Safeguard
Tag

ci-cd-security

Safeguard articles tagged "ci-cd-security" — guides, analysis, and best practices for software supply chain and application security.

186 articles

DevSecOps

Securing AWS CodePipeline and CodeBuild against supply ch...

CodePipeline and CodeBuild sit where code, secrets, and compute converge unattended — here's where supply chain attacks actually enter and how to close the gaps.

Jan 20, 20267 min read
DevSecOps

Using GCP Workload Identity Federation for keyless CI/CD ...

GCP Workload Identity Federation lets CI/CD pipelines authenticate with short-lived tokens instead of service account keys. Here's how it works and how to migrate.

Jan 12, 20267 min read
DevSecOps

Securing Cloud Build pipelines and generating SLSA proven...

How to secure Cloud Build supply chain security with least-privilege service accounts and SLSA provenance so tampered builds never reach production.

Jan 10, 20267 min read
Vulnerability Analysis

CI/CD pipeline supply chain attacks explained

A breakdown of how CI/CD supply chain attacks work, from SolarWinds to the 2025 tj-actions/changed-files breach, and how to detect and stop them.

Dec 7, 20256 min read
Vulnerability Analysis

Argument injection vulnerabilities explained

How argument injection (CWE-88) vulnerabilities work, real CVEs like PHPMailer and Git ssh URLs, and how teams detect and prevent CWE-88 flaws.

Dec 1, 20257 min read
DevSecOps

The tj-actions/changed-files GitHub Action Supply Chain C...

CVE-2025-30066 exposed how a compromised tj-actions/changed-files GitHub Action leaked CI/CD secrets into build logs across 23,000+ repos. Timeline, impact, and fixes.

Dec 1, 20258 min read
DevSecOps

Jenkins CLI Java Deserialization Remote Code Execution (C...

CVE-2017-1000353 let attackers gain unauthenticated RCE on Jenkins via CLI Java deserialization. Here's the impact, timeline, and how to remediate it.

Nov 26, 20258 min read
DevSecOps

Jenkins Script Security Sandbox Bypass Leading to RCE (CV...

CVE-2019-1003029 let attackers escape the Jenkins Script Security sandbox and execute arbitrary code via crafted Groovy pipeline scripts.

Nov 25, 20258 min read
DevSecOps

Jenkins Arbitrary File Read via Crafted CLI Command (CVE-...

CVE-2018-1999002 let attackers read arbitrary files from Jenkins masters via crafted requests to the Stapler framework, exposing secrets and credentials.

Nov 25, 20258 min read
DevSecOps

GitLab Unauthenticated RCE via ExifTool Image Processing ...

CVE-2021-22205 let attackers gain unauthenticated RCE on self-hosted GitLab via ExifTool image parsing. Here's the affected versions, severity, timeline, and fixes.

Nov 24, 20257 min read
Buyer's Guides

Best secrets scanning tools for CI/CD pipelines

A practical, no-hype comparison of secrets scanning tools for CI/CD: what gitleaks, TruffleHog, and GitGuardian catch, and where each one falls short.

Nov 18, 20259 min read
Industry Analysis

Best SLSA-compliant build systems

A fair comparison of SLSA compliant build systems—GitHub Actions, Cloud Build, GitLab, Tekton Chains—with real strengths and limitations for Build Level 3.

Nov 18, 20258 min read
ci-cd-security (Page 11) — Safeguard Blog