Safeguard
Topic

DevSecOps

In-depth guides and analysis on devsecops from the Safeguard engineering team.

378 articles

DevSecOps

Security Champions Program For Shift-Left 2026

Security champions are the human layer that makes shift-left work. A 2026 program design for selecting, training, and retaining champions in engineering.

Mar 15, 20268 min read
DevSecOps

GitHub Actions Supply Chain Hardening Checklist 2026

A pragmatic 2026 hardening checklist for GitHub Actions: OIDC, pinned actions, environment protection, reusable workflows, and the controls that actually move risk.

Mar 12, 20265 min read
DevSecOps

Cloud IAM And Supply Chain Overlap Mistakes

Cloud IAM and supply chain controls overlap in ways that confuse most teams. These are the 2026 mistakes that turn IAM gaps into supply chain incidents.

Mar 11, 20268 min read
DevSecOps

GitHub Codespaces and Supply Chain Risk in 2026

Codespaces shifts development from the laptop to the cloud, which changes the supply chain threat model in ways most teams have not fully thought through.

Mar 11, 20266 min read
DevSecOps

Developer Onboarding Supply Chain Controls Template

The first week is when developers form their habits. A template for onboarding new engineers into supply chain controls without overwhelming them.

Mar 10, 20268 min read
DevSecOps

What is CI/CD Pipeline Security

CI/CD pipeline security explained: how SolarWinds, Codecov, CircleCI, and tj-actions were breached, and concrete steps to lock down your build pipeline.

Mar 8, 20266 min read
DevSecOps

What is Continuous Security

Continuous security scans code, dependencies, containers, and infra on every commit — not once a quarter. Here's how it works and why it replaced periodic audits.

Mar 8, 20266 min read
DevSecOps

What is Shift Left Testing

Shift left testing moves security checks from a pre-release gate into commit, PR, and build time. Here's how it works, what it costs to skip, and its pitfalls.

Mar 7, 20267 min read
DevSecOps

What is Security as Code

Security as code turns policies and controls into version-controlled, pipeline-enforced rules. Here's what it looks like, why it matters, and how to adopt it.

Mar 7, 20267 min read
DevSecOps

What is CI/CD Pipeline Poisoning

CI/CD pipeline poisoning lets attackers hijack your build automation to steal secrets and plant backdoors. Here's how it works and how to stop it.

Mar 7, 20267 min read
DevSecOps

What is Artifact Signing

Artifact signing cryptographically verifies who built a software artifact and that it hasn't been tampered with — here's how it works and why it stops supply chain attacks.

Mar 7, 20266 min read
DevSecOps

Cloud Marketplace Listings Supply Chain Due Diligence

AWS, Azure, and GCP marketplaces ship software into your account in minutes. The due diligence has not kept pace. This is the 2026 buyer's checklist.

Mar 6, 20267 min read
DevSecOps (Page 12) — Supply Chain Security Blog | Safeguard