ci-cd
Safeguard articles tagged "ci-cd" — guides, analysis, and best practices for software supply chain and application security.
153 articles
DevSecOps best practices for secure builds: an 8-point SDLC framework
Log4Shell (Dec 2021) and the XZ Utils backdoor (Mar 2024) exposed two different SDLC failure modes. An 8-point framework closes both.
Policy as Code: Enforcing Cloud Security Guardrails in CI/CD Instead of Manual Review
OPA reached CNCF Graduated status in January 2021 — yet most teams still catch misconfigured IAM roles by eyeballing a pull request.
Where Security Gates Belong in Your CI/CD Pipeline
23.8 million secrets leaked on public GitHub in 2024 alone. The fix isn't more scanners — it's putting the right gate at the right stage and tuning out the noise.
Scanning AI-Generated Code Before It Merges: Wiring Scanners into Coding Assistants with MCP
Research found ~40% of Copilot suggestions were vulnerable, and devs using AI assistants trusted their code more. MCP lets you scan before merge.
Reconstructing the tj-actions/changed-files compromise
CVE-2025-30066 hit CISA's KEV list within 3 days: 23,000+ repos ran a poisoned GitHub Action that dumped CI secrets straight into public build logs.
OIDC vs Static Credentials in CI/CD (2026 Guide)
Static secrets in CI are the credential most likely to be stolen — as the CircleCI breach proved. OIDC federation issues short-lived, per-run credentials with nothing to leak. Here is how to make the switch.
Automating container image vulnerability scans in GitHub Actions
A fail-the-build scanning pipeline is a few YAML lines away — but pin the Action wrong and you inherit its supply chain risk too.
DevSecOps on AWS: a reference architecture for CI/CD security gates
Amazon Inspector, CodePipeline manual approvals, and SLSA v1.0 (April 2023) give you the primitives — but nobody ships them wired together as one gated pipeline.
A reference architecture for SAST, SCA, and DAST gates that don't block developers
Log4Shell sat exploitable for 8 days before public disclosure in December 2021 — the canonical case for why security gates belong in CI, not just at release.
Shifting Infrastructure-as-Code security left across the SDLC
Terrascan went archived in November 2025 and tfsec folded into Trivy in 2024 — IaC scanning is consolidating fast, and where you run it matters as much as which tool you pick.
Wiring dependency and SAST scanning into your JavaScript CLI workflow
npm audit has shipped for free since npm 6 in 2018, yet most JavaScript teams still find out about vulnerable dependencies in a Slack alert, not a failed commit.
Rego for intermediates: combining rules with AND/OR and writing actionable error messages
Rego has no `&&` or `||` operators — AND is implicit, OR means writing the same rule twice, and most teams miss both until a policy silently passes.