DevSecOps
In-depth guides and analysis on devsecops from the Safeguard engineering team.
378 articles
Building a secure CI/CD pipeline with GitHub Actions
The tj-actions breach exposed secrets in 23,000 repos. Here's how pwn requests, unpinned tags, and self-hosted runners put your CI/CD at risk.
Securing self-hosted GitHub Actions runners
Self-hosted GitHub Actions runners trade GitHub's ephemeral isolation for persistent infrastructure access — here's how real incidents like CVE-2025-30066 exploited that gap.
Shifting security left: what it really means for teams
Shift left security means catching vulnerabilities at commit time, not audit time. Here's what that requires in practice, with real CVEs and numbers.
npm Trusted Publishing walkthrough: retiring long-lived publish tokens
npm Trusted Publishing replaces long-lived publish tokens with short-lived OIDC-issued credentials tied to a specific CI workflow. Here is the 2026 rollout state, what the migration actually looks like, and where the rough edges still are.
npm provenance attestations walkthrough for 2026
npm provenance ties a published package to the specific GitHub Actions run that built it, signed through sigstore. Here is how to enable it for a publisher, verify it on the install side, and enforce it in CI without breaking your release process.
Flux CD vs Argo CD: Security Comparison for 2026
A security-focused comparison of Flux 2.5 and Argo CD 3.1: trust models, multi-tenancy, secret handling, signature verification, and the operational differences.
Argo CD Image Updater Security Considerations in 2026
How Argo CD Image Updater works, the security tradeoffs of automated image promotion, and the configuration patterns that prevent supply chain incidents.
Azure DevOps Pipeline Supply Chain Hardening 2026
A 2026 hardening guide for Azure DevOps Pipelines: service connections, workload identity federation, approval gates, agent isolation, and SLSA integration.
Checkmarx Zero Trust Deployment Guide 2026
A practical Checkmarx zero trust deployment guide for 2026: integrating Checkmarx One into a zero-trust SDLC with policy gates, identity, and signed artifacts.
Semantic Reachability vs Call-Graph Reachability in 2026
Call graphs say a function is reachable. Semantic reachability asks whether the preconditions for exploitation hold. The difference matters for prioritization.
GitHub secret scanning vs dedicated scanning tools
GitHub secret scanning vs Trivy: how push protection, validity checks, and multi-source coverage differ, and where Safeguard fits for cross-repo remediation.
Annual DevSecOps maturity benchmark report
Safeguard's 2026 DevSecOps Maturity Benchmark finds detection at an all-time high but remediation stuck at a 19-day median — here's what separates the top-quartile programs.