secrets
Safeguard articles tagged "secrets" — guides, analysis, and best practices for software supply chain and application security.
30 articles
Lessons from Shai-Hulud: The First Self-Propagating npm Worm
In September 2025, npm faced a supply chain attack that spread by itself — stealing developers' tokens, then using them to trojanize the victims' own packages. Here is how it worked.
OIDC vs Static Credentials in CI/CD (2026 Guide)
Static secrets in CI are the credential most likely to be stolen — as the CircleCI breach proved. OIDC federation issues short-lived, per-run credentials with nothing to leak. Here is how to make the switch.
The Risks of Secrets in Environment Variables (2026)
Environment variables feel like the safe place to put secrets — but they leak through crash dumps, child processes, CI logs, and container layers. Here is where env-var secrets escape and what to do instead.
Database Credential Security (2026 Guide)
Database credentials are the last door between an attacker and your data. This guide covers eliminating static passwords with IAM auth, scoping least privilege, rotating safely, and detecting leaked connection strings.
How to Scan for Secrets in a Git Repository
Find hardcoded API keys, tokens, and credentials in your working tree and full Git history, stop new leaks at commit time, and remediate a secret that has already been pushed.
Lessons from the Codecov Breach: When Your CI Secrets Walk Out the Door
For two months in 2021, Codecov's Bash Uploader quietly exfiltrated CI environment variables. Here is how a single trusted script became a mass credential-harvesting operation.
GitHub Token Security (2026 Guide)
GitHub tokens are keys to your source, your CI, and often your cloud. This guide covers PATs, fine-grained tokens, GitHub App and Actions tokens — and how to scope, store, and rotate them after the CircleCI and Heroku token thefts.
Software Supply Chain Security for DevOps Teams
DevOps teams own the pipeline, and the pipeline is now the primary target. Here is how to secure build, artifact, and deploy without turning delivery speed into collateral damage.
AWS Access Key Security Best Practices (2026)
Long-lived AWS access keys are the single most abused cloud credential. Here is how to eliminate them where you can, harden the ones you keep, and detect leaks — with real breaches and copy-paste commands.
How to Rotate Leaked API Keys (2026 Playbook)
A leaked API key is a live credential until you kill it. Here is a provider-agnostic rotation playbook — grounded in the Toyota T-Connect and CircleCI incidents — that revokes access without breaking production.
Azure DevOps Personal Access Tokens in 2026: Rotation, Scoping, and Replacement
PATs remain the most common credential leak in Azure DevOps incidents. We trace the patterns that actually reduce risk and the migration paths that retire them entirely.
Docker BuildKit Security Best Practices for 2026
BuildKit has been the default Docker builder for years, but its security features remain underused. Here are the practices that matter in 2026.