Tag
yaml
Safeguard articles tagged "yaml" — guides, analysis, and best practices for software supply chain and application security.
4 articles
Open Source Security
Recurring vulnerability patterns in the PyPI ecosystem
PyYAML shipped two rounds of deserialization fixes in under two years — CVE-2017-18342 and CVE-2020-14343 — because the underlying pattern kept resurfacing.
Jul 14, 20266 min read
Application Security
YAML Deserialization Attacks: The Config File That Runs Code
YAML's type system allows object instantiation during parsing. In many languages, this means a YAML file can execute arbitrary code.
Feb 18, 20264 min read
DevSecOps
Azure DevOps YAML Pipeline Hardening
A practical, line-by-line walk through hardening Azure DevOps YAML pipelines — template injection, task version pinning, approvals, and the defaults that will bite you.
Apr 20, 20247 min read
Application Security
YAML Deserialization Attacks and How to Prevent Them
YAML looks innocent but its deserialization features have led to remote code execution in countless applications. Here is why and how to stay safe.
Jan 28, 20244 min read