DevSecOps
In-depth guides and analysis on devsecops from the Safeguard engineering team.
378 articles
Jenkins + Maven Integration Security
Jenkins is still the most common Maven build driver in enterprise Java shops. It is also where most supply chain incidents start. Here is what to change before it becomes your problem.
Please Build System Security Review
A hands-on security review of Please, the open-source Bazel-inspired build system, including sandbox behavior, BUILD rules, and supply chain trade-offs.
Azure Bicep vs ARM: Security Comparison
Bicep and ARM templates produce the same deployments, but their security properties diverge — in module provenance, what-if analysis, registry trust, and review experience.
Spinnaker Deployment Security Patterns
Practical security patterns for Spinnaker deployments: account isolation, pipeline template governance, artifact binding, and the CVE history behind the current authentication defaults.
Security Data Lake Architecture for Supply Chain Intelligence
A security data lake aggregates SBOMs, vulnerability data, build provenance, and runtime signals into a queryable store. This architecture enables the cross-cutting analysis that siloed tools cannot provide.
SecDevOps vs DevSecOps: Is There Actually a Difference?
The SecDevOps definition and the DevSecOps definition describe nearly identical practices, but the word order isn't purely cosmetic, it signals a real difference in where security sits in the pipeline.
NuGet Private Feed Security Hardening
Private NuGet feeds sit in the blind spot of most security programs. The hardening work is not glamorous but the failure modes are expensive.
npm Token Rotation: An Enterprise Strategy
Rotating a few npm tokens is easy. Rotating a few thousand across a shared CI fleet is a project. A practical strategy that survives real organizations.
Drone CI Security Considerations
A security-focused look at Drone CI: runner isolation, secret handling, plugin risks, and the differences between Drone OSS, Enterprise, and the Harness transition.
Nix Reproducible Builds: A Supply Chain Case
Practical supply chain lessons from running Nix and Nix flakes in production, including flake.lock handling, content-addressed derivations, and cachix trust.
Semgrep vs CodeQL: SAST Comparison
Compare Semgrep and CodeQL on rule authoring, language coverage, taint analysis, scan time, IDE integration, and pricing to choose the right SAST engine in 2024.
Code Repository Security Hardening
Your source code repository is the starting point of your entire supply chain. Hardening it against unauthorized access, code injection, and configuration tampering is non-negotiable.