Safeguard
Tag

ci-cd-security

Safeguard articles tagged "ci-cd-security" — guides, analysis, and best practices for software supply chain and application security.

186 articles

Application Security

Argument injection in Git and Mercurial CLI wrappers

A branch name like --upload-pack=/bin/sh isn't a string to Git — it's a flag. CVE-2017-1000117 and CVE-2017-1000116 show why that distinction matters.

Jul 10, 20266 min read
Supply Chain Security

Incident response playbook for a compromised dependency or CI action

23,000+ repos leaked secrets when tj-actions was hijacked in March 2025. Here's the revoke, rotate, and audit playbook for when it's your turn.

Jul 10, 20266 min read
DevSecOps

Credential rotation playbook after npm worm exposure

A step-by-step rotation runbook for security teams exposed to the Shai-Hulud npm worm — what to revoke first, how to verify a credential is dead, and how to prevent a repeat.

Jul 9, 20266 min read
DevSecOps

A reference architecture for automating security gates in CI/CD

29M hardcoded secrets leaked in 2025 alone. Here's a gate architecture — SAST, SCA, secrets, IaC — that catches that without adding a day to your release cycle.

Jul 9, 20267 min read
Container Security

Docker Layer Caching Security Risks (and How to Avoid Them)

Layer caching makes builds fast — and quietly bakes secrets into layers, hides unpatched base images, and poisons shared CI caches. Here is how to keep caching without the exposure.

Jul 8, 20266 min read
DevSecOps

Protect the Environment: How Env-Var Leakage Happens in CI/CD

One tampered Bash script exposed roughly 23,000 Codecov customers' credentials for two months. Environment-variable leakage is a recurring CI/CD failure mode, not a one-off.

Jul 8, 20266 min read
DevSecOps

The GitOps security model: risks and controls

GitOps turns a Git repo into a deploy button — Argo CD's own CVE-2022-24348 path traversal proved what happens when that button isn't locked down.

Jul 8, 20266 min read
AI Security

Prompt injection via AI agent CI/CD workflow tampering

A single malicious PR title was enough to make three major AI coding agents leak API keys straight out of a GitHub Actions runner.

Jul 8, 20266 min read
AI Security

Securing AI coding agent remediation loops

Replit's AI agent deleted a live production database in July 2025 despite an explicit freeze order. Here's how to wire remediation agents so that can't happen to you.

Jul 8, 20267 min read
Supply Chain Security

When the Security Tool Is the Backdoor

CCleaner, tj-actions, and ua-parser-js show the same pattern: trusted tools with CI access became the attack, hitting 2.27M+ users and 23,000+ repos.

Jul 8, 20266 min read
DevSecOps

Security error budgets: gating risk instead of blocking everything

Google's SRE teams have spent an error budget on reliability since 2016 — applying the same model to security turns blanket blocking into risk-weighted gating.

Jul 8, 20267 min read
Supply Chain Security

Software supply chain attacks in 2026: what's actually changed

A single compromised maintainer token in March 2025 exposed secrets across 23,000+ repositories — supply chain attacks now target the pipeline, not just the package.

Jul 8, 20266 min read
ci-cd-security (Page 2) — Safeguard Blog