Safeguard
Tag

devsecops

Safeguard articles tagged "devsecops" — guides, analysis, and best practices for software supply chain and application security.

706 articles

Industry Analysis

What is Software Supply Chain Security (SSCS)?

SolarWinds, Log4Shell, and the XZ Utils backdoor show why supply chain security now means more than SBOMs. Here's what SSCS actually covers—and where Anchore's approach falls short.

Mar 27, 20267 min read
AI Security

Prompt Injection in CI/CD Pipelines: Attack Paths and Defenses

When LLMs review PRs, triage issues, and fix builds, every commit message becomes attacker input. The concrete attack paths through GitHub Actions and what blocks them.

Mar 26, 20266 min read
Industry Analysis

Best practices for securing the software supply chain

From the xz backdoor to SolarWinds, real incidents show why SBOMs, build provenance, and continuous monitoring matter more than scanning alone.

Mar 26, 20267 min read
DevSecOps

What is DevSecOps? (principles, workflow, tooling)

DevSecOps explained: the principles, CI/CD workflow, and scanning tools that build security into every commit instead of bolting it on at release.

Mar 26, 20267 min read
DevSecOps

Anchore's approach to DevSecOps (case for shift-left secu...

How Anchore's devsecops approach uses SBOMs and shift-left scanning to catch vulnerabilities early, and why runtime visibility still matters.

Mar 26, 20268 min read
DevSecOps

CI/CD security and compliance integration

How CI/CD pipelines became the top supply chain attack surface, where scan-only tools like Anchore fall short on compliance evidence, and how Safeguard unifies both.

Mar 26, 20267 min read
DevSecOps

Developer Friction Budget For Supply Chain Tools

Every security tool spends developer attention. A framework for budgeting friction across IDE, CLI, and PR-time supply chain checks without going bankrupt.

Mar 25, 20268 min read
DevSecOps

Gitleaks Secret Scanning Recipes for 2026

Practical Gitleaks configurations and workflows for 2026, including pre-commit setup, monorepo tuning, custom rules, and how to avoid the false-positive treadmill.

Mar 25, 20265 min read
AI Security

Guardrails for Autonomous Code-Fixing Agents

AI agents can now open pull requests that patch vulnerabilities on their own. Without guardrails — scoped permissions, test gates, human merge approval — they can also break builds and introduce new flaws at machine speed.

Mar 24, 20266 min read
DevSecOps

Zero Trust for CI/CD Pipelines: A Concrete Blueprint

CI/CD runners are a top attacker target. Here's a concrete zero-trust blueprint using OIDC federation, pinned action SHAs, and short-lived identities.

Mar 24, 20268 min read
AppSec

Application Security Automation: What to Automate First

Automation pays off in a strict order: dependencies, secrets, static analysis, then dynamic testing. Here is the sequence, why it works, and what should stay manual.

Mar 24, 20266 min read
Compliance

DoD software factory reference design and secure software...

What a real DoD software factory requires under the DevSecOps Reference Design, where Anchore's scanning fits and falls short, and how continuous SBOM evidence enables cATO.

Mar 23, 20267 min read
devsecops (Page 25) — Safeguard Blog