ci-cd-security
Safeguard articles tagged "ci-cd-security" — guides, analysis, and best practices for software supply chain and application security.
186 articles
Anatomy of the Codecov Bash Uploader compromise
A single altered line in Codecov's Bash Uploader ran undetected for 65 days, siphoning CI secrets from thousands of pipelines before anyone noticed.
The elementary-data hijack: when a dbt observability tool became a credential harvester
A hijacked GitHub Actions token let attackers publish a backdoored elementary-data release that stole cloud, warehouse, and SSH credentials.
When the Scanner Is the Backdoor: The LiteLLM Trivy Attack
On March 19, 2026, TeamPCP hijacked Trivy's GitHub Action to steal LiteLLM's PyPI token, then shipped a backdoored release, CVE-2026-33634, CVSS 9.4.
Postmortem: The Bun-Based Stealer Inside SAP's @cap-js and mbt Packages
Four SAP npm packages shipped a Bun-executed credential stealer on April 29, 2026 — a look at how it evaded Node-centric detection and what actually stops it.
Secure SDLC: A Practical Guide to Embedding Security Gates in Every Phase
NIST finalized the Secure Software Development Framework in February 2022, yet most teams still bolt security on at release. Here's where the gates actually belong.
Lessons from the CircleCI 2023 secrets breach
A stolen session cookie bypassed 2FA and let attackers read secrets from live memory. CircleCI's own timeline shows what fast rotation actually requires.
AppSec anti-patterns to eliminate
23.8M secrets leaked on public GitHub in 2024 alone. Here are the AppSec anti-patterns behind numbers like that — and the concrete practices that replace them.
A four-surface framework for software supply-chain risk
Supply-chain attacks are up 650% year over year, per the SLSA framework — yet most teams still map risk to one surface instead of four.
Integrating C/C++ security scanning into CI pipelines
Roughly 70% of CVEs Microsoft assigns each year are memory-safety bugs. Here's how to catch them in C/C++ CI pipelines before they ship.
Securing Playwright E2E Tests in GitHub Actions Without Leaking Secrets
A 2025 supply-chain attack on tj-actions/changed-files hit 23,000+ repos and dumped secrets into public logs — the same CI patterns power most Playwright pipelines.
Writing Rego policies for Kubernetes admission control and CI gates
Open Policy Agent graduated CNCF on Jan 29, 2021 — yet most teams still ship Rego with no default-deny, turning a policy gate into a rubber stamp.
Least-privilege scoping for AI agents with write access to code, CI, and cloud
OWASP's 2025 LLM Top 10 names Excessive Agency a top risk; a single over-scoped CI token already dumped secrets from 23,000+ repos in 2025.