devsecops
Safeguard articles tagged "devsecops" — guides, analysis, and best practices for software supply chain and application security.
706 articles
Scanning Docker Images for Vulnerabilities: How To
Knowing how to scan Docker images for vulnerabilities before they ship is the difference between catching a known CVE in CI and finding it in an incident report.
Why Snyk Code's semantic approach produces fewer false po...
Snyk Code cuts SAST false positives using semantic analysis: AST/data-flow graphs plus ML trained on real code, not regex patterns. Here is how the mechanics work.
How Snyk Code's PR and MR checks block merges on newly in...
A mechanical look at how Snyk Code's pull and merge request checks isolate net-new vulnerabilities from pre-existing debt and gate merges on policy.
How Snyk Code's incremental scanning speeds up repeated s...
Snyk Code speeds up repeat SAST scans on large codebases by re-analyzing only changed files instead of the whole repository each time.
How Snyk Container's static filesystem analysis avoids th...
How Snyk Container inspects image layers, package databases, and lockfiles without ever running the container — and where static filesystem analysis hits its limits.
How Snyk's Docker Desktop Extension scans images before t...
How Snyk's Docker Desktop extension scans local images for CVEs before push, what it can and can't detect, and where it fits with CI and registry scanning.
Application Security vs Network Security: Where the Line Is
Application security vs network security comes down to what layer you're defending — code and logic versus traffic and perimeter — and most breaches now happen in the gap between them.
How Snyk IaC scans a Terraform Plan JSON file to catch dr...
How Snyk IaC parses Terraform plan JSON's resource_changes to catch drift and misconfigurations before terraform apply — the mechanics, limits, and what it can't see.
How Snyk IaC handles Terraform modules and remote module ...
How Snyk IaC statically parses Terraform, resolves local modules inline, and why remote Registry or Git modules stay unexpanded until a Terraform plan is scanned.
How Snyk's .snyk file structures ignore rules with expiry...
How Snyk's .snyk file encodes vulnerability ignore rules using reason and expiry date fields, and what happens in CI once an exception lapses.
DevOps Maturity Models, Explained
What a devops maturity model actually measures, why devops mttr alone is a weak proxy for maturity, and how teams can measure whether devops delivery value is improving.
Source Code Security Scanning Programs That Scale
A source code security scanning program that works for 20 repos usually breaks at 200 — here's how to design one that scales with the number of teams, not just the number of scans.