DevSecOps
In-depth guides and analysis on devsecops from the Safeguard engineering team.
378 articles
Buildkite Supply Chain Hardening
A practical hardening guide for Buildkite: agent isolation, pipeline upload security, plugin risks, and the agent-token rotation strategy that keeps the trust model intact.
Buck2 (Meta) Build Security Considerations
A security engineer's look at Buck2, Meta's open-source build system, including Starlark sandbox properties, remote execution, and actual supply chain guarantees.
Maven Release Plugin Hardening
The Maven Release Plugin is the oldest piece of release automation most Java shops still run. A look at the hardening steps it usually needs.
go generate Supply Chain Risks
go generate is a seam where arbitrary commands run with the full privileges of the developer, and it does not show up in any manifest of trusted dependencies.
How to Rotate Build Signing Keys Safely
A step-by-step tutorial for rotating Cosign and GPG build signing keys without breaking existing attestations, verification chains, or downstream consumers.
Docker Hub Rate Limit Changes and CI Impact
Docker's 2024 rate-limit reforms hit CI pipelines hard. Measured impact on 30 real build farms and the mirror and pull-through controls that fixed it.
GraphQL Supply Chain Security Considerations
Supply chain risks specific to GraphQL stacks: Apollo, graphql-js, persisted queries, introspection, and transitive risk in gateway federation.
AWS CDK Construct Library Security
CDK constructs are code that provisions infrastructure. Most teams audit the infrastructure but not the constructs. Here is how to think about construct library security and what to check.
Dagger.io Supply Chain Pipelines
Dagger programmatic pipelines offer genuine supply chain benefits when used well. Here are the patterns and pitfalls from running Dagger in production.
GitGuardian vs TruffleHog: Secret Detection Showdown
Compare GitGuardian and TruffleHog on detector coverage, validation, historical scans, developer workflow, and pricing to pick the right secret scanning tool.
How to Validate SLSA Provenance in CI
Generate and validate SLSA v1.0 provenance attestations in GitHub Actions using slsa-verifier, gate releases on builder identity, and prove build integrity.
FluxCD Security Model in Production
A production-focused look at FluxCD's security model, covering multi-tenancy isolation, source verification, image automation risks, and the CVE history behind the current defaults.