secrets-management
Safeguard articles tagged "secrets-management" — guides, analysis, and best practices for software supply chain and application security.
90 articles
Securing a Dockerized Rails Local Dev Environment
A misplaced master.key or a permissive COPY . . can bake Rails credentials into an image layer forever — here's how to Dockerize Rails dev safely.
Securing Playwright E2E Tests in GitHub Actions Without Leaking Secrets
A 2025 supply-chain attack on tj-actions/changed-files hit 23,000+ repos and dumped secrets into public logs — the same CI patterns power most Playwright pipelines.
Securing the Argo CD to Kubernetes GitOps Pipeline
One symlinked Helm values file (CVE-2022-24348, CVSS 7.7) let attackers read secrets across Argo CD tenants — GitOps trust needs hardening, not just adoption.
Docker secrets management without Kubernetes: BuildKit, Swarm, and env vars compared
BuildKit's --secret flag shipped in Docker 18.09 in 2018, yet ENV and --build-arg leaks into image layers remain the most common way containers ship credentials.
Incident response playbook for a compromised dependency or CI action
23,000+ repos leaked secrets when tj-actions was hijacked in March 2025. Here's the revoke, rotate, and audit playbook for when it's your turn.
Reconstructing the tj-actions/changed-files compromise
CVE-2025-30066 hit CISA's KEV list within 3 days: 23,000+ repos ran a poisoned GitHub Action that dumped CI secrets straight into public build logs.
Docker Layer Caching Security Risks (and How to Avoid Them)
Layer caching makes builds fast — and quietly bakes secrets into layers, hides unpatched base images, and poisons shared CI caches. Here is how to keep caching without the exposure.
The AppSec Program Spring-Cleaning Checklist
The xz-utils backdoor sat in a maintainer's commits for over two years before a Postgres developer's slow SSH login exposed it in March 2024. Most AppSec programs never audit for that kind of drift.
Data loss prevention for developers: stopping leaks before they hit the network
CWE-532 covers secrets logged in plaintext — the exact bug that led Twitter to reset every password on May 3, 2018. Network DLP can't catch it; your code has to.
Protect the Environment: How Env-Var Leakage Happens in CI/CD
One tampered Bash script exposed roughly 23,000 Codecov customers' credentials for two months. Environment-variable leakage is a recurring CI/CD failure mode, not a one-off.
Hardening CI/CD Pipelines End to End
A leaked Codecov credential let attackers read CI secrets from 23,000+ customers for two months in 2021. Here's how to close every stage of that gap.
Cloud Secrets Management: A Lifecycle Guide for 2026
A lifecycle approach to managing secrets across AWS, Azure, and GCP — storage, distribution, rotation, and detection — with Secrets Manager, Key Vault, Secret Manager, and CI/CD examples.