cicd-security
Safeguard articles tagged "cicd-security" — guides, analysis, and best practices for software supply chain and application security.
22 articles
Exploring vulnerabilities in GitHub Actions workflows
From the tj-actions/changed-files hijack to PyTorch's self-hosted runner breach, real incidents show how GitHub Actions workflows keep getting exploited.
What Is the CI/CD Pipeline (and CI/CD security)?
CI/CD pipelines now hold more privileged access than any other system — yet they're the least monitored. Here's what CI/CD pipeline security really requires.
How to set up a CI/CD pipeline security gate
A practical, step-by-step guide to building a CI/CD pipeline security gate that scans, enforces vulnerability thresholds, and blocks risky builds without slowing developers down.
Setting up OIDC federation between GitHub Actions and AWS...
A step-by-step guide to setting up AWS OIDC GitHub Actions federation, from IAM provider setup to scoped trust policies, so CI/CD pipelines never need long-lived AWS keys.
Using OCI dynamic groups to authenticate CI/CD pipelines
A practical guide to eliminating static credentials in CI/CD using OCI dynamic groups, matching rules, and OCI DevOps service authentication instead of API keys.
Jenkins Stapler Unauthenticated RCE Mass-Exploited for Cr...
CVE-2018-1000861 let attackers hit Jenkins Stapler unauthenticated, planting cryptomining malware on exposed CI/CD build servers across the internet.
Jenkins Remote Code Execution via Groovy Metaclass (CVE-2...
CVE-2016-0792 let attackers bypass Jenkins' deserialization blacklist using Groovy's metaclass to achieve unauthenticated remote code execution via the CLI.
Best software supply chain observability tools
A practical, no-hype buyer's guide to software supply chain observability tools -- evaluation criteria, an honest roundup of six real vendors, and where Safeguard fits.
GitHub Actions workflow injection vulnerabilities
How GitHub Actions workflow injection lets attackers hijack CI pipelines via untrusted input, real CVEs like CVE-2025-30066, and how to detect it.
Jenkins plugin vulnerability trends report
Jenkins plugin CVEs keep piling up—missing permission checks, CSRF gaps, and a critical CVE-2024-23897 that attackers scanned for within days.