DevSecOps
CLI Tool Design For Developer Security Checks
A security CLI lives or dies on the experience of typing it. A design guide for building security tooling that respects the developer's terminal.
Mar 30, 20268 min read
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
A security CLI lives or dies on the experience of typing it. A design guide for building security tooling that respects the developer's terminal.
A 2026 supply chain security baseline for Jenkins: plugin hygiene, agent isolation, Pipeline-as-Code discipline, credentials, and provenance integration.
Every security tool spends developer attention. A framework for budgeting friction across IDE, CLI, and PR-time supply chain checks without going bankrupt.
Shift-left is necessary but insufficient. A program design that distributes supply chain checks across IDE, CLI, PR, build, and runtime — without redundancy.
A 2026 hardening checklist for GitLab CI: ID tokens, protected branches, runner isolation, included templates, and the controls that actually shrink blast radius.
Trusted Publishing made PyPI safer, but leaked short-lived OIDC tokens in CI logs kicked off a credential-replay campaign that PyPI, GitHub, and Sonatype all tracked in 2025.
Security champions are the human layer that makes shift-left work. A 2026 program design for selecting, training, and retaining champions in engineering.
A pragmatic 2026 hardening checklist for GitHub Actions: OIDC, pinned actions, environment protection, reusable workflows, and the controls that actually move risk.
A year after the tj-actions/changed-files compromise leaked CI secrets across thousands of GitHub repos, what did we fix and what is still dangerously convenient?
Weekly insights on software supply chain security, delivered to your inbox.