secrets
Safeguard articles tagged "secrets" — guides, analysis, and best practices for software supply chain and application security.
30 articles
Gitleaks Secret Scanning Recipes for 2026
Practical Gitleaks configurations and workflows for 2026, including pre-commit setup, monorepo tuning, custom rules, and how to avoid the false-positive treadmill.
How to Rotate Leaked Secrets With Automation (2026)
The 2026 playbook for automated secret rotation: detection pipelines, credential broker patterns, blast-radius analysis, and CI integration that actually holds up in production.
Codecov Bash Uploader 2021: A Supply Chain Retrospective
The Codecov bash uploader compromise was the quiet supply chain attack that exposed how CI secrets flow through every customer's pipeline. A five-year look back.
Secrets Management in CI Pipelines: 2026 Guide
Rotating tokens, OIDC federation, and scoped runners are table stakes in 2026. Here is how senior engineers design CI secrets that do not leak on bad days.
Pre-Commit Hooks Security Recipes for 2026
Practical pre-commit framework recipes that catch secrets, malicious packages, and risky changes before they reach your remote, without slowing developers down.
How to Vet a GitHub Action Before You Trust It with Secrets
Third-party Actions run with your repo's token and secrets. A vetting routine: read the source at the pinned SHA, audit the bundled dist, scope permissions, and contain egress.
What Is Key Management? Protecting the Keys That Protect Everything
Key management is the discipline of generating, storing, rotating, and retiring cryptographic keys safely. Strong encryption is only as good as the way its keys are handled.
Dev Machine Secrets: The Exfiltration Risks
Engineer laptops are the softest target in most organizations. Here is a senior engineer's look at the real exfiltration paths for developer secrets and how to shut them down.
Secrets Rotation Across Microservices: A Playbook
A practical senior engineer's playbook for rotating secrets across microservices without downtime, drift, or the quiet credential leaks that come from half-done cutovers.
age + SOPS: A Git-Native Secrets Workflow
How age and SOPS together deliver a lightweight, auditable, Git-native secrets workflow that stands up to real production use without a vault server.
AWS SSM Parameter Store Security
Parameter Store is everywhere in AWS workloads, which means it accumulates secrets, configuration, and bad IAM over time. Here is the security review I run on every Parameter Store deployment.
CyberArk Conjur for Enterprise Secrets Management
Where Conjur fits in 2024 for enterprise secrets management, what it does well, where it hurts, and how to roll it out without drowning the platform team.