Safeguard
Tag

ci-cd-security

Safeguard articles tagged "ci-cd-security" — guides, analysis, and best practices for software supply chain and application security.

186 articles

DevSecOps

Jenkins Pipeline Security: Hardening the Controller and Your Builds

Jenkins is a favorite target because the controller holds every credential and runs arbitrary Groovy. This guide covers CVE-2024-23897, the plugin attack surface, credential handling, ephemeral agents, and adding scanning.

Jul 3, 20266 min read
Software Supply Chain Security

Mini Shai-Hulud AntV npm packages compromise

A compromised npm maintainer account pushed 639 malicious @antv package versions in 10 minutes, stealing CI/CD secrets via a fake OpenTelemetry channel.

Jul 3, 20267 min read
DevSecOps

SBOMs in the CI/CD Pipeline: From Generation to Actually Useful

Generating an SBOM is easy. Making it answer 'are we affected by this CVE, and where?' in seconds is the part most teams skip. Here is how to build SBOMs into your pipeline so they earn their keep.

Jul 3, 20266 min read
Software Supply Chain Security

tj-actions/changed-files GitHub Action compromise

How the tj-actions/changed-files GitHub Action compromise (CVE-2025-30066) leaked CI/CD secrets from 23,000+ repos, and how to prevent it.

Jul 3, 20266 min read
Software Supply Chain Security

The Ultralytics AI pwn request supply chain attack

How a malicious pull request, a poisoned GitHub Actions cache, and a stored PyPI token turned the Ultralytics YOLO package into a cryptominer.

Jul 3, 20267 min read
Container Security

Container Image Scanning: A Practical Guide

Scanning a container image is easy. Scanning it at the right moment, cutting the false positives, and gating deploys on the result is where most programs fall apart.

Jul 2, 20266 min read
DevSecOps

GitHub Actions Security Hardening: A Practical Checklist

GitHub Actions runs arbitrary code with access to your secrets and repos. A hands-on hardening guide — SHA pinning, least-privilege GITHUB_TOKEN, OIDC, and runner protection — with copy-paste YAML.

Jul 2, 20265 min read
DevSecOps

GitLab CI Security Best Practices for 2026

GitLab CI hands every job a CI_JOB_TOKEN, a runner, and your variables. This guide covers the real attack surface — remote includes, token scope, privileged runners — with hardened .gitlab-ci.yml examples, OIDC, and scanning.

Jul 2, 20266 min read
DevSecOps

Security Gates in CI/CD: How to Block Risk Without Blocking Delivery

A security gate that fails every build gets disabled by Friday. Here is how to design CI/CD security gates that stop real risk, stay fast, and keep developers on your side.

Jul 2, 20266 min read
DevSecOps

CI/CD Pipeline Security Best Practices for 2026

Your build pipeline is production-adjacent infrastructure with credentials to everything. Here are the CI/CD security practices — mapped to the OWASP Top 10 CI/CD risks — that actually close the gaps attackers use.

Jul 1, 20265 min read
DevSecOps

GitHub Actions Supply Chain Security: A 2026 Hardening Guide

GitHub Actions runs with your secrets and write access to your repo. This guide maps the real attack surface — from the tj-actions compromise to script injection — and gives you copy-paste hardening, OIDC, and scanning.

Jul 1, 20266 min read
Career

How to Learn DevSecOps in 2026: A Beginner's Roadmap

DevSecOps is one of the most hireable skill sets in software today. Here is a practical, mostly free roadmap for students and career-changers—the mindset, the skills, the resources, and the portfolio that gets you hired.

Jul 1, 20267 min read
ci-cd-security (Page 4) — Safeguard Blog