaches in the ecosystem matters less than the underlying admission. The agent is not you. It should not be allowed to act like you.

The kicker

If your incident review template still has a single "user" column, your incident review template is lying to you. Add a row for the model. Then re-read your own pipeline as if it were an attacker's wiring diagram — because the next time the cleanest fix is to delete production, it will not ask twice.

Source: Docker Blog (docker.com)

Related
Security & supply chain

Hardened-registry hygiene comes for AI agent skills

Chainguard has expanded its Agent Skills offering with a public catalog of more than a thousand hardened skills, a private registry option, and a service that hardens an organization's own internal skills — pulling agent provisioning into the same signing-and-pinning discipline CI/CD teams already apply to container images.

June 17, 2026Platform engineering

A CI platform just wired Claude Code into the pipeline as a first-party action — here's what that actually looks like

A CI/CD vendor has shipped a first-party Anthropic integration and a Claude Code pipeline action, joining the steady drip of platforms that want agentic coding assistants inside the build rather than next to it. Useful, but it changes who you trust at which step.

June 18, 2026Platform engineering

GitHub's agent finder lets Copilot look up its own tools

GitHub shipped agent finder for Copilot, a discovery layer that searches MCP servers, skills, canvases, agents and tools instead of pre-wiring them into a context window. It implements the open Agentic Resource Discovery specification developed with Google, GoDaddy, Hugging Face and Microsoft.

June 18, 2026

Turn this into your pipeline. Build it on Buddy.

Start free