devsecops
Safeguard articles tagged "devsecops" — guides, analysis, and best practices for software supply chain and application security.
706 articles
Auditing Elixir and Phoenix apps with mix_audit and Sobelow
A hands-on mix_audit Sobelow tutorial for scanning Elixir and Phoenix apps: dependency audits, static analysis, CI wiring, and triage tips.
Renovate vs Dependabot: Enterprise Rollout Playbook for 2026
How to choose between Renovate and Dependabot for enterprise dependency automation in 2026, with rollout patterns, failure modes, and migration paths.
Claude Code Coding Agent: Security Posture Review
A working review of Claude Code's security posture, sandboxing model, and the practical controls enterprises need to deploy it safely at scale.
Swift Package Manager dependency resolution and pinning s...
SPM trusts mutable git tags, not signed artifacts. Here's how dependency resolution, Package.resolved integrity, and pinning gaps expose Swift apps to supply chain attacks.
The Case for Autonomous Remediation Now
Manual patching is a losing race against the rate of new vulnerabilities. Autonomous remediation is not a future technology — it is the only workflow that keeps pace with modern supply chains.
Reachability Noise Reduction: Findings
The Safeguard Research team ran reachability analysis across a large corpus of real codebases. This is what we learned about which CVEs actually matter.
What Are Secure Coding Standards
Secure coding standards are enforceable rules — like OWASP and CERT — that stop specific CWEs before code ships. Here's what they cover and how to enforce them.
Jira and Docker: Integrating Security Workflows
Jira docker integration for security teams usually means auto-filing tickets from container scan findings — here's how to wire it without flooding the backlog with noise.
SBOM Review in Pull Request Workflows
An SBOM that arrives after merge is a compliance artifact. An SBOM that shows up in the PR is a security control. Here is how to wire it up without killing velocity.
DevOps Pipeline Tools: A Buyer's Map by Stage
DevOps pipeline tools cluster around six stages of the software lifecycle — mapping a shortlist to the stage it actually serves prevents the most common buying mistake: overlap without coverage.
What is Defense in Depth
Defense in depth stacks independent security layers—source, build, dependencies, artifacts, runtime—so no single failure causes a breach.
What is Credential Rotation
Credential rotation limits how long a leaked API key, password, or token stays valid. Here's how it works, how often to do it, and why automation matters.