Safeguard
Tag

ci-cd

Safeguard articles tagged "ci-cd" — guides, analysis, and best practices for software supply chain and application security.

153 articles

DevSecOps

GitLab CI Supply Chain Hardening Checklist 2026

A 2026 hardening checklist for GitLab CI: ID tokens, protected branches, runner isolation, included templates, and the controls that actually shrink blast radius.

Mar 19, 20265 min read
Incident Analysis

PyPI Trusted Publishing Token Leaks in 2025

Trusted Publishing made PyPI safer, but leaked short-lived OIDC tokens in CI logs kicked off a credential-replay campaign that PyPI, GitHub, and Sonatype all tracked in 2025.

Mar 19, 20268 min read
Emerging Technology

GitHub Actions Cache Poisoning Attack Class 2025

GitHub Actions caches were never designed as a trust boundary. In 2025 researchers turned that mismatch into a repeatable supply-chain attack pattern.

Mar 17, 20268 min read
DevSecOps

Security Champions Program For Shift-Left 2026

Security champions are the human layer that makes shift-left work. A 2026 program design for selecting, training, and retaining champions in engineering.

Mar 15, 20268 min read
Emerging Technology

Confused Deputy Attacks on CI/CD Service Accounts

Build systems hold broad trust and tight deadlines, which makes them perfect confused deputies. Here is how the attack pattern shows up in modern CI/CD and how to defang it.

Mar 15, 20268 min read
Compliance

CI/CD Audit Pipeline Checklist 2026

An auditor's checklist for CI/CD pipelines in 2026 covering build provenance, secret management, runner isolation, and the evidence to collect for SOC 2 and FedRAMP.

Mar 14, 20265 min read
DevSecOps

GitHub Actions Supply Chain Hardening Checklist 2026

A pragmatic 2026 hardening checklist for GitHub Actions: OIDC, pinned actions, environment protection, reusable workflows, and the controls that actually move risk.

Mar 12, 20265 min read
Incident Analysis

tj-actions Compromise: One Year Retrospective

A year after the tj-actions/changed-files compromise leaked CI secrets across thousands of GitHub repos, what did we fix and what is still dangerously convenient?

Mar 12, 20268 min read
DevSecOps

Developer Onboarding Supply Chain Controls Template

The first week is when developers form their habits. A template for onboarding new engineers into supply chain controls without overwhelming them.

Mar 10, 20268 min read
Best Practices

How to Generate an SBOM with GitHub Actions (2026)

SBOMs are a compliance table-stakes artifact in 2026. Here is a production GitHub Actions workflow that generates, signs, and attests a CycloneDX SBOM on every release.

Mar 6, 20266 min read
Best Practices

How to Detect Malicious npm Packages: A Workflow

A practical detection workflow for malicious npm packages: install-time signals, registry heuristics, reachability checks, and CI gates that actually block attacks.

Mar 6, 20267 min read
DevSecOps

Metrics Developers Care About: Secure By Default

Most security metrics are built for the security team. A guide to picking metrics that developers will actually act on, with examples from secure-by-default workflows.

Mar 5, 20268 min read
ci-cd (Page 5) — Safeguard Blog