Safeguard
Topic

DevSecOps

In-depth guides and analysis on devsecops from the Safeguard engineering team.

378 articles

DevSecOps

Buildkite Supply Chain Hardening

A practical hardening guide for Buildkite: agent isolation, pipeline upload security, plugin risks, and the agent-token rotation strategy that keeps the trust model intact.

Oct 25, 20248 min read
DevSecOps

Buck2 (Meta) Build Security Considerations

A security engineer's look at Buck2, Meta's open-source build system, including Starlark sandbox properties, remote execution, and actual supply chain guarantees.

Oct 22, 20247 min read
DevSecOps

Maven Release Plugin Hardening

The Maven Release Plugin is the oldest piece of release automation most Java shops still run. A look at the hardening steps it usually needs.

Oct 22, 20246 min read
DevSecOps

go generate Supply Chain Risks

go generate is a seam where arbitrary commands run with the full privileges of the developer, and it does not show up in any manifest of trusted dependencies.

Oct 15, 20247 min read
DevSecOps

How to Rotate Build Signing Keys Safely

A step-by-step tutorial for rotating Cosign and GPG build signing keys without breaking existing attestations, verification chains, or downstream consumers.

Oct 8, 20246 min read
DevSecOps

Docker Hub Rate Limit Changes and CI Impact

Docker's 2024 rate-limit reforms hit CI pipelines hard. Measured impact on 30 real build farms and the mirror and pull-through controls that fixed it.

Oct 3, 20245 min read
DevSecOps

GraphQL Supply Chain Security Considerations

Supply chain risks specific to GraphQL stacks: Apollo, graphql-js, persisted queries, introspection, and transitive risk in gateway federation.

Sep 30, 20245 min read
DevSecOps

AWS CDK Construct Library Security

CDK constructs are code that provisions infrastructure. Most teams audit the infrastructure but not the constructs. Here is how to think about construct library security and what to check.

Sep 25, 20247 min read
DevSecOps

Dagger.io Supply Chain Pipelines

Dagger programmatic pipelines offer genuine supply chain benefits when used well. Here are the patterns and pitfalls from running Dagger in production.

Sep 18, 20246 min read
DevSecOps

GitGuardian vs TruffleHog: Secret Detection Showdown

Compare GitGuardian and TruffleHog on detector coverage, validation, historical scans, developer workflow, and pricing to pick the right secret scanning tool.

Sep 18, 20245 min read
DevSecOps

How to Validate SLSA Provenance in CI

Generate and validate SLSA v1.0 provenance attestations in GitHub Actions using slsa-verifier, gate releases on builder identity, and prove build integrity.

Sep 14, 20244 min read
DevSecOps

FluxCD Security Model in Production

A production-focused look at FluxCD's security model, covering multi-tenancy isolation, source verification, image automation risks, and the CVE history behind the current defaults.

Sep 10, 20247 min read
DevSecOps (Page 22) — Supply Chain Security Blog | Safeguard