Safeguard
Tag

policy-as-code

Safeguard articles tagged "policy-as-code" — guides, analysis, and best practices for software supply chain and application security.

56 articles

Cloud Security

Catching Terraform Misconfigurations Before They Ever Reach Apply

Trivy replaced tfsec in 2023 and Checkov ships thousands of policies — here's how to wire open-source Terraform scanners into CI/CD before terraform apply runs.

Jul 16, 20266 min read
Cloud Security

Azure Bicep IaC security fundamentals: secrets, module trust, and policy gates

A @secure() Bicep parameter still leaks in plaintext the moment it's written to an output — a well-documented gap most teams discover only after a deployment history review.

Jul 15, 20267 min read
Compliance & Frameworks

Automating cloud compliance checks in Terraform and CloudFormation pipelines

Terrascan went fully archived in November 2025. Here's how to gate CIS and SOC 2 checks in Terraform/CloudFormation pipelines with tools still standing.

Jul 14, 20266 min read
Cloud Security

Scanning Terraform and CloudFormation before you ever run apply

tfsec merged into Trivy in 2024 and OPA hit CNCF graduated status in 2021 — here's how to scan Terraform and CloudFormation before deploy, with a working Conftest policy.

Jul 14, 20266 min read
DevSecOps

DevSecOps best practices for secure builds: an 8-point SDLC framework

Log4Shell (Dec 2021) and the XZ Utils backdoor (Mar 2024) exposed two different SDLC failure modes. An 8-point framework closes both.

Jul 13, 20266 min read
Cloud Security

Unified identity, segmentation, and policy-as-code for multi-cloud

38% of breaches start with stolen credentials, per Verizon's 2024 DBIR — the fix for multi-cloud estates is unified identity, segmentation, and policy-as-code, not per-provider IAM.

Jul 13, 20267 min read
Cloud Security

Developer empowerment in cloud security: a guardrails-first framework

Gartner estimated through 2025 that 99% of cloud breaches would be the customer's fault, not the provider's — guardrails at the point of action are how you fix that.

Jul 12, 20267 min read
Cloud Security

Why Cloud Security Outcomes Depend on Developers, Not Gatekeepers

Gartner projected 99% of cloud security failures through 2025 would be the customer's fault — the fix is guardrails developers own, not a central team reviewing after the fact.

Jul 12, 20267 min read
Cloud Security

Secure-by-design principles for cloud architecture: prevention over detection

The 2019 Capital One breach hit 700+ S3 buckets through one SSRF call. Secure-by-design architecture stops that path before it exists.

Jul 12, 20267 min read
Cloud Security

A guide to scanning Terraform IaC for misconfigurations before deployment

tfsec folded into Trivy in February 2023. Sentinel gates plans in Terraform Enterprise. Here's how to catch misconfigured infrastructure before it's ever provisioned.

Jul 12, 20266 min read
DevSecOps

Writing Rego policies for Kubernetes admission control and CI gates

Open Policy Agent graduated CNCF on Jan 29, 2021 — yet most teams still ship Rego with no default-deny, turning a policy gate into a rubber stamp.

Jul 11, 20268 min read
Cloud Security

Policy as Code: Enforcing Cloud Security Guardrails in CI/CD Instead of Manual Review

OPA reached CNCF Graduated status in January 2021 — yet most teams still catch misconfigured IAM roles by eyeballing a pull request.

Jul 11, 20267 min read
policy-as-code — Safeguard Blog