DevSecOps
In-depth guides and analysis on devsecops from the Safeguard engineering team.
378 articles
Developer survey: security friction in the SDLC
A new Safeguard survey of 540 developers finds most have shipped code with known security warnings, driven by alert fatigue and manual SBOM work.
Zarf Air-Gap Deployment: A 2026 Walkthrough
How Zarf 0.45 packages and deploys Kubernetes workloads into disconnected environments, where the design works well, and the operational realities to plan for.
Drone CI Supply Chain Hardening 2026
A 2026 hardening guide for Drone CI: plugin trust, runner isolation, signed pipelines, secret scoping, and integrating Drone with SLSA and sigstore.
AWS CodePipeline Supply Chain Defence 2026
AWS CodePipeline is where most AWS-native supply chain attacks land in 2026. This is the defence blueprint that actually works in production accounts.
Shift-Left Without Friction: Dev Experience 2026
Shift-left only works when developers stop noticing it. A 2026 playbook for moving supply chain checks earlier without burning the people who ship code.
Developer infrastructure posture: integrating ASPM early
Prisma Cloud built ASPM outward from the cloud. Real breaches like tj-actions and SolarWinds start earlier, in developer infrastructure that needs its own continuous posture model.
Azure DevOps Pipeline Supply Chain Controls
Azure DevOps pipelines hold more production deploy power than any other system in many enterprises. The 2026 supply chain controls are not optional anymore.
Kubernetes and Infrastructure as Code security
Prisma Cloud pioneered infrastructure as code security scanning for Kubernetes, but alert fatigue and weak commit-level traceability leave real gaps. Here's how to close them.
What Is the CI/CD Pipeline (and CI/CD security)?
CI/CD pipelines now hold more privileged access than any other system — yet they're the least monitored. Here's what CI/CD pipeline security really requires.
IDE-Time Feedback Loop For Supply Chain
The editor is the highest-leverage place to catch supply chain risk. A design guide for building IDE-time feedback that developers actually want.
CircleCI Orb Trust and Pinning in 2026
How to manage CircleCI orb trust in 2026: certified versus uncertified orbs, version pinning, contexts, OIDC, and the controls that hold under real attacker pressure.
What is DevSecOps
DevSecOps embeds security into every pipeline stage instead of a final review — here's what it means, how it works, and why Equifax and Log4Shell made it mandatory.