Safeguard
Tag

ci-cd-security

Safeguard articles tagged "ci-cd-security" — guides, analysis, and best practices for software supply chain and application security.

186 articles

DevSecOps

CI/CD Supply Chain Attacks Explained: Anatomy and Defense

From SolarWinds to tj-actions, CI/CD pipelines are where one foothold reaches thousands of victims. This guide explains the anatomy of a pipeline supply chain attack and the layered defenses that stop it.

Jul 7, 20267 min read
DevSecOps

Security Regression Testing: Make Sure Fixed Vulnerabilities Stay Fixed

A vulnerability you patched last quarter that quietly comes back this quarter is worse than one you never fixed — because you thought it was handled. Here is how to build security regression testing that keeps fixes fixed.

Jul 7, 20266 min read
Career

How to Become a DevSecOps Engineer in 2026

The DevSecOps engineer role blends development, operations, and security into one high-demand job. Here is what it involves, what it pays attention to, and a practical, mostly free path to landing one.

Jul 6, 20266 min read
DevSecOps

Securing CI/CD Secrets: OIDC, Scanning, and Short-Lived Credentials

CI/CD secrets are the crown jewels attackers go after — the CircleCI breach forced every customer to rotate everything. This guide covers secret sprawl, scanning, OIDC federation, and killing long-lived credentials for good.

Jul 6, 20266 min read
Software Supply Chain Security

The Codecov Bash uploader breach

How a Docker image flaw let attackers tamper with Codecov's Bash Uploader for 65 days, exfiltrating CI secrets from HashiCorp, Twilio, and more.

Jul 6, 20267 min read
DevSecOps

Azure Pipelines Security: Stop Treating YAML as Config

An Azure Pipeline is a program with attacker-controllable input, not a config file. This guide covers macro injection, task and template pinning, environment approvals, workload identity federation, and adding scanning.

Jul 5, 20266 min read
DevSecOps

Secrets Scanning: Stop Leaking Credentials Before They Ship

A leaked API key in Git history is compromised the moment it is pushed — deleting the commit does not help. Here is how to build secrets scanning across your whole lifecycle, from pre-commit to Git history.

Jul 5, 20267 min read
Threat Research

Build Pipeline Compromise: When the Factory Ships the Malware

A build pipeline compromise injects malicious code during CI/CD, so the software you sign and ship is already backdoored. Here is how it works and how to defend.

Jul 4, 20266 min read
DevSecOps

CircleCI Security Best Practices After the 2023 Breach

The January 2023 CircleCI incident forced every customer to rotate every secret. Here is what it taught us — plus hardened config.yml examples for orb pinning, restricted contexts, OIDC, and adding scanning.

Jul 4, 20266 min read
Threat Research

Lessons from the Codecov Breach: When Your CI Secrets Walk Out the Door

For two months in 2021, Codecov's Bash Uploader quietly exfiltrated CI environment variables. Here is how a single trusted script became a mass credential-harvesting operation.

Jul 4, 20266 min read
Container Security

Scanning Docker Images in CI/CD Pipelines

Scanning a container after it deploys is an incident report. Scanning it in the pipeline is a one-line diff. Here is how to gate builds on image scans without drowning developers in false positives.

Jul 4, 20265 min read
Container Security

Container Image Scanning Best Practices

A practical guide to container image scanning: when to scan, what to block, what scanners like Snyk miss, and how to build a policy that actually gets remediated.

Jul 4, 20268 min read
ci-cd-security (Page 3) — Safeguard Blog