DevSecOps
In-depth guides and analysis on devsecops from the Safeguard engineering team.
378 articles
Sigstore and Cosign: Software Signing for the Rest of Us
Sigstore makes software signing accessible by eliminating the pain of key management. Here's how Cosign, Fulcio, and Rekor work together to verify software integrity.
GitHub Actions Security: Hidden Supply Chain Risks
GitHub Actions workflows execute third-party code with access to your repository secrets. Most teams don't realize how much trust they're placing in action authors.
SLSA Framework Introduction: Securing Supply Chain Integrity
Google's SLSA framework provides a graduated model for supply chain integrity, from basic provenance to fully verified builds. Here's how it works and why it matters.
DevSecOps Maturity Model: Where Does Your Organization Stand?
Most teams claim they've adopted DevSecOps. Few have actually matured beyond running a scanner in CI. Here's a practical maturity model to figure out where you really are.
Securing CI/CD Pipelines from Supply Chain Attacks
CI/CD pipelines are the new attack surface. From poisoned dependencies to compromised build tools, here's how to lock down your software delivery infrastructure.
Why Software Bill of Materials Matter
SBOMs are the foundation of software supply chain security. Without knowing what's in your software, you can't secure it. Here's why SBOMs matter and how to get started.