devsecops
Safeguard articles tagged "devsecops" — guides, analysis, and best practices for software supply chain and application security.
706 articles
DevSecOps Automation Maturity in 2024: Where Teams Actually Stand
Industry surveys and real-world data paint a sobering picture of DevSecOps automation maturity. Most organizations are still in the early stages despite years of investment.
Hardening GitLab vs GitHub Default Settings
GitLab and GitHub both ship with defaults that prioritize usability. A head-to-head on the specific hardening steps each platform needs before it is safe for enterprise use.
Woodpecker CI Security Review
A security review of Woodpecker CI, the community fork of Drone: runner isolation, secret handling, plugin ecosystem, and the trade-offs of running a self-hosted lightweight CI.
Container Security Best Practices for 2025: Beyond Image Scanning
Container security has evolved far past vulnerability scanning. Here is what mature container security programs look like heading into 2025.
Go Build Cache Poisoning Risks
The Go build cache makes builds fast and reproducible, but a poisoned cache can reuse malicious compiled output indefinitely while the source looks clean.
Secrets Rotation Across Microservices: A Playbook
A practical senior engineer's playbook for rotating secrets across microservices without downtime, drift, or the quiet credential leaks that come from half-done cutovers.
Self-Hosted vs SaaS Security Scanning: An Honest Comparison
Run scanners on your own metal or rent the vendor's? A cost, latency, and data-residency comparison from someone who has operated both and regretted each at least once.
GCP Terraform Provider Security Review
A security-focused review of the Google Terraform providers: provenance, authentication paths, state handling, and the misconfigurations that consistently produce incidents across the Google and Google-Beta provider ecosystem.
Concourse CI Supply Chain Hardening
A practical hardening guide for Concourse CI: resource type trust, worker isolation, team-level RBAC, and the var source security that underpins the platform's multi-tenancy model.
Buildkite Supply Chain Hardening
A practical hardening guide for Buildkite: agent isolation, pipeline upload security, plugin risks, and the agent-token rotation strategy that keeps the trust model intact.
Maven Release Plugin Hardening
The Maven Release Plugin is the oldest piece of release automation most Java shops still run. A look at the hardening steps it usually needs.
go generate Supply Chain Risks
go generate is a seam where arbitrary commands run with the full privileges of the developer, and it does not show up in any manifest of trusted dependencies.