ci-cd-security
Safeguard articles tagged "ci-cd-security" — guides, analysis, and best practices for software supply chain and application security.
186 articles
Jenkins Pipeline Security: Hardening the Controller and Your Builds
Jenkins is a favorite target because the controller holds every credential and runs arbitrary Groovy. This guide covers CVE-2024-23897, the plugin attack surface, credential handling, ephemeral agents, and adding scanning.
Mini Shai-Hulud AntV npm packages compromise
A compromised npm maintainer account pushed 639 malicious @antv package versions in 10 minutes, stealing CI/CD secrets via a fake OpenTelemetry channel.
SBOMs in the CI/CD Pipeline: From Generation to Actually Useful
Generating an SBOM is easy. Making it answer 'are we affected by this CVE, and where?' in seconds is the part most teams skip. Here is how to build SBOMs into your pipeline so they earn their keep.
tj-actions/changed-files GitHub Action compromise
How the tj-actions/changed-files GitHub Action compromise (CVE-2025-30066) leaked CI/CD secrets from 23,000+ repos, and how to prevent it.
The Ultralytics AI pwn request supply chain attack
How a malicious pull request, a poisoned GitHub Actions cache, and a stored PyPI token turned the Ultralytics YOLO package into a cryptominer.
Container Image Scanning: A Practical Guide
Scanning a container image is easy. Scanning it at the right moment, cutting the false positives, and gating deploys on the result is where most programs fall apart.
GitHub Actions Security Hardening: A Practical Checklist
GitHub Actions runs arbitrary code with access to your secrets and repos. A hands-on hardening guide — SHA pinning, least-privilege GITHUB_TOKEN, OIDC, and runner protection — with copy-paste YAML.
GitLab CI Security Best Practices for 2026
GitLab CI hands every job a CI_JOB_TOKEN, a runner, and your variables. This guide covers the real attack surface — remote includes, token scope, privileged runners — with hardened .gitlab-ci.yml examples, OIDC, and scanning.
Security Gates in CI/CD: How to Block Risk Without Blocking Delivery
A security gate that fails every build gets disabled by Friday. Here is how to design CI/CD security gates that stop real risk, stay fast, and keep developers on your side.
CI/CD Pipeline Security Best Practices for 2026
Your build pipeline is production-adjacent infrastructure with credentials to everything. Here are the CI/CD security practices — mapped to the OWASP Top 10 CI/CD risks — that actually close the gaps attackers use.
GitHub Actions Supply Chain Security: A 2026 Hardening Guide
GitHub Actions runs with your secrets and write access to your repo. This guide maps the real attack surface — from the tj-actions compromise to script injection — and gives you copy-paste hardening, OIDC, and scanning.
How to Learn DevSecOps in 2026: A Beginner's Roadmap
DevSecOps is one of the most hireable skill sets in software today. Here is a practical, mostly free roadmap for students and career-changers—the mindset, the skills, the resources, and the portfolio that gets you hired.