Safeguard
Topic

DevSecOps

In-depth guides and analysis on devsecops from the Safeguard engineering team.

378 articles

DevSecOps

Dagger CI/CD Security Benefits

How Dagger's containerized pipeline model improves CI/CD security with hermetic builds, portability, and reduced platform dependency.

Oct 28, 20236 min read
DevSecOps

Building a DevSecOps Culture: Beyond Tools and into Teams

DevSecOps is a culture shift, not a tooling decision. Practical strategies for building security into development teams without creating friction or resentment.

Oct 25, 20236 min read
DevSecOps

How to Enable Dependency Review on GitHub PRs

A step-by-step tutorial for turning on GitHub Dependency Review, enforcing license and severity policies, and getting fast feedback on every pull request.

Oct 12, 20236 min read
DevSecOps

SBOM Tooling Landscape in 2023: What Actually Works

The SBOM tooling ecosystem has matured significantly, but choosing the right tools still requires understanding the tradeoffs between formats, generators, and analysis platforms.

Sep 15, 20235 min read
DevSecOps

GitHub Packages Security Features: What You Get and What You Do Not

GitHub Packages integrates tightly with GitHub Actions and repositories. Its security features are convenient but have gaps that teams need to understand.

Sep 12, 20236 min read
DevSecOps

Bitbucket Pipelines Security Guide

Securing Bitbucket Pipelines with secure variables, deployment permissions, and pipeline hardening.

Aug 25, 20234 min read
DevSecOps

Runtime SBOM vs. Build-Time SBOM: Which Do You Actually Need?

Build-time SBOMs capture what goes into your software; runtime SBOMs capture what actually runs. Understanding the difference is critical for accurate vulnerability management.

Aug 25, 20235 min read
DevSecOps

DevSecOps Toolchain Integration Patterns That Actually Work

Most DevSecOps tool integrations fail because they are bolted on rather than designed in. Here are integration patterns that provide security value without breaking the developer experience.

Aug 18, 20236 min read
DevSecOps

GitHub Dependabot and the State of Automated Dependency Security

Dependabot has become the default for dependency updates, but its limitations highlight why automated scanning alone isn't enough for supply chain security.

Aug 15, 20235 min read
DevSecOps

Game Day Exercises for Supply Chain Incidents: Practicing Before the Real Thing

Game day exercises simulate supply chain attacks and failures, testing your team's response procedures before a real incident hits. Here is how to plan and run effective supply chain game days.

Aug 5, 20235 min read
DevSecOps

Kotlin detekt Security Rules: Catching Vulnerabilities in Kotlin Code

detekt is Kotlin's primary static analysis tool. Its security-relevant rules catch patterns that lead to vulnerabilities in Android and server-side Kotlin.

Jul 28, 20235 min read
DevSecOps

Security Challenges in Polyglot Repositories

Repositories containing multiple programming languages multiply the security tooling, configuration, and expertise required. These challenges are manageable with the right approach.

Jul 22, 20236 min read
DevSecOps (Page 27) — Supply Chain Security Blog | Safeguard