DevSecOps
In-depth guides and analysis on devsecops from the Safeguard engineering team.
378 articles
The tj-actions/changed-files GitHub Action Supply Chain C...
CVE-2025-30066 exposed how a compromised tj-actions/changed-files GitHub Action leaked CI/CD secrets into build logs across 23,000+ repos. Timeline, impact, and fixes.
Jenkins Stapler Unauthenticated RCE Mass-Exploited for Cr...
CVE-2018-1000861 let attackers hit Jenkins Stapler unauthenticated, planting cryptomining malware on exposed CI/CD build servers across the internet.
Jenkins CLI Java Deserialization Remote Code Execution (C...
CVE-2017-1000353 let attackers gain unauthenticated RCE on Jenkins via CLI Java deserialization. Here's the impact, timeline, and how to remediate it.
Jenkins Remote Code Execution via Groovy Metaclass (CVE-2...
CVE-2016-0792 let attackers bypass Jenkins' deserialization blacklist using Groovy's metaclass to achieve unauthenticated remote code execution via the CLI.
Jenkins CLI Deserialization RCE via Commons-Collections G...
CVE-2015-8103: unauthenticated RCE in Jenkins CLI via a Commons-Collections deserialization gadget chain. Impact, timeline, and remediation.
Jenkins Script Security Sandbox Bypass Leading to RCE (CV...
CVE-2019-1003029 let attackers escape the Jenkins Script Security sandbox and execute arbitrary code via crafted Groovy pipeline scripts.
Jenkins Arbitrary File Read via Crafted CLI Command (CVE-...
CVE-2018-1999002 let attackers read arbitrary files from Jenkins masters via crafted requests to the Stapler framework, exposing secrets and credentials.
TeamCity Authentication Bypass Exploited by Nation-State ...
A critical TeamCity authentication bypass, CVE-2023-42793, let APT29 and North Korean hackers seize build servers for supply chain attacks.
TeamCity Authentication Bypass Enabling Admin Account Cre...
CVE-2024-27198 lets unauthenticated attackers bypass TeamCity login and create admin accounts, with active exploitation and ransomware activity observed.
GitLab Unauthenticated RCE via ExifTool Image Processing ...
CVE-2021-22205 let attackers gain unauthenticated RCE on self-hosted GitLab via ExifTool image parsing. Here's the affected versions, severity, timeline, and fixes.
Argo CD Path Traversal via Malicious Helm Chart values.ya...
CVE-2022-24348 let attackers use a malicious Helm chart to path-traverse Argo CD's repo-server, exposing secrets across GitOps applications. Here's the fix.
Best DevSecOps platforms for shift-left security
A fair, no-hype comparison of DevSecOps platforms — GitLab, GitHub, Snyk, Wiz, JFrog, and Checkmarx — plus what to evaluate for real shift-left security.