Safeguard
Topic

DevSecOps

In-depth guides and analysis on devsecops from the Safeguard engineering team.

378 articles

DevSecOps

Writing Rego policies for Kubernetes admission control and CI gates

Open Policy Agent graduated CNCF on Jan 29, 2021 — yet most teams still ship Rego with no default-deny, turning a policy gate into a rubber stamp.

Jul 11, 20268 min read
DevSecOps

Hardening a Java build pipeline in GitHub Actions

23,000+ repos leaked CI secrets when tj-actions/changed-files was hijacked in March 2025. Here's how to pin, OIDC, and sign a Java pipeline against that.

Jul 11, 20266 min read
DevSecOps

Where Security Gates Belong in Your CI/CD Pipeline

23.8 million secrets leaked on public GitHub in 2024 alone. The fix isn't more scanners — it's putting the right gate at the right stage and tuning out the noise.

Jul 11, 20267 min read
DevSecOps

Embedding security-by-design into DevSecOps risk management across the SDLC

NIST's SSDF turns 'shift left' into eleven concrete practices — but a framework on paper doesn't stop a bad merge. Here's how to make it enforceable.

Jul 10, 20267 min read
DevSecOps

Credential rotation playbook after npm worm exposure

A step-by-step rotation runbook for security teams exposed to the Shai-Hulud npm worm — what to revoke first, how to verify a credential is dead, and how to prevent a repeat.

Jul 9, 20266 min read
DevSecOps

Why developers stop trusting AI-generated vulnerability fixes

Trust in AI-generated code fell to 29% in 2025, yet 84% of developers keep using it anyway — the gap is a UX problem, not a model problem.

Jul 9, 20267 min read
DevSecOps

A reference architecture for automating security gates in CI/CD

29M hardcoded secrets leaked in 2025 alone. Here's a gate architecture — SAST, SCA, secrets, IaC — that catches that without adding a day to your release cycle.

Jul 9, 20267 min read
DevSecOps

The DevSecOps metrics that actually indicate program maturity

CISA's KEV directive now demands 3-day fixes for the riskiest bugs. Here's why raw finding counts are the wrong way to measure a DevSecOps program.

Jul 9, 20267 min read
DevSecOps

Hardening CI/CD Against a Compromised Upstream Registry

The Sept 2025 npm attack hit packages with 2B weekly downloads in 2 hours. Pinning, lockfile checks, and mirrors would have stopped it cold.

Jul 9, 20265 min read
DevSecOps

DevSecOps Metrics and KPIs That Actually Prove Progress

Most security dashboards count findings and prove nothing. A 2026 guide to the DevSecOps metrics and KPIs that show real risk reduction — MTTR, escape rate, coverage, and DORA-aligned measures.

Jul 8, 20265 min read
DevSecOps

Measuring AppSec ROI: Metrics That Prove Your Program Works

You cannot fund an application security program on fear forever. Here is how to measure AppSec ROI with metrics executives believe — cost avoided, MTTR, and the leading indicators that predict both.

Jul 8, 20266 min read
DevSecOps

The AppSec Program Spring-Cleaning Checklist

The xz-utils backdoor sat in a maintainer's commits for over two years before a Postgres developer's slow SSH login exposed it in March 2024. Most AppSec programs never audit for that kind of drift.

Jul 8, 20266 min read
DevSecOps (Page 2) — Supply Chain Security Blog | Safeguard