ci-cd
Safeguard articles tagged "ci-cd" — guides, analysis, and best practices for software supply chain and application security.
153 articles
Git Branching Strategies With Security Gates
Trunk-based, GitHub Flow, or GitFlow — your branching model decides where security checks can actually block bad code. Here is how to wire gates into each.
DAST Tools for DevSecOps Teams
The best DAST tools for DevSecOps teams run inside CI/CD rather than as a separate pre-launch step, and Gartner's own analysis of the DAST market backs that shift as the defining trend.
CVE-2025-47884 in Jenkins OpenID Connect Provider: Patch Posture & SBOM Response
Jenkins OIDC Provider plugin token impersonation scored CVSS 9.1. Defender playbook for CI/CD identity infrastructure.
Docker and Container Security Best Practices: A Combined Checklist
A single, practical checklist covering dockers and containers together — image build, runtime config, and CI gates — instead of treating Docker security and container security as separate problems.
GitHub Actions Supply Chain Attack: The tj-actions/changed-files Compromise
Attackers compromised the popular tj-actions/changed-files GitHub Action, injecting credential-stealing code that affected over 23,000 repositories. A textbook software supply chain attack.
Container Image Vulnerability Scanning in CI
How to wire container image vulnerability scanning into your CI pipeline so builds fail on real risk instead of shipping unscanned images to production.
OpenTelemetry for Supply Chain Traces: Instrumenting the Pipeline
How OpenTelemetry turns CI/CD pipelines into a traceable, queryable graph that exposes supply chain risk from source control to production deployment.
DevSecOps Automation Maturity in 2024: Where Teams Actually Stand
Industry surveys and real-world data paint a sobering picture of DevSecOps automation maturity. Most organizations are still in the early stages despite years of investment.
Woodpecker CI Security Review
A security review of Woodpecker CI, the community fork of Drone: runner isolation, secret handling, plugin ecosystem, and the trade-offs of running a self-hosted lightweight CI.
Go Build Cache Poisoning Risks
The Go build cache makes builds fast and reproducible, but a poisoned cache can reuse malicious compiled output indefinitely while the source looks clean.
Grafana Loki for Build Pipeline Logs: Patterns That Scale
Design a Loki-based log pipeline for CI/CD observability and supply chain forensics. Labels, retention, LogQL patterns, and cost discipline from the field.
Concourse CI Supply Chain Hardening
A practical hardening guide for Concourse CI: resource type trust, worker isolation, team-level RBAC, and the var source security that underpins the platform's multi-tenancy model.