Oslo, Norway
2019
  |  By Dan Grøndahl
Good docs are how developers work with a product, from first look to daily use. That’s been true for a long time, and it’s becoming more true as developers increasingly hand that work to agents on their behalf. During the last quarter, we’ve been migrating docs.kosli.com from a static Hugo site to Mintlify, and now it’s finally live. Early reactions from our customers: “A marked improvement over the old docs in layout and usability.” “Looking sharp!”
  |  By Alex Kantor
We’ve built a multi-LLM PR reviewer that runs on every pull request in a couple of our own repos. Two independent models look at each change in parallel, each wearing a set of “persona hats” tuned to a specific area of the codebase. They compare notes, duplicates get stripped out, and the PR author ends up with a single review comment rather than a wall of noise.
  |  By Steve Tooke
Kosli gives your organization a complete picture of software delivery - every build, scan, deployment, and compliance event tracked. Until now that picture was most useful to the people managing governance. However, developers shipping code had to ask someone else what versions of their code were running, how long it was taking to get to production, or what their deployment frequency was. Repositories change that.
  |  By Bruce Johnston
Today, Kosli and Adaptavist announce a strategic partnership to help regulated enterprises automate governance for AI-driven software delivery - making it automated, continuous, and evidence-driven rather than a manual checkpoint that sits apart from DevOps and CI/CD. Adaptavist brings deep enterprise DevOps transformation expertise: assessment and strategy, DevSecOps integration, developer experience, and implementation across Atlassian, GitLab, and AWS.
  |  By Steve Tooke
If you’re evaluating compliance controls against your Kosli trail data today, there’s a good chance you’ve written some glue code to make it work. A script that pulls trail data from the API. Another that downloads attestations one by one. Something that mangles the JSON together into a shape that your chosen compliance engine can evaluate. And then that engine itself, whether it’s OPA, a custom Python script, or something else, installed and configured in your pipeline.
  |  By Dan Grøndahl
Can you create an audit trail for what your AI agent actually did, and enforce rules about what it was allowed to do? Here’s what I found after spending a session wiring the two tools together.
  |  By Mike Long
The modern world runs on mission-critical software. It moves our money, drives our cars, diagnoses our illnesses, and fundamentally improves our lives. But organizations building this critical software face a paradox: they need to move fast to stay competitive, but they also need rigorous governance to manage risk. This has created a lot of tension in regulated industries.
  |  By Dan Grøndahl
We’re excited to announce support for physical environments in the Terraform Provider for Kosli! What’s included: Environment management: full lifecycle support for creating, updating, and managing physical environment types: K8S, ECS, S3, docker, server, and lambda. Manage legacy environments as IaC: import your existing physical environments to have Terraform manage them.
  |  By Bruce Johnston
We’re delighted to announce a strategic partnership between Kosli and TeamTopologies - a collaboration that brings together SDLC Governance automation with the world’s leading framework for organizing business and technology for fast flow of value.
  |  By Steve Tooke
For anyone shipping software in regulated industries, the word “control” gets thrown around all over. Compliance frameworks demand controls, auditors verify controls are used, engineering teams implement controls, and there are even Control Owners. But what exactly is a control? And more importantly, how do we design controls that actually serve their intended purpose while enabling rather than hindering delivery velocity?
  |  By Kosli
AI is moving fast, and it’s tempting to believe it can automate software governance end to end. But compliance and security aren’t probabilistic problems. They don’t accept “close enough.” They don’t accept summaries. They can’t tolerate hallucinations. Governance depends on facts. Irrefutable, provable evidence of how systems actually changed.
  |  By Kosli
Most governance models focus on what happens before production. Approvals. Tickets. Change records. But software delivery doesn’t end at deploy. Runtime is where change management is validated. It’s where systems prove whether controls actually work and where risk becomes real. If governance stops at deployment, you’re not managing change. You’re managing intent. In this video, Mike Long (CEO & Co-founder, Kosli) explains why runtime is the true source of control, why approvals alone don’t reduce risk, and how modern teams build governance that reflects reality, not paperwork.
  |  By Kosli
In regulated environments, slow change is often blamed on process. In reality, it’s caused by missing, fragmented, or untrusted proof. Screenshots. Tickets. Manual approvals. Evidence assembled after the fact. In this video, we show what changes when compliance policies are embedded directly into release workflows — and when immutable, machine-readable evidence is captured automatically across CI/CD.
  |  By Kosli
ServiceNow is the system of record for change and approvals in most regulated enterprises. But when evidence lives elsewhere — scattered across CI tools, scanners, tickets, and screenshots — approvals slow down and audits become painful. Developers waste hours chasing proof. CABs approve changes without confidence. Auditors reconstruct history months later. In this video, Matt Bailey shows what changes when evidence is produced continuously, directly from the delivery pipeline, and linked into ServiceNow workflows.
  |  By Kosli
Scan results aren’t the end — they’re the input to the next control. Evidence must be tied to fingerprints so it’s reusable.
  |  By Kosli
The industry standard for release control is painfully manual: long-form policy documents, ServiceNow forms, human approvals, meetings, and tickets that take days or even weeks to close. In this video, Mike Long (CEO & Co-founder, Kosli) explains the difference between manual release control and an automated, zero-trust model where evidence is collected automatically, provenance identifies the artifact, and approvals can be fully codified.
  |  By Kosli
Evidence isn’t something you produce at the end — it’s something every control generates for the next one. In this video, Mike Long (CEO & Co-founder, Kosli) explains how vulnerability scans produce evidence tied to the artifact fingerprint and the policy file used, and how that evidence becomes an input to downstream controls like release approvals. This is the core of reusable, continuous compliance.
  |  By Kosli
Evidence only matters if you can trust it. And you can only trust it if the artifact behind that evidence has a verifiable, untamperable origin. In this video, Mike Long (CEO & Co-founder, Kosli) explains why artifact binary provenance is the foundation of trustworthy evidence, and why zero-trust delivery collapses without it.
  |  By Kosli
We're excited to announce an important enhancement to Kosli that will improve how environment compliance is managed across your organization. Starting with our next release, all compliance evaluation for Kosli environments will be consolidated through our powerful Environment Policies feature.
  |  By Kosli
How can financial institutions align on software delivery governance without slowing down innovation? At FINOS OSFF New York 2025, Deutsche Bank and Morgan Stanley introduced the new SDLC Governance Working Group — an open collaboration under FINOS to create a Common Controls Catalogue for software delivery. Kosli's Mike Long helped form and participates in this group, contributing expertise in continuous compliance automation and controls engineering to connect the engineering and policy communities.
  |  By Kosli
Supply chain Levels for Software Artifacts (SLSA) is a security framework that helps ensure the integrity of software artifacts throughout the software supply chain. The Open Source Security Foundation (OpenSSF) introduced SLSA in 2021 to protect software from source through deployment by helping organizations counter critical threats. SLSA provides a model for improving supply chain security and integrity, and offers guidance for solving issues related to developer or build systems as exploitable security vectors.

Deliver secure software changes at scale and deploy to production with speed and compliance.

Kosli records an easily searchable history of all your changes from commit to production, so you can quickly find the change you need. Move beyond GitOps and understand how your pipelines and environments are really changing.

Continuous monitoring in your runtimes and pipelines:

  • Release software with continuous compliance and zero day audits: Kosli records changes in your environments and pipelines as they happen. Get compliance status in real time and export all the evidence you need for an audit to CSV.
  • Track deployments with full cycle security: Kosli connects what’s running in production with what was qualified in your pipelines. Get alerts for undocumented workloads and any deviations from your security policies.
  • Pinpoint the exact change you need when you need it: Kosli gives you a searchable database of every change made to your systems. Get the answer you need by asking better questions in the browser or the command line.
  • Real-time observability for devs and engineers: Tired of trying to figure out which change broke everything? Need to know where your commit is? Get the ability to see how your environments and pipelines are actually changing and quickly locate the change you need.

Faster changes. Stronger security. Painless audits.