Cloud Security
GCP Cloud Build + Workload Identity Federation
Workload Identity Federation is the right way to give Cloud Build and external CI access to GCP. Here is the architecture, the traps, and the rollout plan.
Feb 1, 20267 min read
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
Workload Identity Federation is the right way to give Cloud Build and external CI access to GCP. Here is the architecture, the traps, and the rollout plan.
A senior engineer's 2026 playbook for hardening Azure DevOps against the supply chain attacks that actually happen: extensions, service connections, and template injection.
CodeBuild and CodePipeline still carry the biggest AWS supply chain blast radius per dollar. Here is how to harden them in 2026 without rewriting to a different CI.
Both Prisma Cloud and Wiz have expanded into supply chain territory from cloud security origins. A head-to-head on what each actually delivers on the supply chain dimension.
CNAPP has become the dominant category in cloud security. But the label covers wildly different capabilities. A clear-eyed look at what CNAPPs do, where they fall short, and how supply chain security fits in.
Service-linked roles are the soft underbelly of AWS IAM. We catalogue the 2024-2025 abuse primitives and the detection queries that catch them.
Cutting through the CWPP marketing noise to identify the capabilities that genuinely protect cloud workloads from modern threats.
A review of Prisma Cloud's container and cloud workload security features, covering image scanning, runtime protection, compliance, and the Twistlock heritage.
What CSPM actually does, where it falls short, and how to get real value from posture management instead of drowning in alerts.
Weekly insights on software supply chain security, delivered to your inbox.