DevSecOps
How to Measure Dependency Freshness in CI
A practical CI tutorial for measuring dependency freshness, setting SLOs for version drift, and failing builds when packages fall too far behind upstream.
May 20, 20246 min read
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
A practical CI tutorial for measuring dependency freshness, setting SLOs for version drift, and failing builds when packages fall too far behind upstream.
A practitioner's view of the Pants build system's security properties, covering sandboxing, third-party resolution, and the Pants 2.x architecture.
CodeBuild projects are where most AWS supply chain compromises end up executing. Here is a practical hardening guide built from years of incident response, with specific buildspec controls and IAM patterns.
1Password has quietly become a credible secrets backend for CI/CD. A walkthrough of Connect, Service Accounts, and the CLI patterns that make 1Password Secrets Automation work in a build pipeline.
A practical, line-by-line walk through hardening Azure DevOps YAML pipelines — template injection, task version pinning, approvals, and the defaults that will bite you.
Container image scanning tools vary widely in detection rates, false positive rates, and coverage. Here is a practical assessment of the container security scanning landscape in 2024.
A case study in moving a sprawling Jenkins estate to GitHub Actions without losing supply chain visibility, artifact integrity, or developer trust.
How Bazel's hermeticity model reduces supply chain risk, with concrete WORKSPACE and MODULE.bazel examples from real migrations.
How Jenkins pipelines end up as supply chain attack vectors, covering Groovy sandbox risks, plugin CVEs, credential binding, and practical hardening for Jenkins 2.440+.
Weekly insights on software supply chain security, delivered to your inbox.