Safeguard
Topic

DevSecOps

In-depth guides and analysis on devsecops from the Safeguard engineering team.

378 articles

DevSecOps

Building a secure CI/CD pipeline with GitHub Actions

The tj-actions breach exposed secrets in 23,000 repos. Here's how pwn requests, unpinned tags, and self-hosted runners put your CI/CD at risk.

May 18, 20267 min read
DevSecOps

Securing self-hosted GitHub Actions runners

Self-hosted GitHub Actions runners trade GitHub's ephemeral isolation for persistent infrastructure access — here's how real incidents like CVE-2025-30066 exploited that gap.

May 17, 20267 min read
DevSecOps

Shifting security left: what it really means for teams

Shift left security means catching vulnerabilities at commit time, not audit time. Here's what that requires in practice, with real CVEs and numbers.

May 15, 20266 min read
DevSecOps

npm Trusted Publishing walkthrough: retiring long-lived publish tokens

npm Trusted Publishing replaces long-lived publish tokens with short-lived OIDC-issued credentials tied to a specific CI workflow. Here is the 2026 rollout state, what the migration actually looks like, and where the rough edges still are.

May 14, 20269 min read
DevSecOps

npm provenance attestations walkthrough for 2026

npm provenance ties a published package to the specific GitHub Actions run that built it, signed through sigstore. Here is how to enable it for a publisher, verify it on the install side, and enforce it in CI without breaking your release process.

May 13, 20269 min read
DevSecOps

Flux CD vs Argo CD: Security Comparison for 2026

A security-focused comparison of Flux 2.5 and Argo CD 3.1: trust models, multi-tenancy, secret handling, signature verification, and the operational differences.

May 13, 20266 min read
DevSecOps

Argo CD Image Updater Security Considerations in 2026

How Argo CD Image Updater works, the security tradeoffs of automated image promotion, and the configuration patterns that prevent supply chain incidents.

May 6, 20266 min read
DevSecOps

Azure DevOps Pipeline Supply Chain Hardening 2026

A 2026 hardening guide for Azure DevOps Pipelines: service connections, workload identity federation, approval gates, agent isolation, and SLSA integration.

May 6, 20265 min read
DevSecOps

Checkmarx Zero Trust Deployment Guide 2026

A practical Checkmarx zero trust deployment guide for 2026: integrating Checkmarx One into a zero-trust SDLC with policy gates, identity, and signed artifacts.

May 2, 20265 min read
DevSecOps

Semantic Reachability vs Call-Graph Reachability in 2026

Call graphs say a function is reachable. Semantic reachability asks whether the preconditions for exploitation hold. The difference matters for prioritization.

Apr 29, 20266 min read
DevSecOps

GitHub secret scanning vs dedicated scanning tools

GitHub secret scanning vs Trivy: how push protection, validity checks, and multi-source coverage differ, and where Safeguard fits for cross-repo remediation.

Apr 28, 20267 min read
DevSecOps

Annual DevSecOps maturity benchmark report

Safeguard's 2026 DevSecOps Maturity Benchmark finds detection at an all-time high but remediation stuck at a 19-day median — here's what separates the top-quartile programs.

Apr 23, 20267 min read
DevSecOps (Page 8) — Supply Chain Security Blog | Safeguard