DevSecOps
In-depth guides and analysis on devsecops from the Safeguard engineering team.
378 articles
What Is KICS? Checkmarx's Open Source IaC Scanner Explained
Checkmarx KICS is a free, open source static analysis tool for infrastructure-as-code that scans Terraform, CloudFormation, Kubernetes manifests, and more for misconfigurations before they're ever deployed.
Pre-commit Hook Security Gotchas You'll Hit
Pre-commit hooks feel like a free security win until you ship them at scale. Here are the failure modes, trust boundaries, and escape hatches that bite.
What is a CI/CD Secrets Leak
A CI/CD secrets leak exposes real credentials through build logs, forks, or compromised Actions. Here's how it happens and how to stop it.
From DevOps to DevSecOps: A Practical Shift-Left Guide
Shift-left security doesn't mean dumping security tools on developers. Here's a practical guide to integrating security into your development workflow without killing velocity.
Securing AWS CodePipeline and CodeBuild against supply ch...
CodePipeline and CodeBuild sit where code, secrets, and compute converge unattended — here's where supply chain attacks actually enter and how to close the gaps.
Secrets Management in CI Pipelines: 2026 Guide
Rotating tokens, OIDC federation, and scoped runners are table stakes in 2026. Here is how senior engineers design CI secrets that do not leak on bad days.
Securing Azure DevOps pipelines against supply chain comp...
Pipelines now hold more privilege than the apps they build. Here's how Azure DevOps pipeline security actually breaks down—and how to close the gaps.
Signing container images and generating SBOMs in Azure pi...
A practical walkthrough for Azure container image signing with Notation and ACR content trust, plus generating SBOMs inside Azure DevOps pipelines.
Pre-Commit Hooks Security Recipes for 2026
Practical pre-commit framework recipes that catch secrets, malicious packages, and risky changes before they reach your remote, without slowing developers down.
Using GCP Workload Identity Federation for keyless CI/CD ...
GCP Workload Identity Federation lets CI/CD pipelines authenticate with short-lived tokens instead of service account keys. Here's how it works and how to migrate.
Securing Cloud Build pipelines and generating SLSA proven...
How to secure Cloud Build supply chain security with least-privilege service accounts and SLSA provenance so tampered builds never reach production.
Using OCI dynamic groups to authenticate CI/CD pipelines
A practical guide to eliminating static credentials in CI/CD using OCI dynamic groups, matching rules, and OCI DevOps service authentication instead of API keys.