gitops
Safeguard articles tagged "gitops" — guides, analysis, and best practices for software supply chain and application security.
15 articles
Native Secrets, Sealed Secrets, or Vault: Picking a Kubernetes Secrets Strategy
Kubernetes Secrets are base64-encoded, not encrypted — etcd stores them near-plaintext unless you configure encryption at rest yourself.
Securing the Argo CD to Kubernetes GitOps Pipeline
One symlinked Helm values file (CVE-2022-24348, CVSS 7.7) let attackers read secrets across Argo CD tenants — GitOps trust needs hardening, not just adoption.
The GitOps security model: risks and controls
GitOps turns a Git repo into a deploy button — Argo CD's own CVE-2022-24348 path traversal proved what happens when that button isn't locked down.
Securing Infrastructure as Code in GitOps workflows
GitOps auto-applies every merged Terraform and Kubernetes change within minutes. Here's how CVE-2022-24348 and CVE-2025-30066 show why PR-time IaC checks are non-negotiable.
Flux CD vs Argo CD: Security Comparison for 2026
A security-focused comparison of Flux 2.5 and Argo CD 3.1: trust models, multi-tenancy, secret handling, signature verification, and the operational differences.
Argo CD Image Updater Security Considerations in 2026
How Argo CD Image Updater works, the security tradeoffs of automated image promotion, and the configuration patterns that prevent supply chain incidents.
GitOps
What is GitOps? A clear definition of the Git-driven deployment model, how it differs from DevOps, and what its security model protects against.
Argo CD Path Traversal via Malicious Helm Chart values.ya...
CVE-2022-24348 let attackers use a malicious Helm chart to path-traverse Argo CD's repo-server, exposing secrets across GitOps applications. Here's the fix.
CVE-2025-55190 in Argo CD: Patch Posture & SBOM Response
Argo CD project details API leaks repository credentials, scored CVSS 9.9. GitOps platforms are now top-tier credential targets. Defender playbook below.
age + SOPS: A Git-Native Secrets Workflow
How age and SOPS together deliver a lightweight, auditable, Git-native secrets workflow that stands up to real production use without a vault server.
FluxCD Security Model in Production
A production-focused look at FluxCD's security model, covering multi-tenancy isolation, source verification, image automation risks, and the CVE history behind the current defaults.
ArgoCD GitOps Security Depth
A deep look at ArgoCD security in production: RBAC models, repo credentials, ApplicationSet risks, and the CVEs that have shaped the current hardening defaults.