azure-devops
Safeguard articles tagged "azure-devops" — guides, analysis, and best practices for software supply chain and application security.
11 articles
Azure Pipelines Security: Stop Treating YAML as Config
An Azure Pipeline is a program with attacker-controllable input, not a config file. This guide covers macro injection, task and template pinning, environment approvals, workload identity federation, and adding scanning.
GitHub Advanced Security for Azure DevOps: general availa...
GitHub Advanced Security for Azure DevOps hit GA on June 1, 2023 at $49/committer/month. Here's what it covers, what it misses, and how Safeguard fills the gaps.
Azure DevOps pipeline security best practices
A practical guide to the six Azure DevOps pipeline settings attackers exploit most, with exact controls to fix fork triggers, secrets, and agents.
Azure DevOps Pipeline Supply Chain Hardening 2026
A 2026 hardening guide for Azure DevOps Pipelines: service connections, workload identity federation, approval gates, agent isolation, and SLSA integration.
Azure DevOps Personal Access Tokens in 2026: Rotation, Scoping, and Replacement
PATs remain the most common credential leak in Azure DevOps incidents. We trace the patterns that actually reduce risk and the migration paths that retire them entirely.
Azure DevOps Supply Chain Hardening Guide
A senior engineer's 2026 playbook for hardening Azure DevOps against the supply chain attacks that actually happen: extensions, service connections, and template injection.
Securing Azure DevOps pipelines against supply chain comp...
Pipelines now hold more privilege than the apps they build. Here's how Azure DevOps pipeline security actually breaks down—and how to close the gaps.
Signing container images and generating SBOMs in Azure pi...
A practical walkthrough for Azure container image signing with Notation and ACR content trust, plus generating SBOMs inside Azure DevOps pipelines.
OpenSSF Scorecard v5.1: Azure DevOps Support and File-Mode Selection
Scorecard v5.1 added experimental Azure DevOps repository support and a new --file-mode flag that materially changes how repository files are fetched.
Azure DevOps YAML Pipeline Hardening
A practical, line-by-line walk through hardening Azure DevOps YAML pipelines — template injection, task version pinning, approvals, and the defaults that will bite you.
Azure DevOps Supply Chain Risks: Securing Your Microsoft CI/CD Pipeline
Azure DevOps pipelines present unique supply chain risks from marketplace extensions to service connections. A breakdown of the attack surface and how to harden it.