Safeguard
Tag

ci-cd

Safeguard articles tagged "ci-cd" — guides, analysis, and best practices for software supply chain and application security.

153 articles

Open Source Security

npm Provenance Statements in Practice (2026)

A practical look at npm provenance in 2026: what statements prove, how to publish them from CI, and where they quietly fail when teams treat them as magic.

Jan 22, 20266 min read
DevSecOps

Pre-commit Hook Security Gotchas You'll Hit

Pre-commit hooks feel like a free security win until you ship them at scale. Here are the failure modes, trust boundaries, and escape hatches that bite.

Jan 20, 20266 min read
DevSecOps

From DevOps to DevSecOps: A Practical Shift-Left Guide

Shift-left security doesn't mean dumping security tools on developers. Here's a practical guide to integrating security into your development workflow without killing velocity.

Jan 20, 20263 min read
DevSecOps

Secrets Management in CI Pipelines: 2026 Guide

Rotating tokens, OIDC federation, and scoped runners are table stakes in 2026. Here is how senior engineers design CI secrets that do not leak on bad days.

Jan 16, 20267 min read
Concepts

What Is a Build Artifact?

A build artifact is the packaged output your build process produces from source code. Here is why artifacts are a critical supply chain checkpoint and how to verify their provenance.

Dec 2, 20256 min read
DevSecOps

What Is a DevOps Pipeline? Stages, Tools, and Security Gates

A DevOps pipeline is the automated path code takes from commit to production. Here are the stages every pipeline shares, the tools teams actually use, and where security gates belong.

Sep 17, 20255 min read
Engineering

Securing GitHub Actions Reusable Workflows at Scale

Reusable workflows centralize CI logic — and centralize compromise. Pinning, secrets scoping, org policy, and the review process that keeps one bad merge from owning 400 repos.

Sep 14, 20256 min read
Open Source Security

How Snyk's .snyk file structures ignore rules with expiry...

How Snyk's .snyk file encodes vulnerability ignore rules using reason and expiry date fields, and what happens in CI once an exception lapses.

Aug 23, 20257 min read
Open Source Security

How the --policy-path option centralizes ignore rules acr...

A technical look at how Snyk's --policy-path flag lets teams share one .snyk ignore file across repos instead of duplicating exceptions everywhere.

Aug 22, 20256 min read
DevSecOps

DevOps Maturity Models, Explained

What a devops maturity model actually measures, why devops mttr alone is a weak proxy for maturity, and how teams can measure whether devops delivery value is improving.

Aug 21, 20255 min read
DevSecOps

How Snyk CLI's --severity-threshold and --fail-on flags g...

How Snyk CLI severity-threshold and fail-on flags filter and gate vulnerability findings, plus exit codes and common CI/CD misconfigurations.

Aug 17, 20257 min read
DevSecOps

How the Snyk CLI's exit codes are structured for CI/CD fa...

A mechanical look at how the Snyk CLI's 0/1/2/3 exit codes work, how --severity-threshold and --fail-on change them, and how to branch on them correctly in CI/CD.

Aug 15, 20257 min read
ci-cd (Page 8) — Safeguard Blog