Safeguard
Tag

secrets-management

Safeguard articles tagged "secrets-management" — guides, analysis, and best practices for software supply chain and application security.

90 articles

Supply Chain Attacks

Anatomy of the Codecov Bash Uploader compromise

A single altered line in Codecov's Bash Uploader ran undetected for 65 days, siphoning CI secrets from thousands of pipelines before anyone noticed.

Jul 16, 20266 min read
Supply Chain Attacks

Lessons from the CircleCI 2023 secrets breach

A stolen session cookie bypassed 2FA and let attackers read secrets from live memory. CircleCI's own timeline shows what fast rotation actually requires.

Jul 15, 20267 min read
Application Security

Exposed .git Directories and the Git Internals That Leak Your Source

Roughly 4.96 million IPs expose .git metadata today, and over 252,000 leak live credentials in .git/config — a 2018-era bug that never went away.

Jul 15, 20266 min read
Kubernetes Security

Native Secrets, Sealed Secrets, or Vault: Picking a Kubernetes Secrets Strategy

Kubernetes Secrets are base64-encoded, not encrypted — etcd stores them near-plaintext unless you configure encryption at rest yourself.

Jul 15, 20266 min read
Best Practices

Secure Coding Fundamentals: A No-Jargon Checklist for New Developers

Three habits — validating input, managing secrets, and pinning dependencies — sit behind most preventable breaches, from Log4Shell to the event-stream hack.

Jul 15, 20267 min read
DevSecOps

Securing Secrets and Environment Variables in GitHub Actions

A tag-pinned GitHub Action used by 23,000+ repos was rewritten to dump CI memory in March 2025 — here's how OIDC and SHA-pinning would have stopped it.

Jul 15, 20266 min read
Best Practices

AppSec anti-patterns to eliminate

23.8M secrets leaked on public GitHub in 2024 alone. Here are the AppSec anti-patterns behind numbers like that — and the concrete practices that replace them.

Jul 14, 20266 min read
Best Practices

The security hygiene checklist most engineering orgs still skip

22% of breaches start with stolen credentials, per Verizon's 2025 DBIR. A quarter-long hygiene checklist — patching, MFA, secrets, least privilege — closes most of that gap.

Jul 14, 20266 min read
Container Security

Best practices for containerizing .NET applications securely

.NET 8 gave containers a built-in non-root user and chiseled images that cut one team's CVE count 92% — most Dockerfiles still don't use either.

Jul 13, 20266 min read
Supply Chain Security

The NSA/CISA Enduring Security Framework Guide for Developers, Reviewed

NSA, CISA, and ODNI published developer supply-chain guidance in August 2022 — four years on, here's what it actually asks of your pipeline.

Jul 13, 20267 min read
Kubernetes Security

Best practices for securing Kubernetes ConfigMaps

ConfigMaps store plaintext in etcd with no size guardrail beyond 1 MiB — teams that drop credentials in them expose secrets to a far bigger RBAC audience.

Jul 13, 20266 min read
Best Practices

Security considerations for authenticating CLI tools through corporate proxies

Two 2026 curl CVEs show proxy credentials leaking across redirects and reused connections — plus why .npmrc still stores proxy passwords in plaintext.

Jul 12, 20266 min read
secrets-management — Safeguard Blog