DevSecOps
In-depth guides and analysis on devsecops from the Safeguard engineering team.
378 articles
How to Test Your Signing Pipeline End to End
Build a repeatable end-to-end test harness for your signing pipeline that proves artifacts are signed correctly and that verification fails when tampered.
GitLab CI/CD Security Hardening for 2025
A practical hardening playbook for GitLab 17.8 covering runner isolation, OIDC federation, CI variable scoping, and protected branch enforcement.
Reproducible Builds Debian: The Long View
Debian's Reproducible Builds project has been at it for over a decade. Here's what they've learned, what still isn't reproducible, and why it matters.
Turborepo Monorepo Supply Chain Security
Turborepo makes large JavaScript monorepos fast, and speed changes how teams think about dependencies. The supply chain implications are subtle enough that a fast-moving team can be in trouble before anyone notices.
Hardening GitLab vs GitHub Default Settings
GitLab and GitHub both ship with defaults that prioritize usability. A head-to-head on the specific hardening steps each platform needs before it is safe for enterprise use.
Woodpecker CI Security Review
A security review of Woodpecker CI, the community fork of Drone: runner isolation, secret handling, plugin ecosystem, and the trade-offs of running a self-hosted lightweight CI.
Go Build Cache Poisoning Risks
The Go build cache makes builds fast and reproducible, but a poisoned cache can reuse malicious compiled output indefinitely while the source looks clean.
GCP Terraform Provider Security Review
A security-focused review of the Google Terraform providers: provenance, authentication paths, state handling, and the misconfigurations that consistently produce incidents across the Google and Google-Beta provider ecosystem.
Signing Python Wheels in Production
PyPI supports attestations now. Here is how to actually sign Python wheels in a CI pipeline, verify them at install time, and deal with the rough edges.
Concourse CI Supply Chain Hardening
A practical hardening guide for Concourse CI: resource type trust, worker isolation, team-level RBAC, and the var source security that underpins the platform's multi-tenancy model.
Earthly Containerized Builds Supply Chain
Earthly combines container isolation with Makefile-style ergonomics. Here's what that means for supply chain posture, with real Earthfile examples.
age + SOPS: A Git-Native Secrets Workflow
How age and SOPS together deliver a lightweight, auditable, Git-native secrets workflow that stands up to real production use without a vault server.