Safeguard
Topic

DevSecOps

In-depth guides and analysis on devsecops from the Safeguard engineering team.

378 articles

DevSecOps

GitHub Actions Security Best Practices in 2022

A practical guide to hardening your GitHub Actions workflows against supply chain attacks, secret leaks, and privilege escalation.

Jul 15, 20226 min read
DevSecOps

The GitHub Codespaces Security Model, Examined

GitHub Codespaces has gone GA and is about to become the dev environment standard. Here is a close read of its security model — including what it does not solve.

Jun 22, 20227 min read
DevSecOps

Environment Variable Injection in CI/CD: The Invisible Attack Surface

CI/CD pipelines trust environment variables implicitly. Injecting or modifying them can hijack builds, steal secrets, and compromise deployments.

Jun 20, 20224 min read
DevSecOps

ESLint Security Rules Configuration: A Practical Guide

ESLint can catch security issues before they reach production. Here is how to configure security-focused rules that actually help without drowning you in noise.

Jun 20, 20225 min read
DevSecOps

Flux CD GitOps Security Practices

Hardening Flux CD deployments with multi-tenancy, RBAC, secret encryption, and image verification for secure GitOps workflows.

Jun 18, 20225 min read
DevSecOps

Software Provenance Tracking: From Source to Production

Software provenance answers the question: where did this code come from, who built it, and can I trust it? In 2022, provenance tracking moved from academic concept to practical necessity.

May 28, 20226 min read
DevSecOps

Feature Flags Security Implications

Understanding the security risks of feature flag systems and how to prevent unauthorized flag manipulation, data exposure, and configuration drift.

May 8, 20226 min read
DevSecOps

CI/CD Pipeline Audit Logging: What to Capture and Why

Your CI/CD pipeline is a high-value target. Without proper audit logging, you will not know when it has been compromised until it is too late.

Apr 28, 20226 min read
DevSecOps

Ephemeral Environments for Security Testing: A Modern Approach

Ephemeral environments — short-lived, on-demand copies of your application stack — are transforming how teams approach security testing. No more fighting over shared staging environments.

Apr 25, 20225 min read
DevSecOps

Temp File Race Conditions in Build Systems: The TOCTOU Problem

Build systems create and process temporary files constantly. Race conditions in temp file handling can be exploited to inject malicious content into builds.

Apr 15, 20225 min read
DevSecOps

SBOM Automation in CI/CD Pipelines: A Hands-On Guide

Generating SBOMs manually is unsustainable. Here's how to automate SBOM creation, validation, and distribution as part of your existing CI/CD pipeline with practical examples.

Apr 8, 20225 min read
DevSecOps

Software Supply Chain Security for Startups: A Practical Guide

You don't need a massive security team to get supply chain security right. Here's a pragmatic, prioritized approach for startups that balances risk reduction with engineering velocity.

Feb 15, 20226 min read
DevSecOps (Page 31) — Supply Chain Security Blog | Safeguard