Safeguard
Topic

DevSecOps

In-depth guides and analysis on devsecops from the Safeguard engineering team.

378 articles

DevSecOps

What is Code Signing

Code signing proves who published software and that it wasn't tampered with — but SolarWinds, CCleaner, and 3CX show signed doesn't mean safe.

Mar 6, 20266 min read
DevSecOps

Metrics Developers Care About: Secure By Default

Most security metrics are built for the security team. A guide to picking metrics that developers will actually act on, with examples from secure-by-default workflows.

Mar 5, 20268 min read
DevSecOps

Reachability As The Bridge Between SCA And Fix PRs

SCA tools find vulnerabilities. Auto-fix tools generate PRs. The gap between them is where most programs lose efficiency. Reachability is the bridge.

Mar 5, 20263 min read
DevSecOps

Free Online Code Checkers: What They Actually Catch

An online python code checker or a free JS linter will catch syntax errors and style issues fast, but here is exactly where that coverage ends and real security scanning has to start.

Mar 5, 20266 min read
DevSecOps

DevSecOps Consulting: When It's Actually Worth Hiring Out

A practical test for when DevSecOps consulting pays for itself versus when it just delays building internal capability, with the questions to ask before signing a statement of work.

Mar 5, 20265 min read
DevSecOps

DevSecOps Practices That Actually Stick on a Real Team

Most DevSecOps practices fail within a quarter because they add friction without removing any. Here is what actually holds up on a real engineering team.

Mar 4, 20265 min read
DevSecOps

JFrog Xray Deployment Blueprint 2026

A pragmatic blueprint for deploying JFrog Xray in 2026: indexing strategy, watch policies, build promotion gates, and the operational pitfalls to avoid.

Mar 2, 20265 min read
DevSecOps

CloudFormation, Bicep, Terraform Supply Chain Evidence

IaC frameworks differ in how they generate supply chain evidence. This is the 2026 guide to audit-ready proof from CloudFormation, Bicep, and Terraform.

Mar 1, 20268 min read
DevSecOps

Pre-Commit Hooks For Secure Supply Chain Default

Pre-commit hooks are the cheapest place to enforce supply chain hygiene. A practical guide to designing hooks developers leave installed.

Feb 28, 20268 min read
DevSecOps

Cosign Keyless Signing Workflows in 2026

How keyless signing has matured: OIDC identities, transparency log dependencies, attestation patterns, and the operational details teams still get wrong.

Feb 26, 20266 min read
DevSecOps

Dependency Update Triage Strategy for Eng Teams

An update PR is not a security finding. Here is a triage model that keeps reachability, risk, and engineering effort in the right conversation.

Feb 26, 20267 min read
DevSecOps

GitOps

What is GitOps? A clear definition of the Git-driven deployment model, how it differs from DevOps, and what its security model protects against.

Feb 24, 20268 min read
DevSecOps (Page 13) — Supply Chain Security Blog | Safeguard