Safeguard
Tag

gitops

Safeguard articles tagged "gitops" — guides, analysis, and best practices for software supply chain and application security.

15 articles

Kubernetes Security

Native Secrets, Sealed Secrets, or Vault: Picking a Kubernetes Secrets Strategy

Kubernetes Secrets are base64-encoded, not encrypted — etcd stores them near-plaintext unless you configure encryption at rest yourself.

Jul 15, 20266 min read
Kubernetes Security

Securing the Argo CD to Kubernetes GitOps Pipeline

One symlinked Helm values file (CVE-2022-24348, CVSS 7.7) let attackers read secrets across Argo CD tenants — GitOps trust needs hardening, not just adoption.

Jul 12, 20266 min read
DevSecOps

The GitOps security model: risks and controls

GitOps turns a Git repo into a deploy button — Argo CD's own CVE-2022-24348 path traversal proved what happens when that button isn't locked down.

Jul 8, 20266 min read
Infrastructure Security

Securing Infrastructure as Code in GitOps workflows

GitOps auto-applies every merged Terraform and Kubernetes change within minutes. Here's how CVE-2022-24348 and CVE-2025-30066 show why PR-time IaC checks are non-negotiable.

Jun 16, 20267 min read
DevSecOps

Flux CD vs Argo CD: Security Comparison for 2026

A security-focused comparison of Flux 2.5 and Argo CD 3.1: trust models, multi-tenancy, secret handling, signature verification, and the operational differences.

May 13, 20266 min read
DevSecOps

Argo CD Image Updater Security Considerations in 2026

How Argo CD Image Updater works, the security tradeoffs of automated image promotion, and the configuration patterns that prevent supply chain incidents.

May 6, 20266 min read
DevSecOps

GitOps

What is GitOps? A clear definition of the Git-driven deployment model, how it differs from DevOps, and what its security model protects against.

Feb 24, 20268 min read
DevSecOps

Argo CD Path Traversal via Malicious Helm Chart values.ya...

CVE-2022-24348 let attackers use a malicious Helm chart to path-traverse Argo CD's repo-server, exposing secrets across GitOps applications. Here's the fix.

Nov 24, 20257 min read
Vulnerability Response

CVE-2025-55190 in Argo CD: Patch Posture & SBOM Response

Argo CD project details API leaks repository credentials, scored CVSS 9.9. GitOps platforms are now top-tier credential targets. Defender playbook below.

Sep 8, 20257 min read
DevSecOps

age + SOPS: A Git-Native Secrets Workflow

How age and SOPS together deliver a lightweight, auditable, Git-native secrets workflow that stands up to real production use without a vault server.

Oct 28, 20247 min read
DevSecOps

FluxCD Security Model in Production

A production-focused look at FluxCD's security model, covering multi-tenancy isolation, source verification, image automation risks, and the CVE history behind the current defaults.

Sep 10, 20247 min read
DevSecOps

ArgoCD GitOps Security Depth

A deep look at ArgoCD security in production: RBAC models, repo credentials, ApplicationSet risks, and the CVEs that have shaped the current hardening defaults.

Jun 25, 20246 min read
gitops — Safeguard Blog