Safeguard
Tag

secrets

Safeguard articles tagged "secrets" — guides, analysis, and best practices for software supply chain and application security.

30 articles

Threat Research

Lessons from Shai-Hulud: The First Self-Propagating npm Worm

In September 2025, npm faced a supply chain attack that spread by itself — stealing developers' tokens, then using them to trojanize the victims' own packages. Here is how it worked.

Jul 8, 20266 min read
Security Guides

OIDC vs Static Credentials in CI/CD (2026 Guide)

Static secrets in CI are the credential most likely to be stolen — as the CircleCI breach proved. OIDC federation issues short-lived, per-run credentials with nothing to leak. Here is how to make the switch.

Jul 8, 20266 min read
Security Guides

The Risks of Secrets in Environment Variables (2026)

Environment variables feel like the safe place to put secrets — but they leak through crash dumps, child processes, CI logs, and container layers. Here is where env-var secrets escape and what to do instead.

Jul 5, 20266 min read
Security Guides

Database Credential Security (2026 Guide)

Database credentials are the last door between an attacker and your data. This guide covers eliminating static passwords with IAM auth, scoping least privilege, rotating safely, and detecting leaked connection strings.

Jul 4, 20266 min read
Tutorials

How to Scan for Secrets in a Git Repository

Find hardcoded API keys, tokens, and credentials in your working tree and full Git history, stop new leaks at commit time, and remediate a secret that has already been pushed.

Jul 4, 20266 min read
Threat Research

Lessons from the Codecov Breach: When Your CI Secrets Walk Out the Door

For two months in 2021, Codecov's Bash Uploader quietly exfiltrated CI environment variables. Here is how a single trusted script became a mass credential-harvesting operation.

Jul 4, 20266 min read
Security Guides

GitHub Token Security (2026 Guide)

GitHub tokens are keys to your source, your CI, and often your cloud. This guide covers PATs, fine-grained tokens, GitHub App and Actions tokens — and how to scope, store, and rotate them after the CircleCI and Heroku token thefts.

Jul 3, 20266 min read
Solutions

Software Supply Chain Security for DevOps Teams

DevOps teams own the pipeline, and the pipeline is now the primary target. Here is how to secure build, artifact, and deploy without turning delivery speed into collateral damage.

Jul 3, 20266 min read
Security Guides

AWS Access Key Security Best Practices (2026)

Long-lived AWS access keys are the single most abused cloud credential. Here is how to eliminate them where you can, harden the ones you keep, and detect leaks — with real breaches and copy-paste commands.

Jul 2, 20266 min read
Security Guides

How to Rotate Leaked API Keys (2026 Playbook)

A leaked API key is a live credential until you kill it. Here is a provider-agnostic rotation playbook — grounded in the Toyota T-Connect and CircleCI incidents — that revokes access without breaking production.

Jul 1, 20267 min read
Cloud Security

Azure DevOps Personal Access Tokens in 2026: Rotation, Scoping, and Replacement

PATs remain the most common credential leak in Azure DevOps incidents. We trace the patterns that actually reduce risk and the migration paths that retire them entirely.

Apr 17, 20267 min read
Container Security

Docker BuildKit Security Best Practices for 2026

BuildKit has been the default Docker builder for years, but its security features remain underused. Here are the practices that matter in 2026.

Apr 2, 20266 min read
secrets — Safeguard Blog