DevSecOps
SBOM Review in Pull Request Workflows
An SBOM that arrives after merge is a compliance artifact. An SBOM that shows up in the PR is a security control. Here is how to wire it up without killing velocity.
Jan 28, 20266 min read
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
An SBOM that arrives after merge is a compliance artifact. An SBOM that shows up in the PR is a security control. Here is how to wire it up without killing velocity.
Tag-pinning Actions feels fine until a maintainer gets compromised. Here is why SHA-pinning is the only serious option in 2026 and how to operationalize it.
Pre-commit hooks feel like a free security win until you ship them at scale. Here are the failure modes, trust boundaries, and escape hatches that bite.
Rotating tokens, OIDC federation, and scoped runners are table stakes in 2026. Here is how senior engineers design CI secrets that do not leak on bad days.
Doppler pitches itself as the secrets platform that gets out of developers' way. A detailed look at what works, what does not, and the trade-offs against Vault, Infisical, and the cloud-native options.
Security tools that developers hate get bypassed. The organizations with the best security outcomes are the ones that treat developer experience as a security requirement.
Platform engineering teams are becoming the stewards of developer experience. Here's how to make supply chain security a built-in capability, not a bolt-on burden.
Inside Spotify's approach to managing thousands of dependencies across hundreds of microservices, balancing developer autonomy with supply chain security.
How to integrate security earlier in the development lifecycle without turning your CI pipeline into a bottleneck that developers hate.
Weekly insights on software supply chain security, delivered to your inbox.