ci-cd
Safeguard articles tagged "ci-cd" — guides, analysis, and best practices for software supply chain and application security.
153 articles
GitHub Token Security (2026 Guide)
GitHub tokens are keys to your source, your CI, and often your cloud. This guide covers PATs, fine-grained tokens, GitHub App and Actions tokens — and how to scope, store, and rotate them after the CircleCI and Heroku token thefts.
How to Add Security Scanning to Your CI/CD Pipeline
Wire dependency, container, and secret scanning into GitHub Actions or GitLab CI as a required check that blocks risky merges — with working workflow files and sensible thresholds.
Software Supply Chain Security for DevOps Teams
DevOps teams own the pipeline, and the pipeline is now the primary target. Here is how to secure build, artifact, and deploy without turning delivery speed into collateral damage.
The Best DevSecOps Tools in 2026
DevSecOps is a category with fuzzy edges. This balanced guide compares GitHub Advanced Security, GitLab, Snyk, Semgrep, Aqua, and Safeguard on how they actually fit into pipelines — with honest tradeoffs and a framework for choosing.
Megalodon: 5,561 GitHub Repos Backdoored via Injected Actions Workflows (May 2026)
In a six-hour window on May 18, 2026, an automated campaign pushed malicious GitHub Actions workflows into 5,561 repositories using credentials harvested by infostealers. We break down the attack chain, the workflow_dispatch dormancy trick, and CI detection.
Mutable Tags Strike Again: actions-cool GitHub Action Tags Redirected to Imposter Commits (May 2026)
In May 2026, every tag on actions-cool/issues-helper and 15 tags on maintain-one-comment were quietly moved to point at imposter commits that stole CI/CD credentials from runner memory. A look at the mutable-tag attack class and how to defeat it.
TanStack's Build Pipeline Got Hijacked and Still Signed Valid SLSA Provenance (May 2026)
On May 11, 2026, attackers chained a pull_request_target abuse, cache poisoning, and OIDC token theft to publish 84 malicious @tanstack npm versions from TanStack's own trusted pipeline. It is the first npm compromise to carry valid SLSA provenance.
Azure DevOps Pipeline Supply Chain Hardening 2026
A 2026 hardening guide for Azure DevOps Pipelines: service connections, workload identity federation, approval gates, agent isolation, and SLSA integration.
tj-actions Supply Chain Attack March 2025: A Postmortem
The tj-actions/changed-files compromise exposed CI secrets across thousands of public repositories. A postmortem on the attack chain and the GitHub Actions trust model.
Building an Eval Suite for Your Security LLM Workflows
If you use an LLM anywhere in your security program — triage, remediation, detection — you need an eval suite with the same rigor as your test suite. Here is a concrete harness: datasets, thresholds, CI gates, and drift detection.
How to Harden a Dockerfile in 10 Practical Steps
Ten concrete Dockerfile changes — digest pinning, multi-stage builds, non-root users, BuildKit secrets, SBOM attestations — that remove whole classes of container risk.
Drone CI Supply Chain Hardening 2026
A 2026 hardening guide for Drone CI: plugin trust, runner isolation, signed pipelines, secret scoping, and integrating Drone with SLSA and sigstore.