policy-as-code
Safeguard articles tagged "policy-as-code" — guides, analysis, and best practices for software supply chain and application security.
56 articles
Checkov 3.2.x Field Review: IaC Scanning in 2026
Bridgecrew's Checkov is still shipping weekly patches in 2026. We ran 3.2.527 against a 38,000-line Terraform monorepo and graded coverage, noise, and CI cost.
Snyk and HashiCorp Terraform Cloud partnership
Snyk's HashiCorp Terraform Cloud integration gates IaC risk at plan time — here's what it covers, what it misses, and how reachability closes the gap.
CI/CD security and compliance integration
How CI/CD pipelines became the top supply chain attack surface, where scan-only tools like Anchore fall short on compliance evidence, and how Safeguard unifies both.
What is Policy as Code
Policy as code turns security and compliance rules into version-controlled, testable code enforced automatically in CI/CD, admission control, and runtime.
What is Security as Code
Security as code turns policies and controls into version-controlled, pipeline-enforced rules. Here's what it looks like, why it matters, and how to adopt it.
How to set up OPA Gatekeeper for Kubernetes admission con...
A step-by-step guide to OPA Gatekeeper Kubernetes admission control: install, write constraint templates, roll out safely, and verify enforcement.
Best Terraform security and compliance tools
A practical, no-hype comparison of Terraform security tools — Checkov, tfsec/Trivy, Terrascan, Sentinel, Snyk IaC, and more — plus how Safeguard fits in.
Best policy-as-code enforcement tools
A practical buyer's guide to policy as code tools -- OPA, Kyverno, Sentinel, Checkov, InSpec, and Styra -- with honest strengths, limits, and evaluation criteria.
Best Kubernetes admission control tools
A practical comparison of Kubernetes admission control tools — OPA/Gatekeeper, Kyverno, Kubewarden, Styra, jsPolicy, and Polaris — with real strengths, limits, and evaluation criteria.
Writing a Container Security Policy That Actually Holds
Most container security policies get written once, ignored during the next sprint, and rediscovered during an audit — here's how to write one that engineers actually follow.
How Snyk Container's exclude and allow policies reduce no...
Snyk Container's exclude and allow policies scope ignore rules to specific paths and layers, filtering base-image noise without hiding real application risk.
How Snyk IaC's static analysis engine parses Terraform HC...
A technical walkthrough of how Snyk IaC parses Terraform HCL into JSON, evaluates it with OPA/Rego policies, and maps violations back to source lines.