devsecops
Safeguard articles tagged "devsecops" — guides, analysis, and best practices for software supply chain and application security.
706 articles
What is a CI/CD Pipeline
A CI/CD pipeline automates code from commit to deployment—but SolarWinds, Codecov, and CircleCI show it's also a top supply-chain attack target.
GitHub Actions: SHA-Pin Tags or Get Burned
Tag-pinning Actions feels fine until a maintainer gets compromised. Here is why SHA-pinning is the only serious option in 2026 and how to operationalize it.
What is Navigating AI for Source Code Analysis
AI source code analysis pairs LLMs with static analysis to cut false positives and speed triage -- but reachability data still decides what's real.
Compromised npm packages in the React and Next.js build p...
A react npm supply chain incident case study: how a phishing attack on a single maintainer compromised chalk, debug, and other build-pipeline dependencies.
Git Hooks as Supply Chain Controls in 2026
Server-side and client-side git hooks are an underused control surface for supply chain risk. Here is what to enforce, where to enforce it, and what to leave alone.
Why Scanning Alone Doesn't Work Anymore
Scanners generate findings. Programs produce outcomes. After a decade of dashboards and CVE counts, it is time to admit the gap between the two is the actual security problem.
Network Security Automation: What to Automate First
Network security automation pays off fastest on the repetitive, high-volume tasks — not on the judgment calls teams are tempted to automate first.
What Is KICS? Checkmarx's Open Source IaC Scanner Explained
Checkmarx KICS is a free, open source static analysis tool for infrastructure-as-code that scans Terraform, CloudFormation, Kubernetes manifests, and more for misconfigurations before they're ever deployed.
A Tale of Two Scanners: Siloed Scanning vs AI-Powered Correlation
Siloed scanners flood teams with disconnected alerts. Here's why AI powered vulnerability correlation is becoming the industry's answer to alert fatigue.
Best practices for implementing least-privilege IAM polic...
A practical guide to designing least-privilege IAM policies in AWS: permission boundaries, policy patterns, and habits that keep access tight as teams scale.
What is Snyk Code (SAST Tool Category Overview)
Snyk Code explained: what it is, how its SAST engine works, its limits, category competitors, and where reachability closes the gap.
Automating secret rotation with AWS Secrets Manager
A step-by-step guide to configuring AWS Secrets Manager rotation for RDS credentials, deploying the rotation Lambda function, and verifying it actually works.