DevSecOps
In-depth guides and analysis on devsecops from the Safeguard engineering team.
378 articles
What is Code Signing
Code signing proves who published software and that it wasn't tampered with — but SolarWinds, CCleaner, and 3CX show signed doesn't mean safe.
Metrics Developers Care About: Secure By Default
Most security metrics are built for the security team. A guide to picking metrics that developers will actually act on, with examples from secure-by-default workflows.
Reachability As The Bridge Between SCA And Fix PRs
SCA tools find vulnerabilities. Auto-fix tools generate PRs. The gap between them is where most programs lose efficiency. Reachability is the bridge.
Free Online Code Checkers: What They Actually Catch
An online python code checker or a free JS linter will catch syntax errors and style issues fast, but here is exactly where that coverage ends and real security scanning has to start.
DevSecOps Consulting: When It's Actually Worth Hiring Out
A practical test for when DevSecOps consulting pays for itself versus when it just delays building internal capability, with the questions to ask before signing a statement of work.
DevSecOps Practices That Actually Stick on a Real Team
Most DevSecOps practices fail within a quarter because they add friction without removing any. Here is what actually holds up on a real engineering team.
JFrog Xray Deployment Blueprint 2026
A pragmatic blueprint for deploying JFrog Xray in 2026: indexing strategy, watch policies, build promotion gates, and the operational pitfalls to avoid.
CloudFormation, Bicep, Terraform Supply Chain Evidence
IaC frameworks differ in how they generate supply chain evidence. This is the 2026 guide to audit-ready proof from CloudFormation, Bicep, and Terraform.
Pre-Commit Hooks For Secure Supply Chain Default
Pre-commit hooks are the cheapest place to enforce supply chain hygiene. A practical guide to designing hooks developers leave installed.
Cosign Keyless Signing Workflows in 2026
How keyless signing has matured: OIDC identities, transparency log dependencies, attestation patterns, and the operational details teams still get wrong.
Dependency Update Triage Strategy for Eng Teams
An update PR is not a security finding. Here is a triage model that keeps reachability, risk, and engineering effort in the right conversation.
GitOps
What is GitOps? A clear definition of the Git-driven deployment model, how it differs from DevOps, and what its security model protects against.