Safeguard
Topic

DevSecOps

In-depth guides and analysis on devsecops from the Safeguard engineering team.

378 articles

DevSecOps

Secrets sprawl

What is secrets sprawl? A plain-English breakdown of how API keys and credentials scatter across codebases, and what to do about it.

Feb 24, 20267 min read
DevSecOps

Dependabot vs. Renovate: Operational Experience

Both tools open the same kind of PR. The differences that matter at scale show up in configuration, grouping, platform support, and what happens when something breaks.

Feb 20, 20267 min read
DevSecOps

How to set up SAST scanning in a GitHub Actions pipeline

A step-by-step guide to setting up SAST scanning in GitHub Actions with CodeQL and Semgrep, including config, gating, and troubleshooting tips.

Feb 18, 20267 min read
DevSecOps

CI/CD Security Tools, Organized by Pipeline Stage

A stage-by-stage map of CI/CD security tools — from pre-commit hooks to runtime protection — so you know which control belongs where instead of bolting everything onto one gate.

Feb 18, 20266 min read
DevSecOps

How to set up DAST scanning in a CI/CD pipeline

A practical guide to building a DAST scanning CI/CD pipeline with OWASP ZAP — setup, integration, rule tuning, and troubleshooting for real deployments.

Feb 18, 20267 min read
DevSecOps

The DevSecOps Metrics That Actually Predict Breaches

Finding counts and scan totals are vanity metrics. The numbers that correlate with real incidents measure exposure time, coverage gaps, and gate bypasses.

Feb 17, 20266 min read
DevSecOps

Supply Chain Security KPIs for Engineering Leaders

If you cannot measure your supply chain security posture, you cannot invest in it. Here are the KPIs that separate real programs from the theater.

Feb 14, 20267 min read
DevSecOps

DevOps Metrics That Security Teams Should Watch Too

Deploy frequency and lead time aren't just engineering KPIs — read alongside vulnerability data, they tell security teams exactly where risk is accumulating.

Feb 11, 20265 min read
DevSecOps

How to set up a CI/CD pipeline security gate

A practical, step-by-step guide to building a CI/CD pipeline security gate that scans, enforces vulnerability thresholds, and blocks risky builds without slowing developers down.

Feb 11, 20268 min read
DevSecOps

How to secure Jenkins pipelines

A step-by-step guide to secure Jenkins pipelines: hardening the controller, fixing credentials management, RBAC setup, agent isolation, and supply chain verification.

Feb 10, 20268 min read
DevSecOps

Reproducible Builds: Why Bother in 2026?

Reproducible builds used to feel academic. After a decade of supply chain attacks, they are the shortest path from an SBOM to a verifiable artifact. Here is the case.

Feb 10, 20267 min read
DevSecOps

What is a Monorepo

A monorepo houses many projects in one repository. Learn how Google, Meta, and Microsoft use them, and the blast-radius risks security teams must manage.

Feb 7, 20266 min read
DevSecOps (Page 14) — Supply Chain Security Blog | Safeguard