ci-cd-security
Safeguard articles tagged "ci-cd-security" — guides, analysis, and best practices for software supply chain and application security.
186 articles
Scanning container images in CI/CD pipelines
Where to put container image scanning in your CI/CD pipeline, what it actually catches, and how to stop CVE floods from blocking every build.
Secrets detection and remediation best practices
Leaked API keys still cause breaches within minutes. Here's how secrets detection and remediation should work in practice, and where scanner-only tools fall short.
Helm chart security scanning
Helm charts can render insecure RBAC, network policies, and default passwords even when the container image itself passes every vulnerability scan cleanly.
How to Secure a Monorepo Without Slowing Every Team Down
Monorepo security fails when every check runs on every commit. Path-filtered CI, CODEOWNERS, per-workspace scanning, and merge queues fix that.
DevSecOps and CI/CD pipeline security
CI/CD pipelines are now a prime attack surface. Here's what Checkmarx's SAST-first approach misses, and how Safeguard secures the full pipeline.
CVE-2026-45321: Anatomy of the TanStack npm and PyPI Supply Chain Worm
The Mini Shai-Hulud worm hit TanStack, Mistral AI, UiPath and 170+ npm and PyPI packages by hijacking a trusted release pipeline mid-run. Here is how the software supply chain attack actually worked, and what it changes.
TeamPCP: Running a Software Supply Chain Attack Like a Production Pipeline
TeamPCP (UNC6780) is the most active actor in the 2026 supply chain corpus, weaponizing the tools developers trust most. Here is how the operation works, and why a zero-CVE campaign breaks the model most teams still rely on.
IronWorm: A Rust eBPF Rootkit Worm Hits the npm Supply Chain
IronWorm is a compiled Rust npm worm with a kernel-level eBPF rootkit, Tor C2, and OIDC-based self-propagation. It is the engineering ceiling of 2026 software supply chain attacks — and it carries no CVE.
PyTorch Lightning PyPI Compromise: A Software Supply Chain Attack Built to Drain ML Credentials
In April 2026, attackers pushed malicious versions of the lightning PyPI package and an npm intercom-client release, harvesting cloud, CI/CD, and GitHub credentials. Here is what happened and why ML tooling is now a prime supply chain target.
eBPF Rootkits Go Mainstream: Inside IronWorm and the Kernel-Level Turn in Supply Chain Malware
IronWorm shipped a kernel-level eBPF rootkit inside dozens of npm packages, hiding the very processes your security tools rely on seeing. Here is what changed, and how to detect kernel-level supply chain malware before it blinds you.
Azure DevOps pipeline security best practices
A practical guide to the six Azure DevOps pipeline settings attackers exploit most, with exact controls to fix fork triggers, secrets, and agents.
Best Secrets Scanning Tools in 2026: An Honest Buyer's Guide
An honest, engineer-first guide to the best secrets scanning tools in 2026 — Gitleaks, TruffleHog, detect-secrets, GitGuardian, Kingfisher, and where a supply chain platform fits — with a clear 'best for' line for each.