DevSecOps
In-depth guides and analysis on devsecops from the Safeguard engineering team.
378 articles
Makefile Injection Attacks: When Build Automation Becomes a Weapon
Makefiles execute shell commands by design. When those commands incorporate untrusted input, the results are predictably dangerous.
Tekton Pipeline Security Guide
Securing Tekton CI/CD pipelines on Kubernetes with task isolation, supply chain verification, and least-privilege service accounts.
Bandit for Python Security Linting: Getting Real Value From Static Analysis
Bandit scans Python code for security issues. Here is how to configure it so it catches real bugs without burying your team in false positives.
Developer Productivity vs. Security: Finding the Real Balance
The security-productivity tension is real but often exaggerated. Most friction comes from bad tooling and poor processes, not from security itself. Here is how to fix the actual problems.
GoSec Static Analysis for Go: Practical Security Scanning
GoSec finds security issues in Go source code. Here is how to get the most out of it without fighting false positives all day.
Canary Deployments and Security Monitoring
Using canary deployment strategies to catch security regressions before they reach all users, with monitoring patterns for security-relevant metrics.
Build Artifact Integrity Verification: From Source to Deployment
If you cannot verify that your deployed artifact matches your reviewed source code, your entire code review process is security theater. Here is how to close that gap.
Securing GitHub Actions: Hardening Your CI/CD Supply Chain
GitHub Actions is a powerful CI/CD platform — and a significant attack surface. Here's how to lock it down against supply chain threats.
Docker Security Best Practices for Developers
Practical Docker security from image building to runtime, covering multi-stage builds, user namespaces, and image scanning.
Reproducible Builds: The Gold Standard for Supply Chain Integrity
If you can't rebuild a binary from source and get the same result, you can't verify that the binary matches the source. Reproducible builds close this fundamental trust gap.
Zero Trust Architecture for the Software Supply Chain
Zero trust isn't just for networks. Applying zero trust principles to your software supply chain fundamentally changes how you manage dependency risk.
VEX Explained: How Vulnerability Exploitability Exchange Cuts Through Alert Noise
VEX documents let software producers tell consumers which vulnerabilities actually affect their products. Here's how VEX works and why it matters.