devsecops
Safeguard articles tagged "devsecops" — guides, analysis, and best practices for software supply chain and application security.
706 articles
Reducing developer friction in AppSec adoption
Why traditional SAST tooling like Checkmarx creates developer friction, what it costs engineering teams, and how to build developer experience application security that ships.
Repository health and source-code manager (SCM) risk
Repository health—branch protection, stale permissions, leaked secrets, OAuth grants—is a supply chain risk AppSec scanners like Checkmarx can't see. Here's why it matters.
What is Static Application Security Testing (SAST)
SAST scans source code for flaws before deployment. Learn how it works, where Checkmarx-style tools fall short on supply chain risk, and how Safeguard closes the gap.
OCI image vulnerability scanning explained
A concrete breakdown of how OCI image vulnerability scanning works, where scanners miss real risk, and how to build a scan workflow that doesn't drown teams in noise.
Static Analysis Tools compared
Veracode built its name on SAST, DAST, and SCA for application code. Safeguard focuses static analysis on the software supply chain. Here's how the two actually differ.
Reducing CVEs in container base images
Base images inherit hundreds of OS-level CVEs your app never touches. Here's how reachability analysis and minimal bases cut real risk, not just counts.
Software Development Lifecycle (SDLC) security
A secure SDLC needs more than periodic scans. See where Veracode's upload-and-scan model leaves supply chain gaps, and how continuous, provenance-aware security closes them.
Scanning Terraform code for security misconfigurations
Public S3 buckets, open security groups, and wildcard IAM policies are the recurring Terraform mistakes behind most cloud breaches — here's how to catch them before apply.
Policy as code for cloud security guardrails
Policy as code turns cloud security guardrails into version-controlled, testable rules enforced automatically across IaC, Kubernetes, and CI/CD pipelines.
Pulumi security scanning best practices
Pulumi programs run as real code with live cloud credentials -- here's how to secure state files, dependencies, CrossGuard policy, and CI/CD.
Ansible playbook security scanning
Hardcoded secrets, unrestricted become, and injection-prone shell tasks turn Ansible playbooks into a single point of compromise across every host they touch.
Cloud Security Posture Management (CSPM) explained
CSPM explained: what it checks, why Gartner created the category in 2019, how it differs from CWPP/CNAPP, and why raw findings alone don't stop breaches.