Safeguard
Tag

ci-cd

Safeguard articles tagged "ci-cd" — guides, analysis, and best practices for software supply chain and application security.

153 articles

DevSecOps

DevOps Metrics That Security Teams Should Watch Too

Deploy frequency and lead time aren't just engineering KPIs — read alongside vulnerability data, they tell security teams exactly where risk is accumulating.

Feb 11, 20265 min read
DevSecOps

Reproducible Builds: Why Bother in 2026?

Reproducible builds used to feel academic. After a decade of supply chain attacks, they are the shortest path from an SBOM to a verifiable artifact. Here is the case.

Feb 10, 20267 min read
Emerging Technology

GitLab OIDC Token Theft: Workflow Research

GitLab CI OIDC tokens are becoming the keys to cloud kingdoms. Recent research shows how workflow misconfigurations leak them in surprising ways.

Feb 8, 20268 min read
DevSecOps

Secure Defaults for Internal Developer Platforms

An IDP that makes the secure path the easy path wins. One that requires engineers to opt into security loses. Here is how to ship defaults that actually stick.

Feb 6, 20267 min read
DevSecOps

Dev Container Security Posture (incl. Dotfiles)

Dev containers promise reproducibility and isolation. They also pull in a long tail of scripts, dotfiles, and feature repos that most teams never audit. Here is how to fix that.

Feb 2, 20267 min read
DevSecOps

What is a Security Gate

A security gate blocks a build or deploy the moment it fails a policy check. Here's what gates actually check, where to place them, and why most fail.

Feb 2, 20266 min read
DevSecOps

SBOM Review in Pull Request Workflows

An SBOM that arrives after merge is a compliance artifact. An SBOM that shows up in the PR is a security control. Here is how to wire it up without killing velocity.

Jan 28, 20266 min read
Cloud Security

Azure DevOps Supply Chain Hardening Guide

A senior engineer's 2026 playbook for hardening Azure DevOps against the supply chain attacks that actually happen: extensions, service connections, and template injection.

Jan 27, 20267 min read
DevSecOps

DevOps Pipeline Tools: A Buyer's Map by Stage

DevOps pipeline tools cluster around six stages of the software lifecycle — mapping a shortlist to the stage it actually serves prevents the most common buying mistake: overlap without coverage.

Jan 27, 20265 min read
DevSecOps

GitHub Actions: SHA-Pin Tags or Get Burned

Tag-pinning Actions feels fine until a maintainer gets compromised. Here is why SHA-pinning is the only serious option in 2026 and how to operationalize it.

Jan 24, 20266 min read
Incident Analysis

Codecov Bash Uploader 2021: A Supply Chain Retrospective

The Codecov bash uploader compromise was the quiet supply chain attack that exposed how CI secrets flow through every customer's pipeline. A five-year look back.

Jan 22, 20265 min read
Cloud Security

AWS CodeBuild/CodePipeline Hardening in 2026

CodeBuild and CodePipeline still carry the biggest AWS supply chain blast radius per dollar. Here is how to harden them in 2026 without rewriting to a different CI.

Jan 22, 20267 min read
ci-cd (Page 7) — Safeguard Blog