Safeguard
Topic

DevSecOps

In-depth guides and analysis on devsecops from the Safeguard engineering team.

378 articles

DevSecOps

What Is KICS? Checkmarx's Open Source IaC Scanner Explained

Checkmarx KICS is a free, open source static analysis tool for infrastructure-as-code that scans Terraform, CloudFormation, Kubernetes manifests, and more for misconfigurations before they're ever deployed.

Jan 22, 20265 min read
DevSecOps

Pre-commit Hook Security Gotchas You'll Hit

Pre-commit hooks feel like a free security win until you ship them at scale. Here are the failure modes, trust boundaries, and escape hatches that bite.

Jan 20, 20266 min read
DevSecOps

What is a CI/CD Secrets Leak

A CI/CD secrets leak exposes real credentials through build logs, forks, or compromised Actions. Here's how it happens and how to stop it.

Jan 20, 20267 min read
DevSecOps

From DevOps to DevSecOps: A Practical Shift-Left Guide

Shift-left security doesn't mean dumping security tools on developers. Here's a practical guide to integrating security into your development workflow without killing velocity.

Jan 20, 20263 min read
DevSecOps

Securing AWS CodePipeline and CodeBuild against supply ch...

CodePipeline and CodeBuild sit where code, secrets, and compute converge unattended — here's where supply chain attacks actually enter and how to close the gaps.

Jan 20, 20267 min read
DevSecOps

Secrets Management in CI Pipelines: 2026 Guide

Rotating tokens, OIDC federation, and scoped runners are table stakes in 2026. Here is how senior engineers design CI secrets that do not leak on bad days.

Jan 16, 20267 min read
DevSecOps

Securing Azure DevOps pipelines against supply chain comp...

Pipelines now hold more privilege than the apps they build. Here's how Azure DevOps pipeline security actually breaks down—and how to close the gaps.

Jan 16, 20267 min read
DevSecOps

Signing container images and generating SBOMs in Azure pi...

A practical walkthrough for Azure container image signing with Notation and ACR content trust, plus generating SBOMs inside Azure DevOps pipelines.

Jan 15, 20267 min read
DevSecOps

Pre-Commit Hooks Security Recipes for 2026

Practical pre-commit framework recipes that catch secrets, malicious packages, and risky changes before they reach your remote, without slowing developers down.

Jan 14, 20266 min read
DevSecOps

Using GCP Workload Identity Federation for keyless CI/CD ...

GCP Workload Identity Federation lets CI/CD pipelines authenticate with short-lived tokens instead of service account keys. Here's how it works and how to migrate.

Jan 12, 20267 min read
DevSecOps

Securing Cloud Build pipelines and generating SLSA proven...

How to secure Cloud Build supply chain security with least-privilege service accounts and SLSA provenance so tampered builds never reach production.

Jan 10, 20267 min read
DevSecOps

Using OCI dynamic groups to authenticate CI/CD pipelines

A practical guide to eliminating static credentials in CI/CD using OCI dynamic groups, matching rules, and OCI DevOps service authentication instead of API keys.

Jan 7, 20268 min read
DevSecOps (Page 16) — Supply Chain Security Blog | Safeguard