Drone CI Supply Chain Hardening 2026
A 2026 hardening guide for Drone CI: plugin trust, runner isolation, signed pipelines, secret scoping, and integrating Drone with SLSA and sigstore.
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
AWS CodePipeline is where most AWS-native supply chain attacks land in 2026. This is the defence blueprint that actually works in production accounts.
Shift-left only works when developers stop noticing it. A 2026 playbook for moving supply chain checks earlier in the workflow without burning out the people who ship code.
In many enterprises, Azure DevOps pipelines hold more production deployment power than any other single system. The 2026 supply chain controls are no longer optional.
The editor is the highest-leverage place to catch supply chain risk. A design guide for building IDE-time feedback that developers actually want.
How to manage CircleCI orb trust in 2026: certified versus uncertified orbs, version pinning, contexts, OIDC, and the controls that hold under real attacker pressure.
Cloud Build has the strongest native supply chain primitives of any major CI service. Most GCP shops are still not using them. This is the 2026 blueprint.
The pull request is the highest-stakes moment in shift-left. A field guide to designing PR policy gates that block bad code without breaking trust.
Cosign-signed images in ECR are no longer a side project. This is how to roll out signing across an AWS estate without breaking the deploy pipeline.