Safeguard
Tag

ci-cd-security

Safeguard articles tagged "ci-cd-security" — guides, analysis, and best practices for software supply chain and application security.

186 articles

Buyer's Guides

Best container image scanning tools

A practical comparison of container image scanning tools — Trivy, Grype, Snyk, Docker Scout, Clair, and Anchore — with real strengths, limits, and how to pick one.

Nov 17, 20257 min read
Buyer's Guides

Best CI/CD pipeline security tools

A fair, no-hype buyer's guide to CI/CD pipeline security tools: what to evaluate, six real vendors compared, and where Safeguard fits in the stack.

Nov 15, 20258 min read
Buyer's Guides

Best GitHub Actions security scanning tools

A practical, no-hype comparison of GitHub Actions security tools — Zizmor, StepSecurity, Scorecard, Checkov, GitGuardian, and Legit Security — plus what to evaluate before you buy.

Nov 15, 20257 min read
Incident Analysis

Codecov Bash Uploader supply chain breach

A look back at the 2021 Codecov Bash Uploader breach: how a tampered CI script exfiltrated secrets for two months, and what it teaches about supply chain risk.

Nov 8, 20257 min read
Incident Analysis

3CX desktop app supply chain compromise

A breakdown of the 3CX supply chain compromise: how Lazarus-linked attackers poisoned a signed desktop build via a nested vendor attack chain.

Nov 7, 20257 min read
Incident Analysis

GitHub Actions supply chain risk report

A look at the tj-actions/changed-files compromise and the broader trend of GitHub Actions supply chain attacks — and what security teams should do now.

Nov 5, 20257 min read
Cloud Security

CI/CD pipeline security vulnerability trends

CI/CD pipelines now hold the keys attackers want most. Here's what tj-actions, Ultralytics, and Jenkins CVE-2024-23897 reveal about the trend.

Nov 3, 20257 min read
Software Supply Chain Security

Unapproved Change Risk in the Software Supply Chain

How unreviewed code, dependency, and pipeline changes create supply chain breaches like SolarWinds and XZ Utils - and how to detect them before attackers do.

Nov 2, 20258 min read
Industry Analysis

Session Persistence Security Risks

CircleCI, Okta, Sourcegraph, and Codecov were all breached the same way: a session token outlived the trust that created it. Here's how session persistence becomes a supply chain risk.

Nov 1, 20258 min read
DevSecOps

Shift-Left Security Testing in Practice

Shift-left security testing means catching vulnerabilities at commit time instead of at deployment — here's what that actually looks like on a working pipeline, not just the slogan.

Sep 17, 20255 min read
Concepts

What is Secretless Authentication in CI/CD

Secretless authentication replaces stored CI credentials with short-lived OIDC tokens minted per job. Here's the trust-policy plumbing, provider support, and the pitfalls.

Sep 16, 20257 min read
Application Security

How Snyk Code's incremental scanning speeds up repeated s...

Snyk Code speeds up repeat SAST scans on large codebases by re-analyzing only changed files instead of the whole repository each time.

Sep 10, 20257 min read
ci-cd-security (Page 12) — Safeguard Blog