DevSecOps
In-depth guides and analysis on devsecops from the Safeguard engineering team.
378 articles
Secrets sprawl
What is secrets sprawl? A plain-English breakdown of how API keys and credentials scatter across codebases, and what to do about it.
Dependabot vs. Renovate: Operational Experience
Both tools open the same kind of PR. The differences that matter at scale show up in configuration, grouping, platform support, and what happens when something breaks.
How to set up SAST scanning in a GitHub Actions pipeline
A step-by-step guide to setting up SAST scanning in GitHub Actions with CodeQL and Semgrep, including config, gating, and troubleshooting tips.
CI/CD Security Tools, Organized by Pipeline Stage
A stage-by-stage map of CI/CD security tools — from pre-commit hooks to runtime protection — so you know which control belongs where instead of bolting everything onto one gate.
How to set up DAST scanning in a CI/CD pipeline
A practical guide to building a DAST scanning CI/CD pipeline with OWASP ZAP — setup, integration, rule tuning, and troubleshooting for real deployments.
The DevSecOps Metrics That Actually Predict Breaches
Finding counts and scan totals are vanity metrics. The numbers that correlate with real incidents measure exposure time, coverage gaps, and gate bypasses.
Supply Chain Security KPIs for Engineering Leaders
If you cannot measure your supply chain security posture, you cannot invest in it. Here are the KPIs that separate real programs from the theater.
DevOps Metrics That Security Teams Should Watch Too
Deploy frequency and lead time aren't just engineering KPIs — read alongside vulnerability data, they tell security teams exactly where risk is accumulating.
How to set up a CI/CD pipeline security gate
A practical, step-by-step guide to building a CI/CD pipeline security gate that scans, enforces vulnerability thresholds, and blocks risky builds without slowing developers down.
How to secure Jenkins pipelines
A step-by-step guide to secure Jenkins pipelines: hardening the controller, fixing credentials management, RBAC setup, agent isolation, and supply chain verification.
Reproducible Builds: Why Bother in 2026?
Reproducible builds used to feel academic. After a decade of supply chain attacks, they are the shortest path from an SBOM to a verifiable artifact. Here is the case.
What is a Monorepo
A monorepo houses many projects in one repository. Learn how Google, Meta, and Microsoft use them, and the blast-radius risks security teams must manage.