Safeguard
Tag

policy-as-code

Safeguard articles tagged "policy-as-code" — guides, analysis, and best practices for software supply chain and application security.

56 articles

Cloud Security

Policy-as-code for Terraform: testing before you ever run apply

Checkov, OPA, and tflint each catch different Terraform mistakes — chained into CI before apply, they turn a review comment into a hard gate.

Jul 11, 20266 min read
AI Security

AI Code Generation: An Evaluation Framework for Gating Output Before Merge

NYU researchers found security weaknesses in ~40% of Copilot-generated programs. Here's how to gate AI code before it ever reaches main.

Jul 10, 20267 min read
DevSecOps

Embedding security-by-design into DevSecOps risk management across the SDLC

NIST's SSDF turns 'shift left' into eleven concrete practices — but a framework on paper doesn't stop a bad merge. Here's how to make it enforceable.

Jul 10, 20267 min read
DevSecOps

A reference architecture for automating security gates in CI/CD

29M hardcoded secrets leaked in 2025 alone. Here's a gate architecture — SAST, SCA, secrets, IaC — that catches that without adding a day to your release cycle.

Jul 9, 20267 min read
Cloud Security

Automating Security Controls on Google Cloud

Binary Authorization can block every unsigned container from reaching GKE or Cloud Run — but only if your pipeline is wired to sign images the moment they pass scanning.

Jul 8, 20267 min read
DevSecOps

The four-phase roadmap for adopting DevSecOps

Google Cloud's 2024 DORA report found AI-tool adoption correlated with worse delivery performance for the second year running — tool sprawl without a plan makes DevSecOps worse, not better.

Jul 8, 20267 min read
DevSecOps

DevSecOps on AWS: a reference architecture for CI/CD security gates

Amazon Inspector, CodePipeline manual approvals, and SLSA v1.0 (April 2023) give you the primitives — but nobody ships them wired together as one gated pipeline.

Jul 8, 20266 min read
Cloud Security

Shifting Infrastructure-as-Code security left across the SDLC

Terrascan went archived in November 2025 and tfsec folded into Trivy in 2024 — IaC scanning is consolidating fast, and where you run it matters as much as which tool you pick.

Jul 8, 20266 min read
DevSecOps

A hands-on introduction to Rego for Kubernetes admission control

OPA graduated CNCF on January 29, 2021, and Rego v1 became the default syntax in OPA v1.0.0 (Dec 2024) — here's how to write your first admission-control policies.

Jul 8, 20266 min read
DevSecOps

Rego for intermediates: combining rules with AND/OR and writing actionable error messages

Rego has no `&&` or `||` operators — AND is implicit, OR means writing the same rule twice, and most teams miss both until a policy silently passes.

Jul 8, 20267 min read
DevSecOps

Rego for security engineers: a beginner's guide to OPA policy

Rego graduated from Styra research project to a CNCF-graduated standard in under five years. Here's how to write your first real OPA/Conftest policy.

Jul 8, 20267 min read
DevSecOps

Security error budgets: gating risk instead of blocking everything

Google's SRE teams have spent an error budget on reliability since 2016 — applying the same model to security turns blanket blocking into risk-weighted gating.

Jul 8, 20267 min read
policy-as-code (Page 2) — Safeguard Blog