Release Management Security Checklist
A pre-release security checklist that covers dependency verification, vulnerability scanning, SBOM generation, and artifact integrity for every production release.
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
The software industry runs on open source, much of it maintained by unpaid volunteers. Until we fix the funding problem, we can't fix the security problem.
Container images are opaque by default. Here's how to crack them open with SBOMs to see exactly what's running in production.
When a dependency becomes a security liability, migration is the only real fix. Here is a structured approach to dependency migration that minimizes risk and disruption.
The way open source projects get funded directly shapes their security outcomes. From corporate sponsorship to bounty programs, each model creates different incentives and blind spots.
CycloneDX is more than a component list. This deep dive covers services, vulnerabilities, compositions, and the parts of the spec most teams overlook.
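The release checklist above lists dependency verification, SBOM generation and artifact integrity as separate items; the CycloneDX post points out that the spec carries per-component hashes and a `compositions` section that states whether the inventory is complete. The following added example (written for this page, not code from Safeguard or from the CycloneDX project) ties those together in one pre-release gate: it reads a constructed CycloneDX 1.4 JSON document, recomputes SHA-256 over the staged artifacts, and refuses the release if any component lacks a version or hash, any hash disagrees with the bytes on disk, any staged artifact is missing from the SBOM, or the composition is not declared `complete`. The package names and file contents are made up for the example.

```python
import copy
import hashlib
import hmac

# Constructed sample artifacts keyed by purl. The bytes are invented for the
# example and are not the real packages' contents.
GOOD_ARTIFACTS = {
    "pkg:npm/left-pad@1.3.0": b"module.exports = (s, n) => s.padStart(n);\n",
    "pkg:npm/lodash@4.17.21": b"module.exports = {};\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def component(purl: str, data: bytes) -> dict:
    """Minimal CycloneDX component with a SHA-256 hash entry for its artifact."""
    name, version = purl.rsplit("/", 1)[1].split("@")
    return {
        "type": "library", "name": name, "version": version,
        "bom-ref": purl, "purl": purl,
        "hashes": [{"alg": "SHA-256", "content": sha256_hex(data)}],
    }


# Constructed CycloneDX 1.4 document describing the two artifacts above.
SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {"component": {"type": "application", "name": "app",
                               "version": "1.2.0", "bom-ref": "app@1.2.0"}},
    "components": [component(p, d) for p, d in GOOD_ARTIFACTS.items()],
    # "complete" asserts that every dependency of app@1.2.0 is listed.
    "compositions": [{"aggregate": "complete", "assemblies": ["app@1.2.0"]}],
}


def with_aggregate(sbom: dict, aggregate: str) -> dict:
    """Copy of the SBOM with a different compositions.aggregate value."""
    out = copy.deepcopy(sbom)
    for comp in out.get("compositions", []):
        comp["aggregate"] = aggregate
    return out


def release_gate(sbom: dict, artifacts: dict) -> list:
    """Return a list of findings; an empty list means the release may proceed."""
    findings = []
    if sbom.get("bomFormat") != "CycloneDX":
        return ["not a CycloneDX document"]
    seen = set()
    for comp in sbom.get("components", []):
        ref = comp.get("purl") or comp.get("bom-ref") or comp.get("name", "?")
        seen.add(ref)
        if not comp.get("version"):
            findings.append(f"{ref}: no version, cannot be matched to advisories")
        digests = {h["alg"]: h["content"].lower() for h in comp.get("hashes", [])}
        expected = digests.get("SHA-256")
        if expected is None:
            findings.append(f"{ref}: no SHA-256 hash recorded")
            continue
        data = artifacts.get(ref)
        if data is None:
            findings.append(f"{ref}: listed in SBOM but no artifact staged")
            continue
        # Constant-time compare is cheap insurance when digests are strings
        # that might one day come from an untrusted SBOM producer.
        if not hmac.compare_digest(sha256_hex(data), expected):
            findings.append(f"{ref}: SHA-256 mismatch, artifact differs from SBOM")
    for ref in artifacts:
        if ref not in seen:
            findings.append(f"{ref}: staged artifact not in SBOM")
    for comp in sbom.get("compositions", []):
        if comp.get("aggregate") != "complete":
            findings.append(
                f"composition for {comp.get('assemblies')} is "
                f"'{comp.get('aggregate')}', not 'complete'")
    return findings


if __name__ == "__main__":
    tampered = dict(GOOD_ARTIFACTS)
    tampered["pkg:npm/left-pad@1.3.0"] = b"module.exports = require('http');\n"
    for label, sbom, artifacts in [
        ("clean", SBOM, GOOD_ARTIFACTS),
        ("tampered artifact", SBOM, tampered),
        ("incomplete SBOM", with_aggregate(SBOM, "incomplete"), GOOD_ARTIFACTS),
    ]:
        print(label, "->", release_gate(sbom, artifacts) or "OK")
```

A hash match only proves the staged bytes are the ones the SBOM generator saw; it does not prove who produced them. In a real pipeline the SBOM and the artifacts should also be signed, and this gate should run after that signature check, not instead of it.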
Container security matured significantly in 2021, but the vulnerability landscape in base images, registries, and runtime configurations remains concerning.
GitHub Actions workflows execute third-party code with access to your repository secrets. Most teams don't realize how much trust they're placing in action authors.
Open source powers the modern internet, but its security model is under strain. Here's the 2021 landscape of open source risk, from funding to maintainer burnout to malicious packages.