ci-cd
Safeguard articles tagged "ci-cd" — guides, analysis, and best practices for software supply chain and application security.
153 articles
npm Provenance Statements in Practice (2026)
A practical look at npm provenance in 2026: what statements prove, how to publish them from CI, and where they quietly fail when teams treat them as magic.
Pre-commit Hook Security Gotchas You'll Hit
Pre-commit hooks feel like a free security win until you ship them at scale. Here are the failure modes, trust boundaries, and escape hatches that bite.
From DevOps to DevSecOps: A Practical Shift-Left Guide
Shift-left security doesn't mean dumping security tools on developers. Here's a practical guide to integrating security into your development workflow without killing velocity.
Secrets Management in CI Pipelines: 2026 Guide
Rotating tokens, OIDC federation, and scoped runners are table stakes in 2026. Here is how senior engineers design CI secrets that do not leak on bad days.
What Is a Build Artifact?
A build artifact is the packaged output your build process produces from source code. Here is why artifacts are a critical supply chain checkpoint and how to verify their provenance.
What Is a DevOps Pipeline? Stages, Tools, and Security Gates
A DevOps pipeline is the automated path code takes from commit to production. Here are the stages every pipeline shares, the tools teams actually use, and where security gates belong.
Securing GitHub Actions Reusable Workflows at Scale
Reusable workflows centralize CI logic — and centralize compromise. Pinning, secrets scoping, org policy, and the review process that keeps one bad merge from owning 400 repos.
How Snyk's .snyk file structures ignore rules with expiry...
How Snyk's .snyk file encodes vulnerability ignore rules using reason and expiry date fields, and what happens in CI once an exception lapses.
How the --policy-path option centralizes ignore rules acr...
A technical look at how Snyk's --policy-path flag lets teams share one .snyk ignore file across repos instead of duplicating exceptions everywhere.
DevOps Maturity Models, Explained
What a devops maturity model actually measures, why devops mttr alone is a weak proxy for maturity, and how teams can measure whether devops delivery value is improving.
How Snyk CLI's --severity-threshold and --fail-on flags g...
How Snyk CLI severity-threshold and fail-on flags filter and gate vulnerability findings, plus exit codes and common CI/CD misconfigurations.
How the Snyk CLI's exit codes are structured for CI/CD fa...
A mechanical look at how the Snyk CLI's 0/1/2/3 exit codes work, how --severity-threshold and --fail-on change them, and how to branch on them correctly in CI/CD.