Safeguard
Tag

devsecops

Safeguard articles tagged "devsecops" — guides, analysis, and best practices for software supply chain and application security.

706 articles

DevSecOps

What is a CI/CD Pipeline

A CI/CD pipeline automates code from commit to deployment—but SolarWinds, Codecov, and CircleCI show it's also a top supply-chain attack target.

Jan 25, 20266 min read
DevSecOps

GitHub Actions: SHA-Pin Tags or Get Burned

Tag-pinning Actions feels fine until a maintainer gets compromised. Here is why SHA-pinning is the only serious option in 2026 and how to operationalize it.

Jan 24, 20266 min read
AI Security

What is Navigating AI for Source Code Analysis

AI source code analysis pairs LLMs with static analysis to cut false positives and speed triage -- but reachability data still decides what's real.

Jan 24, 20266 min read
DevSecOps

Compromised npm packages in the React and Next.js build p...

A react npm supply chain incident case study: how a phishing attack on a single maintainer compromised chalk, debug, and other build-pipeline dependencies.

Jan 23, 20268 min read
DevSecOps

Git Hooks as Supply Chain Controls in 2026

Server-side and client-side git hooks are an underused control surface for supply chain risk. Here is what to enforce, where to enforce it, and what to leave alone.

Jan 22, 20266 min read
Industry Analysis

Why Scanning Alone Doesn't Work Anymore

Scanners generate findings. Programs produce outcomes. After a decade of dashboards and CVE counts, it is time to admit the gap between the two is the actual security problem.

Jan 22, 20267 min read
SecOps

Network Security Automation: What to Automate First

Network security automation pays off fastest on the repetitive, high-volume tasks — not on the judgment calls teams are tempted to automate first.

Jan 22, 20265 min read
DevSecOps

What Is KICS? Checkmarx's Open Source IaC Scanner Explained

Checkmarx KICS is a free, open source static analysis tool for infrastructure-as-code that scans Terraform, CloudFormation, Kubernetes manifests, and more for misconfigurations before they're ever deployed.

Jan 22, 20265 min read
Industry Analysis

A Tale of Two Scanners: Siloed Scanning vs AI-Powered Correlation

Siloed scanners flood teams with disconnected alerts. Here's why AI powered vulnerability correlation is becoming the industry's answer to alert fatigue.

Jan 22, 20268 min read
Cloud Security

Best practices for implementing least-privilege IAM polic...

A practical guide to designing least-privilege IAM policies in AWS: permission boundaries, policy patterns, and habits that keep access tight as teams scale.

Jan 21, 20267 min read
Application Security

What is Snyk Code (SAST Tool Category Overview)

Snyk Code explained: what it is, how its SAST engine works, its limits, category competitors, and where reachability closes the gap.

Jan 20, 20266 min read
Cloud Security

Automating secret rotation with AWS Secrets Manager

A step-by-step guide to configuring AWS Secrets Manager rotation for RDS credentials, deploying the rotation Lambda function, and verifying it actually works.

Jan 20, 20268 min read
devsecops (Page 36) — Safeguard Blog