DevSecOps
In-depth guides and analysis on devsecops from the Safeguard engineering team.
378 articles
Why NVD alone is not enough: the case for multi-source vulnerability intelligence
NIST now fully enriches a fraction of CVEs — on April 15, 2026 it moved to a triage model that leaves most of 2025's 48,185 published CVEs without a timely severity score.
Pre-Commit Security Hooks: Catch Problems Before They're Committed
The cheapest place to catch a security issue is before the commit exists. Here is how to set up pre-commit security hooks that give developers instant feedback without slowing them down.
Securing CI/CD Secrets: OIDC, Scanning, and Short-Lived Credentials
CI/CD secrets are the crown jewels attackers go after — the CircleCI breach forced every customer to rotate everything. This guide covers secret sprawl, scanning, OIDC federation, and killing long-lived credentials for good.
Threat Modeling for Developers: A Lightweight Practical Guide
Threat modeling doesn't need a two-day workshop. A developer-friendly 2026 guide to modeling threats with the four-question framework and STRIDE — fast enough to run on a feature branch.
Azure Pipelines Security: Stop Treating YAML as Config
An Azure Pipeline is a program with attacker-controllable input, not a config file. This guide covers macro injection, task and template pinning, environment approvals, workload identity federation, and adding scanning.
Secrets Scanning: Stop Leaking Credentials Before They Ship
A leaked API key in Git history is compromised the moment it is pushed — deleting the commit does not help. Here is how to build secrets scanning across your whole lifecycle, from pre-commit to Git history.
How to Build a Security Champions Program That Lasts
A security champions program scales AppSec without scaling headcount — if it's built right. A 2026 playbook for recruiting, enabling, and retaining champions, plus the metrics that prove it works.
CircleCI Security Best Practices After the 2023 Breach
The January 2023 CircleCI incident forced every customer to rotate every secret. Here is what it taught us — plus hardened config.yml examples for orb pinning, restricted contexts, OIDC, and adding scanning.
Dependency Management Best Practices for Secure Software
Your app is mostly other people's code. A 2026 guide to managing dependencies securely — lockfiles, provenance, SBOMs, update strategy, and reachability — so a bad package doesn't become your breach.
Policy as Code for Security: A Practical Guide
When your security rules live in a wiki, they are advice. When they live in version-controlled code the pipeline enforces, they are controls. Here is how to move security policy into code that actually runs.
Jenkins Pipeline Security: Hardening the Controller and Your Builds
Jenkins is a favorite target because the controller holds every credential and runs arbitrary Groovy. This guide covers CVE-2024-23897, the plugin attack surface, credential handling, ephemeral agents, and adding scanning.
SBOMs in the CI/CD Pipeline: From Generation to Actually Useful
Generating an SBOM is easy. Making it answer 'are we affected by this CVE, and where?' in seconds is the part most teams skip. Here is how to build SBOMs into your pipeline so they earn their keep.