Safeguard
Topic

DevSecOps

In-depth guides and analysis on devsecops from the Safeguard engineering team.

378 articles

DevSecOps

How to Test Your Signing Pipeline End to End

Build a repeatable end-to-end test harness for your signing pipeline that proves artifacts are signed correctly and that verification fails when tampered.

Apr 10, 20256 min read
DevSecOps

GitLab CI/CD Security Hardening for 2025

A practical hardening playbook for GitLab 17.8 covering runner isolation, OIDC federation, CI variable scoping, and protected branch enforcement.

Feb 20, 20255 min read
DevSecOps

Reproducible Builds Debian: The Long View

Debian's Reproducible Builds project has been at it for over a decade. Here's what they've learned, what still isn't reproducible, and why it matters.

Dec 20, 20248 min read
DevSecOps

Turborepo Monorepo Supply Chain Security

Turborepo makes large JavaScript monorepos fast, and speed changes how teams think about dependencies. The supply chain implications are subtle enough that a fast-moving team can be in trouble before anyone notices.

Dec 10, 20248 min read
DevSecOps

Hardening GitLab vs GitHub Default Settings

GitLab and GitHub both ship with defaults that prioritize usability. A head-to-head on the specific hardening steps each platform needs before it is safe for enterprise use.

Dec 5, 20246 min read
DevSecOps

Woodpecker CI Security Review

A security review of Woodpecker CI, the community fork of Drone: runner isolation, secret handling, plugin ecosystem, and the trade-offs of running a self-hosted lightweight CI.

Dec 2, 20248 min read
DevSecOps

Go Build Cache Poisoning Risks

The Go build cache makes builds fast and reproducible, but a poisoned cache can reuse malicious compiled output indefinitely while the source looks clean.

Nov 28, 20247 min read
DevSecOps

GCP Terraform Provider Security Review

A security-focused review of the Google Terraform providers: provenance, authentication paths, state handling, and the misconfigurations that consistently produce incidents across the Google and Google-Beta provider ecosystem.

Nov 18, 20247 min read
DevSecOps

Signing Python Wheels in Production

PyPI supports attestations now. Here is how to actually sign Python wheels in a CI pipeline, verify them at install time, and deal with the rough edges.

Nov 12, 20246 min read
DevSecOps

Concourse CI Supply Chain Hardening

A practical hardening guide for Concourse CI: resource type trust, worker isolation, team-level RBAC, and the var source security that underpins the platform's multi-tenancy model.

Nov 8, 20248 min read
DevSecOps

Earthly Containerized Builds Supply Chain

Earthly combines container isolation with Makefile-style ergonomics. Here's what that means for supply chain posture, with real Earthfile examples.

Nov 8, 20247 min read
DevSecOps

age + SOPS: A Git-Native Secrets Workflow

How age and SOPS together deliver a lightweight, auditable, Git-native secrets workflow that stands up to real production use without a vault server.

Oct 28, 20247 min read
DevSecOps (Page 21) — Supply Chain Security Blog | Safeguard