secrets-management
Safeguard articles tagged "secrets-management" — guides, analysis, and best practices for software supply chain and application security.
90 articles
Anatomy of the Codecov Bash Uploader compromise
A single altered line in Codecov's Bash Uploader ran undetected for 65 days, siphoning CI secrets from thousands of pipelines before anyone noticed.
Lessons from the CircleCI 2023 secrets breach
A stolen session cookie bypassed 2FA and let attackers read secrets from live memory. CircleCI's own timeline shows what fast rotation actually requires.
Exposed .git Directories and the Git Internals That Leak Your Source
Roughly 4.96 million IPs expose .git metadata today, and over 252,000 leak live credentials in .git/config — a 2018-era bug that never went away.
Native Secrets, Sealed Secrets, or Vault: Picking a Kubernetes Secrets Strategy
Kubernetes Secrets are base64-encoded, not encrypted — etcd stores them near-plaintext unless you configure encryption at rest yourself.
Secure Coding Fundamentals: A No-Jargon Checklist for New Developers
Three habits — validating input, managing secrets, and pinning dependencies — sit behind most preventable breaches, from Log4Shell to the event-stream hack.
Securing Secrets and Environment Variables in GitHub Actions
A tag-pinned GitHub Action used by 23,000+ repos was rewritten to dump CI memory in March 2025 — here's how OIDC and SHA-pinning would have stopped it.
AppSec anti-patterns to eliminate
23.8M secrets leaked on public GitHub in 2024 alone. Here are the AppSec anti-patterns behind numbers like that — and the concrete practices that replace them.
The security hygiene checklist most engineering orgs still skip
22% of breaches start with stolen credentials, per Verizon's 2025 DBIR. A quarter-long hygiene checklist — patching, MFA, secrets, least privilege — closes most of that gap.
Best practices for containerizing .NET applications securely
.NET 8 gave containers a built-in non-root user and chiseled images that cut one team's CVE count 92% — most Dockerfiles still don't use either.
The NSA/CISA Enduring Security Framework Guide for Developers, Reviewed
NSA, CISA, and ODNI published developer supply-chain guidance in August 2022 — four years on, here's what it actually asks of your pipeline.
Best practices for securing Kubernetes ConfigMaps
ConfigMaps store plaintext in etcd with no size guardrail beyond 1 MiB — teams that drop credentials in them expose secrets to a far bigger RBAC audience.
Security considerations for authenticating CLI tools through corporate proxies
Two 2026 curl CVEs show proxy credentials leaking across redirects and reused connections — plus why .npmrc still stores proxy passwords in plaintext.