Ninja Build Supply Chain Considerations
Ninja is a low-level build tool, not a package manager: it executes the commands listed in a generated build.ninja manifest and resolves nothing from the network itself. That framing matters for understanding its supply chain properties and the common misconceptions about them, because the trust questions sit in whatever generated the manifest (CMake, Meson, GN and so on) and in the commands the manifest tells Ninja to run, not in Ninja.
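As an added example (not code from the original article or from the Ninja project), the following scanner parses a constructed build.ninja manifest, resolves each build step's command the way Ninja would (global variables, rule variables, build-scoped bindings, `$in`/`$out`), and flags steps whose commands invoke a network-fetching tool. The sample manifest, the URL in it and the tool list are assumptions made for the example; the point it demonstrates is that because Ninja never fetches anything itself, any download a build performs has to be visible in the generated commands, where it can be audited.

```python
"""Scan a build.ninja manifest for build steps whose commands reach the network.

Constructed example: not part of Ninja or of the original article.  Ninja only
runs the shell commands its manifest gives it, so a hermeticity check amounts
to reading those commands after variable expansion.
"""
import re
from dataclasses import dataclass, field

# Heuristic list of programs that usually mean "fetch from the network".
# Assumption for the example; `git` can also be purely local, so review hits.
NETWORK_TOOLS = {"curl", "wget", "pip", "pip3", "npm", "git"}

# Constructed sample manifest (the host name is deliberately unresolvable).
SAMPLE_MANIFEST = """\
# constructed sample build.ninja
cc = clang
cflags = -O2 -Wall

rule cc
  command = $cc $cflags -c $in -o $out
  description = CC $out

rule fetch_dep
  command = curl -sSL https://example.invalid/libfoo.tar.gz | tar xz -C $out
  description = FETCH $out

rule link
  command = $cc $in -o $out

build vendor/libfoo: fetch_dep
build obj/main.o: cc src/main.c
build bin/app: link obj/main.o
"""

VAR_RE = re.compile(r"\$(\$|\{(\w+)\}|(\w+))")
SPLIT_RE = re.compile(r"\|\||&&|\||;")  # shell pipeline / list separators


@dataclass
class Build:
    outputs: list
    rule: str
    inputs: list
    vars: dict = field(default_factory=dict)


def expand(text: str, scope: dict) -> str:
    """Expand $var, ${var} and the $$ escape; unknown variables become empty."""
    def repl(m):
        if m.group(1) == "$":
            return "$"
        return scope.get(m.group(2) or m.group(3), "")
    return VAR_RE.sub(repl, text)


def parse_manifest(text: str):
    """Minimal build.ninja parser: globals, rules, builds and their bindings.

    Line continuations ("$" at end of line) and include/subninja are not handled.
    """
    globals_, rules, builds = {}, {}, []
    current = None  # dict receiving indented "key = value" bindings
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":
            if current is not None:
                key, _, value = line.strip().partition("=")
                current[key.strip()] = value.strip()
            continue
        current = None
        if line.startswith("rule "):
            current = rules[line.split()[1]] = {}
        elif line.startswith("build "):
            m = re.match(r"build\s+(.+?):\s*(\S+)\s*(.*)", line)
            # Drop implicit ("| x") and order-only ("|| y") deps from $in.
            inputs = m.group(3).split("|")[0].split()
            b = Build(m.group(1).split(), m.group(2), inputs)
            builds.append(b)
            current = b.vars
        elif "=" in line:
            key, _, value = line.partition("=")
            # Ninja expands globals at definition time, so do the same.
            globals_[key.strip()] = expand(value.strip(), globals_)
    return globals_, rules, builds


def resolve_command(build: Build, rule: dict, globals_: dict) -> str:
    """Produce the command line Ninja would actually execute for this step."""
    scope = {**globals_, **build.vars,
             "in": " ".join(build.inputs), "out": " ".join(build.outputs)}
    return expand(rule.get("command", ""), scope)


def network_tools_in(command: str) -> list:
    """Return the flagged program names found at the head of each command segment."""
    found = []
    for segment in SPLIT_RE.split(command):
        tokens = segment.split()
        if tokens and tokens[0].rsplit("/", 1)[-1] in NETWORK_TOOLS:
            found.append(tokens[0].rsplit("/", 1)[-1])
    return found


def scan(manifest_text: str) -> list:
    """Return (first output, rule name, tool, resolved command) for every hit."""
    globals_, rules, builds = parse_manifest(manifest_text)
    findings = []
    for b in builds:
        rule = rules.get(b.rule)
        if rule is None:  # e.g. the built-in "phony" rule has no command
            continue
        cmd = resolve_command(b, rule, globals_)
        for tool in network_tools_in(cmd):
            findings.append((b.outputs[0], b.rule, tool, cmd))
    return findings


if __name__ == "__main__":
    for out, rule, tool, cmd in scan(SAMPLE_MANIFEST):
        print(f"{out}: rule '{rule}' runs {tool}: {cmd}")
```

On the sample manifest only the `fetch_dep` step is reported; the compile and link steps expand to plain compiler invocations. In practice you would run this over the manifest your generator emits in CI and fail the build on any hit, then move the download into a pinned, checksum-verified fetch outside the build graph.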