DevSecOps
In-depth guides and analysis on devsecops from the Safeguard engineering team.
378 articles
Writing Rego policies for Kubernetes admission control and CI gates
Open Policy Agent graduated CNCF on Jan 29, 2021 — yet most teams still ship Rego with no default-deny, turning a policy gate into a rubber stamp.
Hardening a Java build pipeline in GitHub Actions
23,000+ repos leaked CI secrets when tj-actions/changed-files was hijacked in March 2025. Here's how to pin, OIDC, and sign a Java pipeline against that.
Where Security Gates Belong in Your CI/CD Pipeline
23.8 million secrets leaked on public GitHub in 2024 alone. The fix isn't more scanners — it's putting the right gate at the right stage and tuning out the noise.
Embedding security-by-design into DevSecOps risk management across the SDLC
NIST's SSDF turns 'shift left' into eleven concrete practices — but a framework on paper doesn't stop a bad merge. Here's how to make it enforceable.
Credential rotation playbook after npm worm exposure
A step-by-step rotation runbook for security teams exposed to the Shai-Hulud npm worm — what to revoke first, how to verify a credential is dead, and how to prevent a repeat.
Why developers stop trusting AI-generated vulnerability fixes
Trust in AI-generated code fell to 29% in 2025, yet 84% of developers keep using it anyway — the gap is a UX problem, not a model problem.
A reference architecture for automating security gates in CI/CD
29M hardcoded secrets leaked in 2025 alone. Here's a gate architecture — SAST, SCA, secrets, IaC — that catches that without adding a day to your release cycle.
The DevSecOps metrics that actually indicate program maturity
CISA's KEV directive now demands 3-day fixes for the riskiest bugs. Here's why raw finding counts are the wrong way to measure a DevSecOps program.
Hardening CI/CD Against a Compromised Upstream Registry
The Sept 2025 npm attack hit packages with 2B weekly downloads in 2 hours. Pinning, lockfile checks, and mirrors would have stopped it cold.
DevSecOps Metrics and KPIs That Actually Prove Progress
Most security dashboards count findings and prove nothing. A 2026 guide to the DevSecOps metrics and KPIs that show real risk reduction — MTTR, escape rate, coverage, and DORA-aligned measures.
Measuring AppSec ROI: Metrics That Prove Your Program Works
You cannot fund an application security program on fear forever. Here is how to measure AppSec ROI with metrics executives believe — cost avoided, MTTR, and the leading indicators that predict both.
The AppSec Program Spring-Cleaning Checklist
The xz-utils backdoor sat in a maintainer's commits for over two years before a Postgres developer's slow SSH login exposed it in March 2024. Most AppSec programs never audit for that kind of drift.