Safeguard
Topic

DevSecOps

In-depth guides and analysis on devsecops from the Safeguard engineering team.

378 articles

DevSecOps

Why NVD alone is not enough: the case for multi-source vulnerability intelligence

NIST now fully enriches a fraction of CVEs — on April 15, 2026 it moved to a triage model that leaves most of 2025's 48,185 published CVEs without a timely severity score.

Jul 7, 20267 min read
DevSecOps

Pre-Commit Security Hooks: Catch Problems Before They're Committed

The cheapest place to catch a security issue is before the commit exists. Here is how to set up pre-commit security hooks that give developers instant feedback without slowing them down.

Jul 6, 20266 min read
DevSecOps

Securing CI/CD Secrets: OIDC, Scanning, and Short-Lived Credentials

CI/CD secrets are the crown jewels attackers go after — the CircleCI breach forced every customer to rotate everything. This guide covers secret sprawl, scanning, OIDC federation, and killing long-lived credentials for good.

Jul 6, 20266 min read
DevSecOps

Threat Modeling for Developers: A Lightweight Practical Guide

Threat modeling doesn't need a two-day workshop. A developer-friendly 2026 guide to modeling threats with the four-question framework and STRIDE — fast enough to run on a feature branch.

Jul 6, 20265 min read
DevSecOps

Azure Pipelines Security: Stop Treating YAML as Config

An Azure Pipeline is a program with attacker-controllable input, not a config file. This guide covers macro injection, task and template pinning, environment approvals, workload identity federation, and adding scanning.

Jul 5, 20266 min read
DevSecOps

Secrets Scanning: Stop Leaking Credentials Before They Ship

A leaked API key in Git history is compromised the moment it is pushed — deleting the commit does not help. Here is how to build secrets scanning across your whole lifecycle, from pre-commit to Git history.

Jul 5, 20267 min read
DevSecOps

How to Build a Security Champions Program That Lasts

A security champions program scales AppSec without scaling headcount — if it's built right. A 2026 playbook for recruiting, enabling, and retaining champions, plus the metrics that prove it works.

Jul 5, 20265 min read
DevSecOps

CircleCI Security Best Practices After the 2023 Breach

The January 2023 CircleCI incident forced every customer to rotate every secret. Here is what it taught us — plus hardened config.yml examples for orb pinning, restricted contexts, OIDC, and adding scanning.

Jul 4, 20266 min read
DevSecOps

Dependency Management Best Practices for Secure Software

Your app is mostly other people's code. A 2026 guide to managing dependencies securely — lockfiles, provenance, SBOMs, update strategy, and reachability — so a bad package doesn't become your breach.

Jul 4, 20265 min read
DevSecOps

Policy as Code for Security: A Practical Guide

When your security rules live in a wiki, they are advice. When they live in version-controlled code the pipeline enforces, they are controls. Here is how to move security policy into code that actually runs.

Jul 4, 20266 min read
DevSecOps

Jenkins Pipeline Security: Hardening the Controller and Your Builds

Jenkins is a favorite target because the controller holds every credential and runs arbitrary Groovy. This guide covers CVE-2024-23897, the plugin attack surface, credential handling, ephemeral agents, and adding scanning.

Jul 3, 20266 min read
DevSecOps

SBOMs in the CI/CD Pipeline: From Generation to Actually Useful

Generating an SBOM is easy. Making it answer 'are we affected by this CVE, and where?' in seconds is the part most teams skip. Here is how to build SBOMs into your pipeline so they earn their keep.

Jul 3, 20266 min read
DevSecOps (Page 5) — Supply Chain Security Blog | Safeguard