Please Build System Security Review
A hands-on security review of Please, the open-source Bazel-inspired build system, including sandbox behavior, BUILD rules, and supply chain trade-offs.
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
Bicep and ARM templates produce the same deployments, but their security properties diverge — in module provenance, what-if analysis, registry trust, and review experience.
Practical security patterns for Spinnaker deployments: account isolation, pipeline template governance, artifact binding, and the CVE history behind the current authentication defaults.
A security data lake aggregates SBOMs, vulnerability data, build provenance, and runtime signals into a queryable store. This architecture enables the cross-cutting analysis that siloed tools cannot provide.
Private NuGet feeds sit in the blind spot of most security programs. The hardening work is not glamorous but the failure modes are expensive.
Rotating a few npm tokens is easy. Rotating a few thousand across a shared CI fleet is a project. A practical strategy that survives real organizations.
A security-focused look at Drone CI: runner isolation, secret handling, plugin risks, and the differences between Drone OSS, Enterprise, and the Harness transition.
Practical supply chain lessons from running Nix and Nix flakes in production, including flake.lock handling, content-addressed derivations, and cachix trust.
Compare Semgrep and CodeQL on rule authoring, language coverage, taint analysis, scan time, IDE integration, and pricing to choose the right SAST engine in 2024.