Safeguard
Topic

DevSecOps

In-depth guides and analysis on devsecops from the Safeguard engineering team.

378 articles

DevSecOps

How the Snyk CLI's exit codes are structured for CI/CD fa...

A mechanical look at how the Snyk CLI's 0/1/2/3 exit codes work, how --severity-threshold and --fail-on change them, and how to branch on them correctly in CI/CD.

Aug 15, 20257 min read
DevSecOps

DevOps Research and Assessment (DORA): The Four Metrics Explained

DevOps Research and Assessment (DORA) distilled a decade of research into four metrics that predict software delivery performance — here's what they measure and how security work actually affects them.

Aug 12, 20255 min read
DevSecOps

Why Automated Package Publishing Pipelines Are a Growing ...

From tj-actions to xz utils, attackers are hijacking CI/CD pipelines to poison packages at the source. Here's why publishing pipelines are the new frontline.

Jul 30, 20257 min read
DevSecOps

Continuous Integration Security: A Checklist

Continuous integration security means treating your CI pipeline as a production system, because an attacker who compromises your CI runner can ship malicious code as easily as your own engineers.

Jul 30, 20256 min read
DevSecOps

Shift Left Fatigue: Why Developers Are Pushing Back on Se...

Shift-left security handed developers new duties without removing old ones. Here's why teams are pushing back — and how better tooling fixes the real problem: noise, not ownership.

Jul 19, 20257 min read
DevSecOps

Why Security Training Completion Rates Don't Predict Secu...

Completion rates measure attendance, not behavior. Here's why training checkboxes don't predict secure coding outcomes, and what to measure instead.

Jul 19, 20257 min read
DevSecOps

Friction as a Security Metric: Measuring Tool Adoption Fa...

Security tools fail quietly when developers route around them. Here's how to measure friction as a leading indicator of adoption failure before it causes a breach.

Jul 19, 20258 min read
DevSecOps

The Champion Model: Do Embedded Security Champions Actual...

Security champion programs cut vulnerabilities only under specific conditions. Here's what BSIMM, GitLab, and OWASP data show about when the champion model actually works.

Jul 18, 20257 min read
DevSecOps

Why Security and Engineering KPIs Are Still Misaligned in...

Security teams chase CVSS scores and SLA compliance while engineering chases velocity and uptime—two scorecards that were never built to agree.

Jul 18, 20257 min read
DevSecOps

Policy Bypass Culture: What Happens When Deadlines Beat G...

When deadlines collide with security gates, developers bypass them quietly and often. Here's how policy bypass culture forms, what it costs, and how to stop it.

Jul 18, 20258 min read
DevSecOps

Measuring Developer Security Maturity Beyond Tool Coverage

Tool coverage tells you what's installed, not whether developers are actually getting safer. Here's how to build a maturity model around remediation velocity, recurrence, and secrets hygiene instead.

Jul 18, 20258 min read
DevSecOps

The Hidden Cost of Context Switching Between IDE and Secu...

Jumping between your IDE and security dashboards isn't free. Here's what context switching really costs developers, and how to eliminate it.

Jul 17, 20257 min read
DevSecOps (Page 19) — Supply Chain Security Blog | Safeguard