Cloud Security
AWS CodeBuild/CodePipeline Hardening in 2026
CodeBuild and CodePipeline still carry the biggest AWS supply chain blast radius per dollar. Here is how to harden them in 2026 without rewriting to a different CI.
Jan 22, 20267 min read
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
CodeBuild and CodePipeline still carry the biggest AWS supply chain blast radius per dollar. Here is how to harden them in 2026 without rewriting to a different CI.
A practical look at npm provenance in 2026: what statements prove, how to publish them from CI, and where they quietly fail when teams treat them as magic.
Pre-commit hooks feel like a free security win until you ship them at scale. Here are the failure modes, trust boundaries, and escape hatches that bite.
Rotating tokens, OIDC federation, and scoped runners are table stakes in 2026. Here is how senior engineers design CI secrets that do not leak on bad days.
Jenkins OIDC Provider plugin token impersonation scored CVSS 9.1. Defender playbook for CI/CD identity infrastructure.
Attackers compromised the popular tj-actions/changed-files GitHub Action, injecting credential-stealing code that affected over 23,000 repositories. A textbook software supply chain attack.
Industry surveys and real-world data paint a sobering picture of DevSecOps automation maturity. Most organizations are still in the early stages despite years of investment.
Docker's 2024 rate-limit reforms hit CI pipelines hard. Measured impact on 30 real build farms and the mirror and pull-through controls that fixed it.
CodePipeline is the glue between your source, build, and deploy. It is also the thing that gets the widest IAM role in most AWS accounts. Here is how to harden it without rewriting your pipelines.
Weekly insights on software supply chain security, delivered to your inbox.