Safeguard
Tag

ci-cd-security

Safeguard articles tagged "ci-cd-security" — guides, analysis, and best practices for software supply chain and application security.

186 articles

Container Security

Scanning container images in CI/CD pipelines

Where to put container image scanning in your CI/CD pipeline, what it actually catches, and how to stop CVE floods from blocking every build.

Jun 27, 20267 min read
Application Security

Secrets detection and remediation best practices

Leaked API keys still cause breaches within minutes. Here's how secrets detection and remediation should work in practice, and where scanner-only tools fall short.

Jun 26, 20268 min read
Container Security

Helm chart security scanning

Helm charts can render insecure RBAC, network policies, and default passwords even when the container image itself passes every vulnerability scan cleanly.

Jun 24, 20267 min read
Guides

How to Secure a Monorepo Without Slowing Every Team Down

Monorepo security fails when every check runs on every commit. Path-filtered CI, CODEOWNERS, per-workspace scanning, and merge queues fix that.

Jun 24, 20266 min read
DevSecOps

DevSecOps and CI/CD pipeline security

CI/CD pipelines are now a prime attack surface. Here's what Checkmarx's SAST-first approach misses, and how Safeguard secures the full pipeline.

Jun 24, 20267 min read
Supply Chain Security

CVE-2026-45321: Anatomy of the TanStack npm and PyPI Supply Chain Worm

The Mini Shai-Hulud worm hit TanStack, Mistral AI, UiPath and 170+ npm and PyPI packages by hijacking a trusted release pipeline mid-run. Here is how the software supply chain attack actually worked, and what it changes.

Jun 23, 20267 min read
Threat Intelligence

TeamPCP: Running a Software Supply Chain Attack Like a Production Pipeline

TeamPCP (UNC6780) is the most active actor in the 2026 supply chain corpus, weaponizing the tools developers trust most. Here is how the operation works, and why a zero-CVE campaign breaks the model most teams still rely on.

Jun 23, 20267 min read
Supply Chain Security

IronWorm: A Rust eBPF Rootkit Worm Hits the npm Supply Chain

IronWorm is a compiled Rust npm worm with a kernel-level eBPF rootkit, Tor C2, and OIDC-based self-propagation. It is the engineering ceiling of 2026 software supply chain attacks — and it carries no CVE.

Jun 22, 20267 min read
Supply Chain Security

PyTorch Lightning PyPI Compromise: A Software Supply Chain Attack Built to Drain ML Credentials

In April 2026, attackers pushed malicious versions of the lightning PyPI package and an npm intercom-client release, harvesting cloud, CI/CD, and GitHub credentials. Here is what happened and why ML tooling is now a prime supply chain target.

Jun 20, 20266 min read
Supply Chain Security

eBPF Rootkits Go Mainstream: Inside IronWorm and the Kernel-Level Turn in Supply Chain Malware

IronWorm shipped a kernel-level eBPF rootkit inside dozens of npm packages, hiding the very processes your security tools rely on seeing. Here is what changed, and how to detect kernel-level supply chain malware before it blinds you.

Jun 16, 20267 min read
DevSecOps

Azure DevOps pipeline security best practices

A practical guide to the six Azure DevOps pipeline settings attackers exploit most, with exact controls to fix fork triggers, secrets, and agents.

Jun 16, 20267 min read
Buyer's Guides

Best Secrets Scanning Tools in 2026: An Honest Buyer's Guide

An honest, engineer-first guide to the best secrets scanning tools in 2026 — Gitleaks, TruffleHog, detect-secrets, GitGuardian, Kingfisher, and where a supply chain platform fits — with a clear 'best for' line for each.

Jun 9, 20268 min read
ci-cd-security (Page 5) — Safeguard Blog