devsecops
Safeguard articles tagged "devsecops" — guides, analysis, and best practices for software supply chain and application security.
706 articles
Git Branching Strategies With Security Gates
Trunk-based, GitHub Flow, or GitFlow — your branching model decides where security checks can actually block bad code. Here is how to wire gates into each.
Code Scanning Tools: SAST, Secrets, and Linters Compared
SAST tools, secret scanners, and linters all read your source code but catch entirely different classes of problems — here's how to tell them apart and stack them correctly.
Application Security Testing Tools: SAST, DAST, IAST, and SCA Compared
Four scanner families see four different slices of your risk. What SAST, DAST, IAST, and SCA each catch and miss, and how to sequence them in CI without drowning developers.
DevOps Security Best Practices: Shifting Left Without Slowing Down
Shift left fails when it means shifting friction left. Here are the DevOps security best practices that catch issues early while keeping pipelines fast enough that engineers leave the gates on.
DAST Tools for DevSecOps Teams
The best DAST tools for DevSecOps teams run inside CI/CD rather than as a separate pre-launch step, and Gartner's own analysis of the DAST market backs that shift as the defining trend.
Open Source Code Scanning: Tools and Workflow
Open source code scanning tools can cover most of a small team's needs for free, but the workflow around them — what runs where, and who reviews the output — matters more than which tool you pick.
Security Testing in the Software Development Lifecycle
Security testing for software development only works when it's distributed across the SDLC, not bolted on as a single pre-release gate — here's where each test type actually belongs.
Open Source SAST Tools Worth Evaluating
A rundown of the open source SAST tools engineering teams actually use in production, and where each one runs out of road.
Docker Privileged Containers: `docker run` and Compose Risks
docker run privileged and docker compose privileged both hand a container root-equivalent access to the host — here's exactly what that means and when, if ever, it's justified.
Choosing a Private Package Registry in 2025
A 2025 buyer's guide comparing JFrog Artifactory, Sonatype Nexus, GitHub Packages, Google Artifact Registry, and Cloudsmith on ecosystems, policy, and TCO.
The Java Security Manager Is Deprecated: What to Use Instead
JEP 411 deprecated the Java Security Manager for removal, and years of accumulated java security flaws in its trust model are why the platform is retiring it rather than fixing it further.
Container Vulnerability Management: The Full Lifecycle
Container vulnerability management is a lifecycle, not a scan — here's what happens from base image selection through runtime, and where most programs quietly fall apart.