DevSecOps
Zero Trust for CI/CD Pipelines: A Concrete Blueprint
CI/CD runners are a top attacker target. Here's a concrete zero-trust blueprint using OIDC federation, pinned action SHAs, and short-lived identities.
Mar 24, 20268 min read
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
CI/CD runners are a top attacker target. Here's a concrete zero-trust blueprint using OIDC federation, pinned action SHAs, and short-lived identities.
Platform engineering teams are becoming the new home for security controls. Here's why that is both promising and risky.
An update PR is not a security finding. Here is a triage model that keeps reachability, risk, and engineering effort in the right conversation.
Both tools open the same kind of PR. The differences that matter at scale show up in configuration, grouping, platform support, and what happens when something breaks.
If you cannot measure your supply chain security posture, you cannot invest in it. Here are the KPIs that separate real programs from the theater.
Reproducible builds used to feel academic. After a decade of supply chain attacks, they are the shortest path from an SBOM to a verifiable artifact. Here is the case.
An IDP that makes the secure path the easy path wins. One that requires engineers to opt into security loses. Here is how to ship defaults that actually stick.
Dev containers promise reproducibility and isolation. They also pull in a long tail of scripts, dotfiles, and feature repos that most teams never audit. Here is how to fix that.
An SBOM that arrives after merge is a compliance artifact. An SBOM that shows up in the PR is a security control. Here is how to wire it up without killing velocity.
Weekly insights on software supply chain security, delivered to your inbox.