devsecops
Safeguard articles tagged "devsecops" — guides, analysis, and best practices for software supply chain and application security.
706 articles
CircleCI Security Best Practices After the 2023 Breach
The January 2023 CircleCI incident forced every customer to rotate every secret. Here is what it taught us — plus hardened config.yml examples for orb pinning, restricted contexts, OIDC, and adding scanning.
Dependency Management Best Practices for Secure Software
Your app is mostly other people's code. A 2026 guide to managing dependencies securely — lockfiles, provenance, SBOMs, update strategy, and reachability — so a bad package doesn't become your breach.
The Go Vulnerability Scanning Guide: govulncheck, Reachability, and CI
Most scanners tell you a CVE exists somewhere in go.sum. govulncheck tells you whether your code can actually reach it. Here's how Go's reachability-based scanning works and how to run it well.
Policy as Code for Security: A Practical Guide
When your security rules live in a wiki, they are advice. When they live in version-controlled code the pipeline enforces, they are controls. Here is how to move security policy into code that actually runs.
Remediation Automation FAQ: Policies, Strategies, and Scaling Fixes
How to operationalize remediation automation — automation strategies, severity policies, SLAs, metrics that matter, and how a small team scales fixes across hundreds of repos.
Scanning Docker Images in CI/CD Pipelines
Scanning a container after it deploys is an incident report. Scanning it in the pipeline is a one-line diff. Here is how to gate builds on image scans without drowning developers in false positives.
Securing Container Registries: From Push to Pull
Your registry is the single point every image passes through — and a favorite target for attackers who want to poison many deployments at once. Here is how to lock it down end to end.
Shift-Left Security FAQ: 2026 Explained
Common questions about shift-left security answered for 2026 — what it means, why earlier is cheaper, how it works in practice, and how to avoid overwhelming developers.
Software Supply Chain Security for Startups
For a startup, supply chain security is less about compliance mandates and more about closing enterprise deals and surviving the incident that could end you. Here is how to get it right with a small team.
What Is a Secure SDLC (Secure Software Development Lifecycle)?
A Secure SDLC embeds security activities into every phase of software development — from planning to production — instead of bolting a security review on at the end. Here's what each phase looks like and how to build one.
Container Image Scanning Best Practices
A practical guide to container image scanning: when to scan, what to block, what scanners like Snyk miss, and how to build a policy that actually gets remediated.
Cloud Misconfiguration Prevention: Stop Breaches Before They Ship
Misconfiguration is the leading cause of cloud breaches, and it has no CVE and no patch. Here's a taxonomy of the common ones and a shift-left playbook to prevent them.