DevSecOps
In-depth guides and analysis on devsecops from the Safeguard engineering team.
378 articles
Dagger CI/CD Security Benefits
How Dagger's containerized pipeline model improves CI/CD security with hermetic builds, portability, and reduced platform dependency.
Building a DevSecOps Culture: Beyond Tools and into Teams
DevSecOps is a culture shift, not a tooling decision. Practical strategies for building security into development teams without creating friction or resentment.
How to Enable Dependency Review on GitHub PRs
A step-by-step tutorial for turning on GitHub Dependency Review, enforcing license and severity policies, and getting fast feedback on every pull request.
SBOM Tooling Landscape in 2023: What Actually Works
The SBOM tooling ecosystem has matured significantly, but choosing the right tools still requires understanding the tradeoffs between formats, generators, and analysis platforms.
GitHub Packages Security Features: What You Get and What You Do Not
GitHub Packages integrates tightly with GitHub Actions and repositories. Its security features are convenient but have gaps that teams need to understand.
Bitbucket Pipelines Security Guide
Securing Bitbucket Pipelines with secure variables, deployment permissions, and pipeline hardening.
Runtime SBOM vs. Build-Time SBOM: Which Do You Actually Need?
Build-time SBOMs capture what goes into your software; runtime SBOMs capture what actually runs. Understanding the difference is critical for accurate vulnerability management.
DevSecOps Toolchain Integration Patterns That Actually Work
Most DevSecOps tool integrations fail because they are bolted on rather than designed in. Here are integration patterns that provide security value without breaking the developer experience.
GitHub Dependabot and the State of Automated Dependency Security
Dependabot has become the default for dependency updates, but its limitations highlight why automated scanning alone isn't enough for supply chain security.
Game Day Exercises for Supply Chain Incidents: Practicing Before the Real Thing
Game day exercises simulate supply chain attacks and failures, testing your team's response procedures before a real incident hits. Here is how to plan and run effective supply chain game days.
Kotlin detekt Security Rules: Catching Vulnerabilities in Kotlin Code
detekt is Kotlin's primary static analysis tool. Its security-relevant rules catch patterns that lead to vulnerabilities in Android and server-side Kotlin.
Security Challenges in Polyglot Repositories
Repositories containing multiple programming languages multiply the security tooling, configuration, and expertise required. These challenges are manageable with the right approach.