Safeguard
Tag

ci-cd-security

Safeguard articles tagged "ci-cd-security" — guides, analysis, and best practices for software supply chain and application security.

186 articles

Supply Chain Attacks

Anatomy of the Codecov Bash Uploader compromise

A single altered line in Codecov's Bash Uploader ran undetected for 65 days, siphoning CI secrets from thousands of pipelines before anyone noticed.

Jul 16, 20266 min read
Supply Chain Attacks

The elementary-data hijack: when a dbt observability tool became a credential harvester

A hijacked GitHub Actions token let attackers publish a backdoored elementary-data release that stole cloud, warehouse, and SSH credentials.

Jul 16, 20266 min read
AI Security

When the Scanner Is the Backdoor: The LiteLLM Trivy Attack

On March 19, 2026, TeamPCP hijacked Trivy's GitHub Action to steal LiteLLM's PyPI token, then shipped a backdoored release, CVE-2026-33634, CVSS 9.4.

Jul 16, 20266 min read
Supply Chain Attacks

Postmortem: The Bun-Based Stealer Inside SAP's @cap-js and mbt Packages

Four SAP npm packages shipped a Bun-executed credential stealer on April 29, 2026 — a look at how it evaded Node-centric detection and what actually stops it.

Jul 16, 20266 min read
DevSecOps

Secure SDLC: A Practical Guide to Embedding Security Gates in Every Phase

NIST finalized the Secure Software Development Framework in February 2022, yet most teams still bolt security on at release. Here's where the gates actually belong.

Jul 16, 20267 min read
Supply Chain Attacks

Lessons from the CircleCI 2023 secrets breach

A stolen session cookie bypassed 2FA and let attackers read secrets from live memory. CircleCI's own timeline shows what fast rotation actually requires.

Jul 15, 20267 min read
Best Practices

AppSec anti-patterns to eliminate

23.8M secrets leaked on public GitHub in 2024 alone. Here are the AppSec anti-patterns behind numbers like that — and the concrete practices that replace them.

Jul 14, 20266 min read
Supply Chain Security

A four-surface framework for software supply-chain risk

Supply-chain attacks are up 650% year over year, per the SLSA framework — yet most teams still map risk to one surface instead of four.

Jul 14, 20267 min read
Application Security

Integrating C/C++ security scanning into CI pipelines

Roughly 70% of CVEs Microsoft assigns each year are memory-safety bugs. Here's how to catch them in C/C++ CI pipelines before they ship.

Jul 13, 20267 min read
DevSecOps

Securing Playwright E2E Tests in GitHub Actions Without Leaking Secrets

A 2025 supply-chain attack on tj-actions/changed-files hit 23,000+ repos and dumped secrets into public logs — the same CI patterns power most Playwright pipelines.

Jul 12, 20267 min read
DevSecOps

Writing Rego policies for Kubernetes admission control and CI gates

Open Policy Agent graduated CNCF on Jan 29, 2021 — yet most teams still ship Rego with no default-deny, turning a policy gate into a rubber stamp.

Jul 11, 20268 min read
AI Security

Least-privilege scoping for AI agents with write access to code, CI, and cloud

OWASP's 2025 LLM Top 10 names Excessive Agency a top risk; a single over-scoped CI token already dumped secrets from 23,000+ repos in 2025.

Jul 10, 20268 min read
ci-cd-security — Safeguard Blog