Safeguard
Topic

DevSecOps

In-depth guides and analysis on devsecops from the Safeguard engineering team.

378 articles

DevSecOps

Reducing developer friction in AppSec adoption

Why traditional SAST tooling like Checkmarx creates developer friction, what it costs engineering teams, and how to build developer experience application security that ships.

Jun 24, 20268 min read
DevSecOps

Azure DevOps pipeline security best practices

A practical guide to the six Azure DevOps pipeline settings attackers exploit most, with exact controls to fix fork triggers, secrets, and agents.

Jun 16, 20267 min read
DevSecOps

DevOps vs DevSecOps: what actually changes when you add s...

DevOps vs DevSecOps isn't a mindset shift — it's specific new artifacts, gates, and ownership. Here's what changes, contrasted with JFrog's artifact-first model.

Jun 1, 20268 min read
DevSecOps

Policy-as-code for CI/CD: enforcing security gates withou...

How policy-as-code turns security gates from build-breaking friction into fast, git-versioned CI/CD checks — and where Safeguard's approach differs from JFrog's Xray and Curation model.

May 28, 20268 min read
DevSecOps

Best DevSecOps tools to secure the SDLC

Comparing the best DevSecOps tools to secure the SDLC: Mend.io's SCA-first platform vs Safeguard's reachability-driven, supply-chain-wide approach.

May 26, 20268 min read
DevSecOps

Mutable Tags Strike Again: actions-cool GitHub Action Tags Redirected to Imposter Commits (May 2026)

In May 2026, every tag on actions-cool/issues-helper and 15 tags on maintain-one-comment were quietly moved to point at imposter commits that stole CI/CD credentials from runner memory. A look at the mutable-tag attack class and how to defeat it.

May 21, 202610 min read
DevSecOps

Top 8 DevSecOps best practices

Log4Shell and the xz backdoor show why DevSecOps matters. Eight concrete practices — from reachability triage to auto-fix PRs — teams can implement now.

May 19, 20267 min read
DevSecOps

How to implement DevSecOps in 4 steps

A concrete, 4-step playbook for implementing DevSecOps — pipeline gating, SBOM generation, reachability-based triage, and auto-fix PRs.

May 19, 20267 min read
DevSecOps

DevSecOps automation: principles, frameworks, and tools

A practical breakdown of DevSecOps automation frameworks — principles, standards like NIST SSDF, and the tools that turn shift-left security into a repeatable pipeline.

May 19, 20268 min read
DevSecOps

The 4 best DevSecOps tools for a secure DevOps workflow

The 4 DevSecOps tool categories a secure pipeline needs — SCA, SAST, container/IaC scanning, secrets scanning — with real incidents and fixes.

May 18, 20267 min read
DevSecOps

Building a security-conscious CI/CD pipeline

CI/CD pipelines are now the top supply chain target. Here's how to build one with real controls—secrets, scoping, SBOMs, and provenance.

May 18, 20266 min read
DevSecOps

8 tips for securing your CI/CD pipeline

Real incidents like tj-actions and xz-utils show how CI/CD pipelines get compromised. Eight concrete, actionable tips to lock yours down.

May 18, 20266 min read
DevSecOps (Page 7) — Supply Chain Security Blog | Safeguard