DevSecOps
In-depth guides and analysis on devsecops from the Safeguard engineering team.
378 articles
Security Champions Program For Shift-Left 2026
Security champions are the human layer that makes shift-left work. A 2026 program design for selecting, training, and retaining champions in engineering.
GitHub Actions Supply Chain Hardening Checklist 2026
A pragmatic 2026 hardening checklist for GitHub Actions: OIDC, pinned actions, environment protection, reusable workflows, and the controls that actually move risk.
Cloud IAM And Supply Chain Overlap Mistakes
Cloud IAM and supply chain controls overlap in ways that confuse most teams. These are the 2026 mistakes that turn IAM gaps into supply chain incidents.
GitHub Codespaces and Supply Chain Risk in 2026
Codespaces shifts development from the laptop to the cloud, which changes the supply chain threat model in ways most teams have not fully thought through.
Developer Onboarding Supply Chain Controls Template
The first week is when developers form their habits. A template for onboarding new engineers into supply chain controls without overwhelming them.
What is CI/CD Pipeline Security
CI/CD pipeline security explained: how SolarWinds, Codecov, CircleCI, and tj-actions were breached, and concrete steps to lock down your build pipeline.
What is Continuous Security
Continuous security scans code, dependencies, containers, and infra on every commit — not once a quarter. Here's how it works and why it replaced periodic audits.
What is Shift Left Testing
Shift left testing moves security checks from a pre-release gate into commit, PR, and build time. Here's how it works, what it costs to skip, and its pitfalls.
What is Security as Code
Security as code turns policies and controls into version-controlled, pipeline-enforced rules. Here's what it looks like, why it matters, and how to adopt it.
What is CI/CD Pipeline Poisoning
CI/CD pipeline poisoning lets attackers hijack your build automation to steal secrets and plant backdoors. Here's how it works and how to stop it.
What is Artifact Signing
Artifact signing cryptographically verifies who built a software artifact and that it hasn't been tampered with — here's how it works and why it stops supply chain attacks.
Cloud Marketplace Listings Supply Chain Due Diligence
AWS, Azure, and GCP marketplaces ship software into your account in minutes. The due diligence has not kept pace. This is the 2026 buyer's checklist.