devsecops
Safeguard articles tagged "devsecops" — guides, analysis, and best practices for software supply chain and application security.
706 articles
Application Security Architecture: Design Patterns That Hold Up
Good application security architecture is a small set of repeatable patterns — trust boundaries, defense in depth, least privilege — applied consistently, not a document nobody reads.
How to implement DevSecOps in 4 steps
A concrete, 4-step playbook for implementing DevSecOps — pipeline gating, SBOM generation, reachability-based triage, and auto-fix PRs.
The 4 best DevSecOps tools for a secure DevOps workflow
The 4 DevSecOps tool categories a secure pipeline needs — SCA, SAST, container/IaC scanning, secrets scanning — with real incidents and fixes.
Building a security-conscious CI/CD pipeline
CI/CD pipelines are now the top supply chain target. Here's how to build one with real controls—secrets, scoping, SBOMs, and provenance.
8 tips for securing your CI/CD pipeline
Real incidents like tj-actions and xz-utils show how CI/CD pipelines get compromised. Eight concrete, actionable tips to lock yours down.
AI Security Code Review for Pull Requests
How AI code review security works in pull requests, where Endor Labs stops short, and what closes the gap between diff review and real supply chain risk.
Building a secure CI/CD pipeline with GitHub Actions
The tj-actions breach exposed secrets in 23,000 repos. Here's how pwn requests, unpinned tags, and self-hosted runners put your CI/CD at risk.
Exploring vulnerabilities in GitHub Actions workflows
From the tj-actions/changed-files hijack to PyTorch's self-hosted runner breach, real incidents show how GitHub Actions workflows keep getting exploited.
Securing self-hosted GitHub Actions runners
Self-hosted GitHub Actions runners trade GitHub's ephemeral isolation for persistent infrastructure access — here's how real incidents like CVE-2025-30066 exploited that gap.
Package Firewall: Blocking Malicious Dependencies at Inst...
Malicious npm and PyPI packages are published daily. See why a package firewall that blocks at install time stops attacks that post-hoc scanners catch too late.
Secrets management: tools and best practices
Secrets leak because of workflow gaps, not carelessness. Here's how vaults, scanners, and rotation policies actually stop credential exposure.
Finding and fixing exposed hardcoded secrets in GitHub projects
Hardcoded secrets leak into GitHub every day and get exploited within minutes. Here's how to find, fix, and prevent exposed credentials at scale.