DevSecOps
In-depth guides and analysis on devsecops from the Safeguard engineering team.
378 articles
AWS CodeBuild Supply Chain Hardening Guide
CodeBuild projects are where most AWS supply chain compromises end up executing. Here is a practical hardening guide built from years of incident response, with specific buildspec controls and IAM patterns.
What Is DevSecOps? Explained in Plain Terms
A plain-terms answer to devsecops o que e, the Portuguese-language version of 'what is DevSecOps,' with the same explanation that applies regardless of what language you searched in.
1Password Secrets Automation in CI
1Password has quietly become a credible secrets backend for CI/CD. A walkthrough of Connect, Service Accounts, and the CLI patterns that make 1Password Secrets Automation work in a build pipeline.
Azure DevOps YAML Pipeline Hardening
A practical, line-by-line walk through hardening Azure DevOps YAML pipelines — template injection, task version pinning, approvals, and the defaults that will bite you.
Container Security Scanning in 2024: Benchmarks, Tools, and What Actually Matters
Container image scanning tools vary widely in detection rates, false positive rates, and coverage. Here is a practical assessment of the container security scanning landscape in 2024.
Migrating Jenkins to GitHub Actions: Security
A case study in moving a sprawling Jenkins estate to GitHub Actions without losing supply chain visibility, artifact integrity, or developer trust.
Bazel Hermetic Builds: Supply Chain Benefits
How Bazel's hermeticity model reduces supply chain risk, with concrete WORKSPACE and MODULE.bazel examples from real migrations.
Jenkins Pipeline Supply Chain Security
How Jenkins pipelines end up as supply chain attack vectors, covering Groovy sandbox risks, plugin CVEs, credential binding, and practical hardening for Jenkins 2.440+.
Ninja Build Supply Chain Considerations
Ninja is a low-level build tool, not a package manager. That framing matters for understanding its supply chain properties and common misconceptions.
GitHub Advanced Security vs Alternatives, Early 2024
GitHub Advanced Security anchors many AppSec programs in 2024, but Snyk, Semgrep, Endor, and others are credible alternatives. Here is an honest comparison.
What Is SSDLC? The Secure Software Development Lifecycle
SSDLC builds security work into every phase of delivery instead of auditing at the end. Here is what changes at each phase, which frameworks define it, and how to adopt it without stalling releases.
CI/CD Compromise Investigation Steps
A step-by-step investigation playbook for suspected CI/CD pipeline compromise, from runner forensics to secrets rotation.