CircleCI Credential Rotation: The Mass-Reset Event
CircleCI told every customer to rotate every secret on January 4, 2023. Here is what actually happened and why the scope was total.
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
A hands-on walkthrough for configuring automated dependency scanning in your GitHub repositories, from Dependabot alerts to custom CI workflows.
Azure DevOps pipelines present unique supply chain risks from marketplace extensions to service connections. A breakdown of the attack surface and how to harden it.
GitHub Actions workflows execute third-party code with access to your repository secrets. Most teams don't realize how much trust they're placing in action authors.
Travis CI exposed secrets from public repo forks for weeks in 2021. Here is the exact defect, who was affected, and the permanent takeaways.
Most teams claim they've adopted DevSecOps. Few have actually matured beyond running a scanner in CI. Here's a practical maturity model to figure out where you really are.
CI/CD pipelines are the new attack surface. From poisoned dependencies to compromised build tools, here's how to lock down your software delivery infrastructure.
A single altered line in Codecov's Bash Uploader leaked CI secrets for 69 days across thousands of repos. Here is what actually happened and why.