GitHub Actions: SHA-Pin Tags or Get Burned
Tag-pinning Actions feels fine until a maintainer gets compromised. Here is why SHA-pinning is the only serious option in 2026 and how to operationalize it.
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
Pre-commit hooks feel like a free security win until you ship them at scale. Here are the failure modes, trust boundaries, and escape hatches that bite.
Rotating tokens, OIDC federation, and scoped runners are table stakes in 2026. Here is how senior engineers design CI secrets that do not leak on bad days.
Doppler pitches itself as the secrets platform that gets out of developers' way. A detailed look at what works, what does not, and the trade-offs against Vault, Infisical, and the cloud-native options.
Security tools that developers hate get bypassed. The organizations with the best security outcomes are the ones that treat developer experience as a security requirement.
Platform engineering teams are becoming the stewards of developer experience. Here's how to make supply chain security a built-in capability, not a bolt-on burden.
Inside Spotify's approach to managing thousands of dependencies across hundreds of microservices, balancing developer autonomy with supply chain security.
How to integrate security earlier in the development lifecycle without turning your CI pipeline into a bottleneck that developers hate.