Safeguard
Tag

ci-cd-security

Safeguard articles tagged "ci-cd-security" — guides, analysis, and best practices for software supply chain and application security.

186 articles

Product

Why Security Debt Accumulates Fastest in the Most 'Produc...

High-velocity engineering teams accumulate the most security debt, not the least. Here's why speed hides risk — and how to catch it without slowing down.

Jul 23, 20257 min read
DevSecOps

Policy Bypass Culture: What Happens When Deadlines Beat G...

When deadlines collide with security gates, developers bypass them quietly and often. Here's how policy bypass culture forms, what it costs, and how to stop it.

Jul 18, 20258 min read
Concepts

What is a Build Cache Poisoning Attack

Build cache poisoning plants malicious entries in a shared CI cache so trusted builds unknowingly consume attacker-controlled artifacts. Here's the mechanics and the fixes.

Jul 14, 20256 min read
DevSecOps

DevOps Security Best Practices: Shifting Left Without Slowing Down

Shift left fails when it means shifting friction left. Here are the DevOps security best practices that catch issues early while keeping pipelines fast enough that engineers leave the gates on.

Jun 24, 20256 min read
Guides

How to Vet a GitHub Action Before You Trust It with Secrets

Third-party Actions run with your repo's token and secrets. A vetting routine: read the source at the pinned SHA, audit the bundled dist, scope permissions, and contain egress.

Jun 22, 20256 min read
Concepts

What is a Trusted Publisher (PyPI and npm)

A trusted publisher lets your CI workflow publish packages with short-lived OIDC tokens instead of stored API keys. Here's how it works on PyPI and where npm stands.

May 21, 20257 min read
Cloud Security

Cloud Application Security Best Practices

Five layers cover most of the risk in cloud apps: identity, secrets, artifact scanning, pipeline gates, and runtime guardrails. Here is how to build each one without slowing delivery.

Apr 16, 20255 min read
Containers

Dockerfile Best Practices: Security, Size, and Build Speed

Most Dockerfiles are copy-pasted from a tutorial and never revisited. Here's what actually shrinks image size, closes the common security holes, and speeds up rebuilds.

Apr 14, 20255 min read
Vulnerability Analysis

GitLab Pipeline Execution Vulnerability CVE-2024-6678: Running Pipelines as Any User

CVE-2024-6678 allowed attackers to trigger GitLab CI/CD pipelines as arbitrary users, potentially accessing secrets and deploying malicious code through impersonated pipeline runs.

Sep 12, 20246 min read
DevSecOps

Jenkins + Maven Integration Security

Jenkins is still the most common Maven build driver in enterprise Java shops. It is also where most supply chain incidents start. Here is what to change before it becomes your problem.

Sep 8, 20247 min read
Engineering

A Beginner's Guide to Threat Modeling Your Build Pipeline

Your CI system is a production system with worse access controls. A first threat model of the pipeline takes one whiteboard session and usually finds something ugly.

Aug 25, 20247 min read
Supply Chain Security

GitHub Actions Artifact Poisoning: A Growing Supply Chain Attack Vector

Researchers disclosed techniques to poison GitHub Actions artifacts, enabling code execution in CI/CD pipelines of downstream projects. The attack exploits trust assumptions in artifact sharing.

Aug 12, 20247 min read
ci-cd-security (Page 14) — Safeguard Blog