Safeguard
Tag

secrets-management

Safeguard articles tagged "secrets-management" — guides, analysis, and best practices for software supply chain and application security.

90 articles

Container Security

Securing a Dockerized Rails Local Dev Environment

A misplaced master.key or a permissive COPY . . can bake Rails credentials into an image layer forever — here's how to Dockerize Rails dev safely.

Jul 12, 20266 min read
DevSecOps

Securing Playwright E2E Tests in GitHub Actions Without Leaking Secrets

A 2025 supply-chain attack on tj-actions/changed-files hit 23,000+ repos and dumped secrets into public logs — the same CI patterns power most Playwright pipelines.

Jul 12, 20267 min read
Kubernetes Security

Securing the Argo CD to Kubernetes GitOps Pipeline

One symlinked Helm values file (CVE-2022-24348, CVSS 7.7) let attackers read secrets across Argo CD tenants — GitOps trust needs hardening, not just adoption.

Jul 12, 20266 min read
Container Security

Docker secrets management without Kubernetes: BuildKit, Swarm, and env vars compared

BuildKit's --secret flag shipped in Docker 18.09 in 2018, yet ENV and --build-arg leaks into image layers remain the most common way containers ship credentials.

Jul 10, 20266 min read
Supply Chain Security

Incident response playbook for a compromised dependency or CI action

23,000+ repos leaked secrets when tj-actions was hijacked in March 2025. Here's the revoke, rotate, and audit playbook for when it's your turn.

Jul 10, 20266 min read
Supply Chain Attacks

Reconstructing the tj-actions/changed-files compromise

CVE-2025-30066 hit CISA's KEV list within 3 days: 23,000+ repos ran a poisoned GitHub Action that dumped CI secrets straight into public build logs.

Jul 9, 20266 min read
Container Security

Docker Layer Caching Security Risks (and How to Avoid Them)

Layer caching makes builds fast — and quietly bakes secrets into layers, hides unpatched base images, and poisons shared CI caches. Here is how to keep caching without the exposure.

Jul 8, 20266 min read
DevSecOps

The AppSec Program Spring-Cleaning Checklist

The xz-utils backdoor sat in a maintainer's commits for over two years before a Postgres developer's slow SSH login exposed it in March 2024. Most AppSec programs never audit for that kind of drift.

Jul 8, 20266 min read
Best Practices

Data loss prevention for developers: stopping leaks before they hit the network

CWE-532 covers secrets logged in plaintext — the exact bug that led Twitter to reset every password on May 3, 2018. Network DLP can't catch it; your code has to.

Jul 8, 20267 min read
DevSecOps

Protect the Environment: How Env-Var Leakage Happens in CI/CD

One tampered Bash script exposed roughly 23,000 Codecov customers' credentials for two months. Environment-variable leakage is a recurring CI/CD failure mode, not a one-off.

Jul 8, 20266 min read
DevSecOps

Hardening CI/CD Pipelines End to End

A leaked Codecov credential let attackers read CI secrets from 23,000+ customers for two months in 2021. Here's how to close every stage of that gap.

Jul 8, 20268 min read
Cloud Security

Cloud Secrets Management: A Lifecycle Guide for 2026

A lifecycle approach to managing secrets across AWS, Azure, and GCP — storage, distribution, rotation, and detection — with Secrets Manager, Key Vault, Secret Manager, and CI/CD examples.

Jul 7, 20265 min read
secrets-management (Page 2) — Safeguard Blog