ci-cd-security
Safeguard articles tagged "ci-cd-security" — guides, analysis, and best practices for software supply chain and application security.
186 articles
Why Security Debt Accumulates Fastest in the Most 'Produc...
High-velocity engineering teams accumulate the most security debt, not the least. Here's why speed hides risk — and how to catch it without slowing down.
Policy Bypass Culture: What Happens When Deadlines Beat G...
When deadlines collide with security gates, developers bypass them quietly and often. Here's how policy bypass culture forms, what it costs, and how to stop it.
What is a Build Cache Poisoning Attack
Build cache poisoning plants malicious entries in a shared CI cache so trusted builds unknowingly consume attacker-controlled artifacts. Here's the mechanics and the fixes.
DevOps Security Best Practices: Shifting Left Without Slowing Down
Shift left fails when it means shifting friction left. Here are the DevOps security best practices that catch issues early while keeping pipelines fast enough that engineers leave the gates on.
How to Vet a GitHub Action Before You Trust It with Secrets
Third-party Actions run with your repo's token and secrets. A vetting routine: read the source at the pinned SHA, audit the bundled dist, scope permissions, and contain egress.
What is a Trusted Publisher (PyPI and npm)
A trusted publisher lets your CI workflow publish packages with short-lived OIDC tokens instead of stored API keys. Here's how it works on PyPI and where npm stands.
Cloud Application Security Best Practices
Five layers cover most of the risk in cloud apps: identity, secrets, artifact scanning, pipeline gates, and runtime guardrails. Here is how to build each one without slowing delivery.
Dockerfile Best Practices: Security, Size, and Build Speed
Most Dockerfiles are copy-pasted from a tutorial and never revisited. Here's what actually shrinks image size, closes the common security holes, and speeds up rebuilds.
GitLab Pipeline Execution Vulnerability CVE-2024-6678: Running Pipelines as Any User
CVE-2024-6678 allowed attackers to trigger GitLab CI/CD pipelines as arbitrary users, potentially accessing secrets and deploying malicious code through impersonated pipeline runs.
Jenkins + Maven Integration Security
Jenkins is still the most common Maven build driver in enterprise Java shops. It is also where most supply chain incidents start. Here is what to change before it becomes your problem.
A Beginner's Guide to Threat Modeling Your Build Pipeline
Your CI system is a production system with worse access controls. A first threat model of the pipeline takes one whiteboard session and usually finds something ugly.
GitHub Actions Artifact Poisoning: A Growing Supply Chain Attack Vector
Researchers disclosed techniques to poison GitHub Actions artifacts, enabling code execution in CI/CD pipelines of downstream projects. The attack exploits trust assumptions in artifact sharing.