GitHub Actions: SHA-Pin Tags or Get Burned
Tag-pinning Actions feels fine until a maintainer gets compromised. Here is why SHA-pinning is the only serious option in 2026 and how to operationalize it.
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
Pre-commit hooks feel like a free security win until you ship them at scale. Here are the failure modes, trust boundaries, and escape hatches that bite.
Shift-left security doesn't mean dumping security tools on developers. Here's a practical guide to integrating security into your development workflow without killing velocity.
Rotating tokens, OIDC federation, and scoped runners are table stakes in 2026. Here is how senior engineers design CI secrets that do not leak on bad days.
A technical look at WASI Preview 2, the component model, and capability-based isolation for running untrusted code inside supply chain tooling.
Run reachability analysis on every pull request to slash vulnerability false positives by 70%+, gate merges on exploitable findings, and keep devs focused.
JFrog Artifactory and Sonatype Nexus both remain viable enterprise artifact repositories in 2025. A head-to-head on scale, security, and the decision factors that actually matter.
Detailed runbooks for responding to dependency CVE disclosures across languages and ecosystems, with roles, commands, and timelines tuned for automation.
A 2025 buyer's guide comparing JFrog Artifactory, Sonatype Nexus, GitHub Packages, Google Artifact Registry, and Cloudsmith on ecosystems, policy, and TCO.