Safeguard
Tag

ci-cd

Safeguard articles tagged "ci-cd" — guides, analysis, and best practices for software supply chain and application security.

153 articles

Security Guides

GitHub Token Security (2026 Guide)

GitHub tokens are keys to your source, your CI, and often your cloud. This guide covers PATs, fine-grained tokens, GitHub App and Actions tokens — and how to scope, store, and rotate them after the CircleCI and Heroku token thefts.

Jul 3, 20266 min read
Tutorials

How to Add Security Scanning to Your CI/CD Pipeline

Wire dependency, container, and secret scanning into GitHub Actions or GitLab CI as a required check that blocks risky merges — with working workflow files and sensible thresholds.

Jul 3, 20266 min read
Solutions

Software Supply Chain Security for DevOps Teams

DevOps teams own the pipeline, and the pipeline is now the primary target. Here is how to secure build, artifact, and deploy without turning delivery speed into collateral damage.

Jul 3, 20266 min read
Buyer's Guides

The Best DevSecOps Tools in 2026

DevSecOps is a category with fuzzy edges. This balanced guide compares GitHub Advanced Security, GitLab, Snyk, Semgrep, Aqua, and Safeguard on how they actually fit into pipelines — with honest tradeoffs and a framework for choosing.

Jul 2, 20266 min read
Supply Chain Attacks

Megalodon: 5,561 GitHub Repos Backdoored via Injected Actions Workflows (May 2026)

In a six-hour window on May 18, 2026, an automated campaign pushed malicious GitHub Actions workflows into 5,561 repositories using credentials harvested by infostealers. We break down the attack chain, the workflow_dispatch dormancy trick, and CI detection.

May 23, 202612 min read
DevSecOps

Mutable Tags Strike Again: actions-cool GitHub Action Tags Redirected to Imposter Commits (May 2026)

In May 2026, every tag on actions-cool/issues-helper and 15 tags on maintain-one-comment were quietly moved to point at imposter commits that stole CI/CD credentials from runner memory. A look at the mutable-tag attack class and how to defeat it.

May 21, 202610 min read
Software Supply Chain Security

TanStack's Build Pipeline Got Hijacked and Still Signed Valid SLSA Provenance (May 2026)

On May 11, 2026, attackers chained a pull_request_target abuse, cache poisoning, and OIDC token theft to publish 84 malicious @tanstack npm versions from TanStack's own trusted pipeline. It is the first npm compromise to carry valid SLSA provenance.

May 15, 202611 min read
DevSecOps

Azure DevOps Pipeline Supply Chain Hardening 2026

A 2026 hardening guide for Azure DevOps Pipelines: service connections, workload identity federation, approval gates, agent isolation, and SLSA integration.

May 6, 20265 min read
Supply Chain Attacks

tj-actions Supply Chain Attack March 2025: A Postmortem

The tj-actions/changed-files compromise exposed CI secrets across thousands of public repositories. A postmortem on the attack chain and the GitHub Actions trust model.

Apr 28, 20265 min read
AI Security

Building an Eval Suite for Your Security LLM Workflows

If you use an LLM anywhere in your security program — triage, remediation, detection — you need an eval suite with the same rigor as your test suite. Here is a concrete harness: datasets, thresholds, CI gates, and drift detection.

Apr 22, 20268 min read
Guides

How to Harden a Dockerfile in 10 Practical Steps

Ten concrete Dockerfile changes — digest pinning, multi-stage builds, non-root users, BuildKit secrets, SBOM attestations — that remove whole classes of container risk.

Apr 20, 20266 min read
DevSecOps

Drone CI Supply Chain Hardening 2026

A 2026 hardening guide for Drone CI: plugin trust, runner isolation, signed pipelines, secret scoping, and integrating Drone with SLSA and sigstore.

Apr 19, 20266 min read
ci-cd (Page 3) — Safeguard Blog