DevSecOps
In-depth guides and analysis on devsecops from the Safeguard engineering team.
378 articles
Reducing developer friction in AppSec adoption
Why traditional SAST tooling like Checkmarx creates developer friction, what it costs engineering teams, and how to build developer experience application security that ships.
Azure DevOps pipeline security best practices
A practical guide to the six Azure DevOps pipeline settings attackers exploit most, with exact controls to fix fork triggers, secrets, and agents.
DevOps vs DevSecOps: what actually changes when you add s...
DevOps vs DevSecOps isn't a mindset shift — it's specific new artifacts, gates, and ownership. Here's what changes, contrasted with JFrog's artifact-first model.
Policy-as-code for CI/CD: enforcing security gates withou...
How policy-as-code turns security gates from build-breaking friction into fast, git-versioned CI/CD checks — and where Safeguard's approach differs from JFrog's Xray and Curation model.
Best DevSecOps tools to secure the SDLC
Comparing the best DevSecOps tools to secure the SDLC: Mend.io's SCA-first platform vs Safeguard's reachability-driven, supply-chain-wide approach.
Mutable Tags Strike Again: actions-cool GitHub Action Tags Redirected to Imposter Commits (May 2026)
In May 2026, every tag on actions-cool/issues-helper and 15 tags on maintain-one-comment were quietly moved to point at imposter commits that stole CI/CD credentials from runner memory. A look at the mutable-tag attack class and how to defeat it.
Top 8 DevSecOps best practices
Log4Shell and the xz backdoor show why DevSecOps matters. Eight concrete practices — from reachability triage to auto-fix PRs — teams can implement now.
How to implement DevSecOps in 4 steps
A concrete, 4-step playbook for implementing DevSecOps — pipeline gating, SBOM generation, reachability-based triage, and auto-fix PRs.
DevSecOps automation: principles, frameworks, and tools
A practical breakdown of DevSecOps automation frameworks — principles, standards like NIST SSDF, and the tools that turn shift-left security into a repeatable pipeline.
The 4 best DevSecOps tools for a secure DevOps workflow
The 4 DevSecOps tool categories a secure pipeline needs — SCA, SAST, container/IaC scanning, secrets scanning — with real incidents and fixes.
Building a security-conscious CI/CD pipeline
CI/CD pipelines are now the top supply chain target. Here's how to build one with real controls—secrets, scoping, SBOMs, and provenance.
8 tips for securing your CI/CD pipeline
Real incidents like tj-actions and xz-utils show how CI/CD pipelines get compromised. Eight concrete, actionable tips to lock yours down.