devsecops
Safeguard articles tagged "devsecops" — guides, analysis, and best practices for software supply chain and application security.
706 articles
SBOM as a supply chain defense strategy
SBOMs turn "are we affected?" from a weeks-long fire drill into a query. Here's how they defend against real supply chain attacks like Log4Shell and XZ Utils.
10 Docker image security best practices
Ten concrete Docker image security practices — minimal base images, secret handling, reachability-based scanning, non-root runtimes, and SBOMs — with real CVEs and data.
Unified AppSec platform vs. stitched-together point solut...
Checkmarx built its AppSec suite through years of acquisitions. Safeguard built one risk graph. Here's how to verify which model actually reduces triage work.
Scanning container images in CI/CD pipelines
Where to put container image scanning in your CI/CD pipeline, what it actually catches, and how to stop CVE floods from blocking every build.
Kubernetes RBAC best practices
RBAC drift and over-broad bindings are the top cause of Kubernetes lateral movement. Six concrete, question-first practices to lock down access before it's exploited.
Secrets detection and remediation best practices
Leaked API keys still cause breaches within minutes. Here's how secrets detection and remediation should work in practice, and where scanner-only tools fall short.
Securing Kubernetes Secrets management
Base64 isn't encryption. Here's how Kubernetes Secrets actually get exposed, and the encryption, RBAC, and rotation controls that fix it.
Securing AI coding assistants (Claude Code, Copilot, etc.)
AI coding assistants like Claude Code and Copilot introduce new supply chain risks. Here's what's actually going wrong and how to secure your pipeline.
Code-to-cloud security (CNAPP-style end-to-end protection)
Checkmarx scans code and pipelines well, but stops short of live cloud context. Here is what code-to-cloud security actually requires, with real breach examples.
Detecting vulnerabilities in multi-stage Docker builds
Multi-stage Docker builds hide vulnerabilities, leaked secrets, and untracked dependencies in discarded layers. Here's what final-image scans miss and how to catch it.
DevSecOps and CI/CD pipeline security
CI/CD pipelines are now a prime attack surface. Here's what Checkmarx's SAST-first approach misses, and how Safeguard secures the full pipeline.
Keeping Docker secrets secure without Kubernetes
Docker ships with tmpfs-backed Swarm secrets, BuildKit secret mounts, and Compose file secrets — here's how to use them without Kubernetes.